
network access behind OPENVPN server

Posted: Fri May 01, 2020 11:45 am
by Chris93100
Hello,
I have 2 remote networks, one in 192.168.5.0/24 and one in 192.168.1.0/24.
An OpenVPN server was installed on a Microsoft Server 2016 server in the first network at the address 192.168.5.95.
It delivers addresses in the 10.8.0.x range, on port 1199. The OpenVPN server can be reached by a sub-domain address of the type s1.toto.fr. The redirects work, the firewall is configured correctly.
A remote client connects via the Internet and obtains a fixed address 10.8.0.9. Another client, in the second network at 192.168.1.150, obtains a fixed address 10.8.0.5 via the VPN server. A ccd sub-directory fixes the addresses for each client.
It all works well.

My goal is to allow each client to access the computers on each network, in this case two Synology NAS already at fixed addresses 192.168.5.16 and 192.168.147

Where I have difficulties is in understanding the syntaxes to add:
- In the configuration file of the OpenVPN server, in particular the route and push route lines
- In the files of each client in the ccd directory, in particular the iroute line
- Possibly in the conf file of each client
Or elsewhere, especially to set the routes
And understanding the activation of IP forwarding if necessary
Last clarification: the routers' internet gateways are respectively 192.168.5.254 in the first network (that of the OpenVPN server) and 192.168.1.1 in the second.



Here is my server config file:

Server config

mode server
port 1199
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\.crt"
key "C:\\Program Files\\OpenVPN\\config\\.key" # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 10.8.0.0 255.255.255.0
;route 192.168.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd"
;client-config-dir ccd
client-to-client
;push "route 192.168.5.0 255.255.255.0"
keepalive 10 120
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0 #
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1



That of a client (I changed the server address):

Client config

client
dev tun
proto udp
remote s1.XXXXXXXX.pro 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3



Here is an example of a client-specific settings file in the ccd directory:


ifconfig-push 10.8.0.5 10.8.0.6
iroute 192.168.5.0 255.255.255.0

Thanks for your help.

Re: FR network access behind OPENVPN server

Posted: Fri May 01, 2020 12:22 pm
by Pippin
English please.

Re: network access behind OPENVPN server

Posted: Fri May 01, 2020 3:24 pm
by ecrist
Hi Chris93100 - I've closed the report of Pippin's comment since it wasn't offensive or otherwise against the rules. This is an english-speaking forum, so the feedback was legitimate.

Thanks

Re: network access behind OPENVPN server

Posted: Fri May 01, 2020 5:59 pm
by Chris93100
ecrist wrote:
Fri May 01, 2020 3:24 pm
Hi Chris93100 - I've closed the report of Pippin's comment since it wasn't offensive or otherwise against the rules. This is an english-speaking forum, so the feedback was legitimate.

Thanks
Hi, sorry, I am deceived. I wanted to inform him that I had put my text in English. Cordially.

Re: network access behind OPENVPN server

Posted: Fri May 01, 2020 7:04 pm
by TinCanTech
I notice that you are using --topology net30 (See --topology in the manual)

It is usually much easier to understand if you use --topology subnet

Re: network access behind OPENVPN server

Posted: Sat May 02, 2020 2:58 pm
by Chris93100
TinCanTech wrote:
Fri May 01, 2020 7:04 pm
I notice that you are using --topology net30 (See --topology in the manual)

It is usually much easier to understand if you use --topology subnet

Thanks for your help. Indeed, I modified the server configuration file with "topology subnet". I have ping from clients to the server, and from client to client. I am continuing my research on the understanding of routings. Note a very interesting course https://openclassrooms.com/fr/courses/8 ... le-routage on openclassroom.com (in French). It is starting to be clearer for me.
I still have to define routes if necessary.

Re: network access behind OPENVPN server

Posted: Sun May 03, 2020 12:32 pm
by 300000
If you want all clients to be able to access 192.168.1.*
and 192.168.5.*, just add two lines into your server config as:


push "route 192.168.1.0 255.255.255.0"

push "route 192.168.5.0 255.255.255.0"


That is all that is needed for all clients to access all of the subnets 192.168.1.* and 192.168.5.*

Re: network access behind OPENVPN server

Posted: Wed May 06, 2020 6:21 pm
by Chris93100
300000 wrote:
Sun May 03, 2020 12:32 pm
If you want all clients to be able to access 192.168.1.*
and 192.168.5.*, just add two lines into your server config as:


push "route 192.168.1.0 255.255.255.0"

push "route 192.168.5.0 255.255.255.0"


That is all that is needed for all clients to access all of the subnets 192.168.1.* and 192.168.5.*
Hi. It's not enough.

I installed an OpenVPN server on a Windows Microsoft Server 2016 machine.

My goal is to link two sites and allow access to the two networks (NAS, printer), including on the go.

I have no problem setting up the OpenVPN network. But of course when I want to access the machines behind the VPN server and one of the clients, that is where I get stuck.

However, I pushed the routes, and tried to modify the static routes on the box of the second network and on the machines in question, but nothing works, even after disabling all the firewalls.

Here is the configuration:

-Site A is in 192.169.5.0, site B in 192.168.1.0, so no address conflict

-The VPN server creates addresses in 10.8.0.0 and is found at the address 10.8.0.1

-A computer is Client1 in VPN on site B. A laptop is Client2 on the go

-A ccd directory contains two files, Client1 and Client2, which assign a fixed address to each, respectively 10.8.0.5 for Client1 and 10.8.0.9 for Client2. The files contain the iroute syntax to access the local network of each site. Routes are defined and pushed by the server conf file.

-As advised by OpenVPN, the topology subnet syntax is activated

-Machines are client-to-client.

A ping from each client to the other's VPN address responds.

On the other hand, on each client, when we try to ping the network located behind the other client or the server, there is no result, ping 195.162.5.16 or 95 for example.

However, looking at the server log file, everything seems to be going normally; the routes are pushed towards the clients as the case may be.

So I figured it was missing the return route. This would mean, for example, on client2, it would be advisable to add a route to the network 192.168.5.0.

So I added the route with the following syntax "route add 192.168.5.0/24 10.8.0.9" but without success.

I list the server conf file, that of a client, the options files and the server log file.

I am at the disposal of anyone who will help me with the various routing tables if necessary.

Could the problem be due to the fact that either the server or the computer client1 uses a gateway on its box to reach the internet?

Another clarification: when the VPN is active, you lose access to the local network on site B

Server configuration file:


################################################
# Sample OpenVPN 2.0 config file for            #
 
port 1199
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\.crt"
key "C:\\Program Files\\OpenVPN\\config\\.key" # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
topology subnet
server 10.8.0.0 255.255.255.0
route 192.168.5.0 255.255.255.0
route 192.168.1.0 255.255.255.0
; ifconfig-pool-persist ipp.txt
client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
client-to-client
keepalive 10 120
tls-auth  "C:\\Program Files\\OpenVPN\\config\\ta.key" 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Client config:


client
dev tun
ver.
;proto tcp
proto udp
remote s1.XXXXXXXX.pro 1199
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
options for Client1


ifconfig-push 10.8.0.5 255.255.255.0
iroute 192.168.5.0 255.255.255.0
options for Client2


ifconfig-push 10.8.0.9 255.255.255.0
iroute 192.168.1.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0
server log


Wed May 06 15:50:53 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Wed May 06 15:50:53 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Wed May 06 15:50:53 2020 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Wed May 06 15:50:53 2020 Diffie-Hellman initialized with 2048 bit key
Wed May 06 15:50:53 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 06 15:50:53 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 06 15:50:53 2020 interactive service msg_channel=0
Wed May 06 15:50:53 2020 ROUTE_GATEWAY 192.168.5.254/255.255.255.0 I=11 HWADDR=4c:cc:6a:bf:92:0a
Wed May 06 15:50:53 2020 open_tun
Wed May 06 15:50:53 2020 TAP-WIN32 device [Connexion au réseau local] opened: \\.\Global\{9C01F3CA-73CC-4CA1-AA41-92536F355D86}.tap
Wed May 06 15:50:53 2020 TAP-Windows Driver Version 9.24
Wed May 06 15:50:53 2020 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.1/255.255.255.0 [SUCCEEDED]
Wed May 06 15:50:53 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.0 on interface {9C01F3CA-73CC-4CA1-AA41-92536F355D86} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Wed May 06 15:50:53 2020 Sleeping for 10 seconds...
Wed May 06 15:51:03 2020 Successful ARP Flush on interface [12] {9C01F3CA-73CC-4CA1-AA41-92536F355D86}
Wed May 06 15:51:03 2020 C:\Windows\system32\route.exe ADD 192.168.5.0 MASK 255.255.255.0 10.8.0.2
Wed May 06 15:51:03 2020 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed May 06 15:51:03 2020 Route addition via IPAPI succeeded [adaptive]
Wed May 06 15:51:03 2020 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.2
Wed May 06 15:51:03 2020 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed May 06 15:51:03 2020 Route addition via IPAPI succeeded [adaptive]
Wed May 06 15:51:03 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Wed May 06 15:51:03 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 06 15:51:03 2020 setsockopt(IPV6_V6ONLY=0)
Wed May 06 15:51:03 2020 UDPv6 link local (bound): [AF_INET6][undef]:1199
Wed May 06 15:51:03 2020 UDPv6 link remote: [AF_UNSPEC]
Wed May 06 15:51:03 2020 MULTI: multi_init called, r=256 v=256
Wed May 06 15:51:03 2020 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Wed May 06 15:51:03 2020 Initialization Sequence Completed
Wed May 06 15:51:06 2020 83.200.45.240:61536 TLS: Initial packet from [AF_INET6]::ffff:83.200.45.240:61536, sid=cff1a0a2 f41ae255
...
Wed May 06 15:51:07 2020 83.200.45.240:61536 peer info: IV_GUI_VER=OCmacOS_3.1.3-713
Wed May 06 15:51:07 2020 83.200.45.240:61536 peer info: IV_VER=3.git::f225fcd0
Wed May 06 15:51:07 2020 83.200.45.240:61536 peer info: IV_PLAT=win
Wed May 06 15:51:07 2020 83.200.45.240:61536 peer info: IV_NCP=2
Wed May 06 15:51:07 2020 83.200.45.240:61536 peer info: IV_TCPNL=1
Wed May 06 15:51:07 2020 83.200.45.240:61536 peer info: IV_PROTO=2
Wed May 06 15:51:07 2020 83.200.45.240:61536 peer info: IV_AUTO_SESS=1
Wed May 06 15:51:07 2020 83.200.45.240:61536 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed May 06 15:51:07 2020 83.200.45.240:61536 [Client1] Peer Connection Initiated with [AF_INET6]::ffff:83.200.45.240:61536
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 OPTIONS IMPORT: reading client specific options from: C:\Program Files\OpenVPN\config\ccd\Client1
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 MULTI: Learn: 10.8.0.5 -> Client1/83.200.45.240:61536
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 MULTI: primary virtual IP for Client1/83.200.45.240:61536: 10.8.0.5
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 MULTI: internal route 192.168.5.0/24 -> Client1/83.200.45.240:61536
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 MULTI: Learn: 192.168.5.0/24 -> Client1/83.200.45.240:61536
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 REMOVE PUSH ROUTE: 'route 192.168.5.0 255.255.255.0'
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 SENT CONTROL [Client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.5 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May 06 15:51:07 2020 Client1/83.200.45.240:61536 IP packet with unknown IP version=0 seen
Wed May 06 15:51:07 2020 MULTI: Learn: 192.168.5.254 -> Client1/83.200.45.240:61536
Wed May 06 15:51:07 2020 92.184.117.89:37705 TLS: Initial packet from [AF_INET6]::ffff:92.184.117.89:37705, sid=f79fb9d0 469b504a
....
Wed May 06 15:51:08 2020 92.184.117.89:37705 peer info: IV_GUI_VER=OCmacOS_3.1.3-713
Wed May 06 15:51:08 2020 92.184.117.89:37705 peer info: IV_VER=3.git::f225fcd0
Wed May 06 15:51:08 2020 92.184.117.89:37705 peer info: IV_PLAT=win
Wed May 06 15:51:08 2020 92.184.117.89:37705 peer info: IV_NCP=2
Wed May 06 15:51:08 2020 92.184.117.89:37705 peer info: IV_TCPNL=1
Wed May 06 15:51:08 2020 92.184.117.89:37705 peer info: IV_PROTO=2
Wed May 06 15:51:08 2020 92.184.117.89:37705 peer info: IV_AUTO_SESS=1
Wed May 06 15:51:08 2020 92.184.117.89:37705 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed May 06 15:51:08 2020 92.184.117.89:37705 [Client2] Peer Connection Initiated with [AF_INET6]::ffff:92.184.117.89:37705
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 OPTIONS IMPORT: reading client specific options from: C:\Program Files\OpenVPN\config\ccd\Client2
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 MULTI: Learn: 10.8.0.9 -> Client2/92.184.117.89:37705
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 MULTI: primary virtual IP for Client2/92.184.117.89:37705: 10.8.0.9
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 MULTI: internal route 192.168.5.0/24 -> Client2/92.184.117.89:37705
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 MULTI: Learn: 192.168.5.0/24 -> Client2/92.184.117.89:37705
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 MULTI: internal route 192.168.1.0/24 -> Client2/92.184.117.89:37705
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 MULTI: Learn: 192.168.1.0/24 -> Client2/92.184.117.89:37705
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 REMOVE PUSH ROUTE: 'route 192.168.5.0 255.255.255.0'
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 REMOVE PUSH ROUTE: 'route 192.168.1.0 255.255.255.0'
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 SENT CONTROL [Client2]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.9 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May 06 15:51:08 2020 Client2/92.184.117.89:37705 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May 06 15:51:11 2020 MULTI: Learn: 192.168.5.254 -> Client2/92.184.117.89:37705
Wed May 06 15:51:13 2020 Client1/83.200.45.240:61536 MULTI: Learn: 192.168.1.1 -> Client2/92.184.117.89:37705
Wed May 06 15:51:32 2020 Client1/83.200.45.240:61536 MULTI: Learn: 192.168.1.147 -> Client2/92.184.117.89:37705
Wed May 06 15:51:39 2020 Client1/83.200.45.240:61536 MULTI: Learn: 192.168.1.148 -> Client2/92.184.117.89:37705
Wed May 06 15:52:19 2020 MULTI: Learn: 192.168.5.16 -> Client2/92.184.117.89:37705
Wed May 06 15:52:50 2020 Client1/83.200.45.240:61536 MULTI: Learn: 192.168.1.147 -> Client2/92.184.117.89:37705
Wed May 06 15:53:03 2020 Client1/83.200.45.240:61536 MULTI: Learn: 192.168.1.149 -> Client2/92.184.117.89:37705

Re: network access behind OPENVPN server

Posted: Wed May 06, 2020 6:32 pm
by 300000
You said: My goal is to link two sites and allow access to the two networks (NAS, Printer).

That means you need a site-to-site connection between the two so every client can connect. The way you set it up now is client-to-site only, so don't expect an OpenVPN client to be able to communicate with clients on the OpenVPN server's side.

When you set up site-to-site you need iroute; you need to name the file with the same name as the common name of the client's certificate, so when the client tries to connect to the server, the server scans its certificate name and adds the routing info into its routing table.

When you finish that, every OpenVPN point knows where to send routed traffic. Go back to the how-to and study site-to-site connection and iroute; try to make it work first.

Re: network access behind OPENVPN server

Posted: Wed May 06, 2020 6:45 pm
by TinCanTech
Chris93100 wrote:
Wed May 06, 2020 6:21 pm
options for Client1


ifconfig-push 10.8.0.5 255.255.255.0
iroute 192.168.5.0 255.255.255.0
options for Client2


ifconfig-push 10.8.0.9 255.255.255.0
iroute 192.168.1.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0
Two different clients cannot have the same --iroute at the same time.

Re: network access behind OPENVPN server

Posted: Wed May 06, 2020 8:00 pm
by 300000
Let me write some hints for you and you can try.

Let's say your server subnet is 192.168.5.0/24 and the client subnet is 192.168.1.0/24.

The main thing you want to do is connect every client on both sides so they can communicate through OpenVPN.

First you must advertise the 192.168.5.0/24 subnet to VPN clients as being accessible through the VPN, so you need to push this subnet to the clients. Just add this to the server config:

push "route 192.168.5.0 255.255.255.0"

Then you need to add the client's subnet to the server's routing table with this directive. Just add this to the server config:

route 192.168.1.0 255.255.255.0

Next, ask yourself if you would like to allow network traffic between client1's subnet 192.168.1.0/24 and other clients of the OpenVPN server. If so, add the following to the server config file:

client-to-client
push "route 192.168.1.0 255.255.255.0"



Find out the name of the client's certificate and make a file with the same name as its common name, for example client1.

Create a directory called ccd and place the file you created there; open that file and add these lines. This tells the OpenVPN server that subnet 192.168.1.0/24 should be routed through OpenVPN client1:

iroute 192.168.1.0 255.255.255.0
ifconfig-push 10.8.0.5 255.255.255.0

That is all you need; you need to try it first and make it work for you.


OpenVPN is a point-to-point connection, so if you need IP routing on both client and server, you need to do the same IP routing on both so it can do site-to-site; if not, it is only one way. Don't forget that.

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 12:22 pm
by Chris93100
TinCanTech wrote:
Wed May 06, 2020 6:45 pm
Chris93100 wrote:
Wed May 06, 2020 6:21 pm
options for Client1


ifconfig-push 10.8.0.5 255.255.255.0
iroute 192.168.5.0 255.255.255.0
options for Client2


ifconfig-push 10.8.0.9 255.255.255.0
iroute 192.168.1.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0
Two different clients cannot have the same --iroute at the same time.

Hi and thank you for your help.
Can you explain to me the function of iroute? I thought it was so that the client could access this route. But in fact it seems to be pushed by the route and push lines of the server config file.

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 12:26 pm
by TinCanTech
Chris93100 wrote:
Thu May 07, 2020 12:22 pm
Can you explain to me the function of iroute ?
--iroute network [netmask]
Generate an internal route to a specific client. The netmask parameter, if omitted, defaults to 255.255.255.255.

This directive can be used to route a fixed subnet from the server to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.

From the manual.
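To make the rules from the last few posts concrete (an iroute needs a matching route on the server, two clients cannot share an iroute, ifconfig-push takes a netmask under topology subnet, and a pushed route is dropped for the client that owns it, as the REMOVE PUSH ROUTE lines in the log above show), here is an added example checker, not code from the thread or from OpenVPN. The sample configs are constructed from the ones posted in this thread.

```python
"""Consistency check of an OpenVPN server config against its ccd files.

Added example (not code from the thread or from OpenVPN). Rules checked:
  * every ccd `iroute` needs a matching `route` in the server config (the kernel
    route hands the packet to OpenVPN, the iroute then picks the client);
  * two clients may not claim the same `iroute`;
  * with `topology subnet`, the second `ifconfig-push` argument is a netmask;
  * a pushed route is not sent to the client that owns that subnet via iroute.
"""
import ipaddress
import shlex


def parse_directives(text):
    """Return [(directive, args), ...] for active lines; ';' and '#' start comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def as_network(args):
    """'192.168.1.0 255.255.255.0' -> IPv4Network; mask defaults to /32 like --iroute."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)


def check_routing(server_conf, ccd_files):
    """server_conf: server config text; ccd_files: {common_name: ccd file text}.

    Returns (problems, effective_push): problems is a list of findings,
    effective_push[cn] is the set of pushed routes that client will receive.
    """
    server = parse_directives(server_conf)
    topology = next((a[0] for d, a in server if d == "topology"), "net30")
    kernel_routes = {as_network(a) for d, a in server if d == "route"}
    pushed = set()
    for d, a in server:
        if d == "push" and a and a[0].split()[0] == "route":
            pushed.add(as_network(a[0].split()[1:]))

    problems, owner, effective_push = [], {}, {}
    for cn, text in ccd_files.items():
        owned = set()
        for d, a in parse_directives(text):
            if d == "iroute":
                net = as_network(a)
                if net in owner:
                    problems.append(f"{cn}: iroute {net} is already claimed by {owner[net]}")
                owner.setdefault(net, cn)
                owned.add(net)
                if net not in kernel_routes:
                    problems.append(f"{cn}: iroute {net} has no matching 'route' in the server config")
            elif d == "ifconfig-push" and topology == "subnet":
                try:
                    ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
                except ValueError:
                    problems.append(f"{cn}: topology subnet needs a netmask in ifconfig-push, not {a[1]}")
        effective_push[cn] = pushed - owned   # server drops routes the client owns
    return problems, effective_push


# Constructed from the corrected server config posted in this thread.
SERVER_CONF = r"""
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd"
push "route 192.168.5.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
"""

# Constructed ccd files: the corrected pair, and an earlier-style pair where both
# clients claim 192.168.5.0/24 and Client2 still uses a net30-style ifconfig-push.
CCD_OK = {
    "Client1": "ifconfig-push 10.8.0.5 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n",
    "Client2": "ifconfig-push 10.8.0.9 255.255.255.0\n",
}
CCD_BROKEN = {
    "Client1": "ifconfig-push 10.8.0.5 255.255.255.0\niroute 192.168.5.0 255.255.255.0\n",
    "Client2": "ifconfig-push 10.8.0.9 10.8.0.10\niroute 192.168.1.0 255.255.255.0\n"
               "iroute 192.168.5.0 255.255.255.0\n",
}

if __name__ == "__main__":
    for name, ccd in (("corrected", CCD_OK), ("broken", CCD_BROKEN)):
        problems, pushes = check_routing(SERVER_CONF, ccd)
        print(f"== {name}: {len(problems)} problem(s)")
        for p in problems:
            print("  ", p)
        for cn, nets in pushes.items():
            print(f"   {cn} receives:", ", ".join(str(n) for n in sorted(nets)) or "(nothing)")
```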

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 12:50 pm
by Chris93100
300000 wrote:
Wed May 06, 2020 8:00 pm
Let me write some hints for you and you can try.

Let's say your server subnet is 192.168.5.0/24 and the client subnet is 192.168.1.0/24.

The main thing you want to do is connect every client on both sides so they can communicate through OpenVPN.

First you must advertise the 192.168.5.0/24 subnet to VPN clients as being accessible through the VPN, so you need to push this subnet to the clients. Just add this to the server config:

push "route 192.168.5.0 255.255.255.0"

Then you need to add the client's subnet to the server's routing table with this directive. Just add this to the server config:

route 192.168.1.0 255.255.255.0

Next, ask yourself if you would like to allow network traffic between client1's subnet 192.168.1.0/24 and other clients of the OpenVPN server. If so, add the following to the server config file:

client-to-client
push "route 192.168.1.0 255.255.255.0"



Find out the name of the client's certificate and make a file with the same name as its common name, for example client1.

Create a directory called ccd and place the file you created there; open that file and add these lines. This tells the OpenVPN server that subnet 192.168.1.0/24 should be routed through OpenVPN client1:

iroute 192.168.1.0 255.255.255.0
ifconfig-push 10.8.0.5 255.255.255.0

That is all you need; you need to try it first and make it work for you.
Okay, and thank you for your help.

So, here is my new server config file:


mode server
port 1199
proto udp
dev tun
topology subnet
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\.crt"
key "C:\\Program Files\\OpenVPN\\config\\.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd"

push "route 192.168.5.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
And for ccd files:
Client1


ifconfig-push 10.8.0.5 255.255.255.0
iroute 192.168.1.0 255.255.255.0
Client2


ifconfig-push 10.8.0.9 255.255.255.0
Is it correct?

I think I must add routes:
on client1: route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.1

on client2: route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.1
and route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.1.5

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 1:03 pm
by Chris93100
TinCanTech wrote:
Thu May 07, 2020 12:26 pm
Chris93100 wrote:
Thu May 07, 2020 12:22 pm
Can you explain to me the function of iroute ?
--iroute network [netmask]
Generate an internal route to a specific client. The netmask parameter, if omitted, defaults to 255.255.255.255.

This directive can be used to route a fixed subnet from the server to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.

From the manual.
Good
My new files :
Client1


ifconfig-push 10.8.0.5 255.255.255.0
iroute 192.168.1.0 255.255.255.0
Client2


ifconfig-push 10.8.0.9 255.255.255.0

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 2:12 pm
by Chris93100
Now, with your help!

Client1 -> 192.168.5.0 OK
Client2 <-> Client1 OK
Client2 -> 192.168.5.0 OK
But
Client2 -> 192.168.1.0 NOT OK!

And when OpenVPN is ON, there is no ping from 192.168.1.150 (client1) -> another PC of this network, for example the internet gateway 192.168.1.1

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 4:16 pm
by 300000
You need to draw a picture so people can understand. At first you wrote 2 subnets, 192.168.5.0 and 192.168.1.0. Now you add one more client subnet somewhere, 192.168.147.0; that is so much trouble. A picture makes it easier.

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 4:35 pm
by 300000
What iroute does is only adding a route to the system, so it is needed to make site-to-site work. You can add as many routes as you like on OpenVPN if you understand the way it works.


Let's say client1 >>>>>openvpnser>>>>>>>>internet router >>>>>>>internet router2 >> client2 client3



What if client1 wants to ping client3? Then the route should go to openvpnser, go through client2 and go to client3.

internet router2 192.168.5.1
client 10.8.0.3

On the OpenVPN server it needs the route

route 192.168.5.0 255.255.255.0
ccd client1 has the iroute

iroute 192.168.5.0 255.255.255.0

It is the same as route add 192.168.5.0 mask 255.255.255.0 10.8.0.3

The address of client2 is based on the ccd file named after the certificate's common name, so we don't need it in the iroute; iroute 192.168.5.0 255.255.255.0 with only subnet and mask is OK, but that is the way it works.

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 4:57 pm
by Chris93100
Here is the diagram requested:

[diagram image]

Re: network access behind OPENVPN server

Posted: Thu May 07, 2020 5:20 pm
by 300000
That is where point-to-point works: on client1 you need to enable IP routing as on the OpenVPN server, so client1 acts as a router. I don't know what OS runs on client1.
Then from client1 it can route to every client in that network.

Just do IP routing on client1 as on the OpenVPN server.