Full routing between networks
Posted: Mon Jul 20, 2020 9:17 am
Hello everyone!
Being completely new to OpenVPN and only working with Linux rarely, I started setting up an OpenVPN server in a Ubuntu Server 18.04 VM on my Windows server at home.
My goal was to be completely transparent between my Homenetwork and the VPN-network, being able to reach all devices from all directions.
It took me quite some time googling, testing and trial'n'error, but I've finally managed to set it up in a way that I can even reach the VPN-Clients from any Client in the homenetwork.
My question now is, since I'm a little insecure especially regarding the firewall rules:
Is the way I've set this up the proper way, or are there any easier or more secure ways to di it?
Thanks in advance!
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/OpenVPN_---.crt
key /etc/openvpn/easy-rsa/pki/private/OpenVPN_---.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN fritz.box"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s '10.8.0.0/24' -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.31
iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.8.0.1
Being completely new to OpenVPN and only working with Linux rarely, I started setting up an OpenVPN server in a Ubuntu Server 18.04 VM on my Windows server at home.
My goal was to be completely transparent between my Homenetwork and the VPN-network, being able to reach all devices from all directions.
It took me quite some time googling, testing and trial'n'error, but I've finally managed to set it up in a way that I can even reach the VPN-Clients from any Client in the homenetwork.
My question now is, since I'm a little insecure especially regarding the firewall rules:
Is the way I've set this up the proper way, or are there any easier or more secure ways to di it?
Thanks in advance!
Server
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/OpenVPN_---.crt
key /etc/openvpn/easy-rsa/pki/private/OpenVPN_---.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN fritz.box"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
Firewall
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s '10.8.0.0/24' -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.31
iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.8.0.1