Connecting to Webserver on VPNServer
Posted: Fri Jul 30, 2021 8:40 am
Hi everyone,
I have a small configuration Problem:
Server: CentOS 7 + OpenVPN 2.4.11
local <PUBLICIP>
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
compress lzo
user nobody
group nobody
persist-key
persist-tun
status /dev/shm/openvpn-status.log
verb 3
client-disconnect /etc/openvpn/disconnect.sh
ping-timer-rem
push "ping-timer-rem"
up /etc/openvpn/up.sh
tls-verify /etc/openvpn/tls-verify.sh
client-connect /etc/openvpn/client-connect.sh
route-pre-down /etc/openvpn/route-pre-down.sh
client-disconnect /etc/openvpn/client-disconnect.sh
down /etc/openvpn/down.sh
learn-address /etc/openvpn/learn-address.sh
management 127.0.0.1 4711
script-security 2
fragment 0
mssfix 0
Clients: Linux (Ubuntu + Manjaro with OpenVPN 2.5.2 + 2.5.3), Windows 10, Android (OpenVPN for Android 0.7.22), Mac (Tunnelblick 3.8.5)
auth-user-pass pwd
client
dev tun
remote <PUBLILCIP> 3389 tcp-client
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
key-direction 1
allow-recursive-routing
push "dhcp-option DNS 192.168.50.27"
push "dhcp-option DOMAIN <domain>"
push "comp-lzo"
push "route 192.168.50.0 255.255.255.0"
push "route <PUBLICIP> 255.255.255.255"
Now Im running a Webserver on <PUBLICIP>. Connecting with Android and Windows works and I can access the webserver. The webserver sees as remote ip the <PUBLICIP>. Thats good and the expected behaviour as the sites should only accessible through the VPN.
Connecting with Linux dows work, but there is no ping possible to the internal 192.168.50.0/24 nor the <PUBLICIP> nor othe rpublic IPs (ex. 8.8.8.8).
If I delete the route <PUBLICIP> 255.255.255.255 from the ccd then I could ping the internal 192.168.50.0/24, but the webserver sees my remoteip.
Why does this work with Android, Windows and Mac, but not with Linux? Any suggestions?
Thank you for your help.
with kind regards,
Bernd.
I have a small configuration Problem:
Server: CentOS 7 + OpenVPN 2.4.11
Server Config
local <PUBLICIP>
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
compress lzo
user nobody
group nobody
persist-key
persist-tun
status /dev/shm/openvpn-status.log
verb 3
client-disconnect /etc/openvpn/disconnect.sh
ping-timer-rem
push "ping-timer-rem"
up /etc/openvpn/up.sh
tls-verify /etc/openvpn/tls-verify.sh
client-connect /etc/openvpn/client-connect.sh
route-pre-down /etc/openvpn/route-pre-down.sh
client-disconnect /etc/openvpn/client-disconnect.sh
down /etc/openvpn/down.sh
learn-address /etc/openvpn/learn-address.sh
management 127.0.0.1 4711
script-security 2
fragment 0
mssfix 0
Clients: Linux (Ubuntu + Manjaro with OpenVPN 2.5.2 + 2.5.3), Windows 10, Android (OpenVPN for Android 0.7.22), Mac (Tunnelblick 3.8.5)
Client Config
auth-user-pass pwd
client
dev tun
remote <PUBLILCIP> 3389 tcp-client
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
key-direction 1
allow-recursive-routing
Client Config
push "dhcp-option DNS 192.168.50.27"
push "dhcp-option DOMAIN <domain>"
push "comp-lzo"
push "route 192.168.50.0 255.255.255.0"
push "route <PUBLICIP> 255.255.255.255"
Now Im running a Webserver on <PUBLICIP>. Connecting with Android and Windows works and I can access the webserver. The webserver sees as remote ip the <PUBLICIP>. Thats good and the expected behaviour as the sites should only accessible through the VPN.
Connecting with Linux dows work, but there is no ping possible to the internal 192.168.50.0/24 nor the <PUBLICIP> nor othe rpublic IPs (ex. 8.8.8.8).
If I delete the route <PUBLICIP> 255.255.255.255 from the ccd then I could ping the internal 192.168.50.0/24, but the webserver sees my remoteip.
Why does this work with Android, Windows and Mac, but not with Linux? Any suggestions?
Thank you for your help.
with kind regards,
Bernd.