End goal is to be able to easily access the LAN on either side of a Server-Client/Gateway setup.
Currently, I'm having what I think are routing or iptable/UFW issues.
From Desktop:
Can ping the Cisco and SSH the R-Pi, nothing else
From OVPN Server:
Can freely ping and access anything on both LANs
From Work LAN:
Can ping & access either LAN freely (it wouldn't earlier, not sure what I changed to get it working)
From phone on 4G+VPN:
Can ping and access either LAN freely
I've mostly been messing about with iptables/UFW, thinking that's where the issue seems to lie, but no clue. Seeing as the OVPN server has free access & responds to Work LAN, I'm assuming at least the routing on the Cisco is good? I have no custom routing on the Desktop/S9 either, so the ER-X routes seem to work as well, given they can ping the R-Pi & Cisco.
server.conf
server 192.168.191.0 255.255.255.0
port 110
proto udp
dev tun
topology subnet
route 192.168.0.0 255.255.255.0 192.168.191.1
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
keepalive 10 60
cipher AES-128-CBC
user nobody
group nogroup
persist-key
persist-tun
push "dhcp-option DNS 192.168.192.99"
push "dhcp-option WINS 192.168.192.99"
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
status openvpn-status.log
verb 4
CCD for R-Pi:
iroute 192.168.0.0 255.255.255.0
ifconfig-push 192.168.191.6 255.255.255.0
push "route 192.168.192.0 255.255.255.0"
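The `route` line in server.conf, the `iroute` in the ccd entry and the pushed `route` are the three tables that turn this into a site-to-site link, and a packet has to clear all three on the way out and again on the way back. The Python below is an added example, not code from the post, that parses those directives and lists what each hop needs for one flow and its reply. The sample host addresses are constructed, and the topology it assumes (the desktop on the 192.168.192.0/24 side behind the ER-X next to the OpenVPN server, the 192.168.0.0/24 LAN behind the R-Pi and the Cisco) is my reading of the post rather than something it states.

```python
import ipaddress
import shlex

# Directives copied from the post's server.conf and the ccd entry for the R-Pi;
# lines that do not affect routing are left out.
SERVER_CONF = """
server 192.168.191.0 255.255.255.0
topology subnet
route 192.168.0.0 255.255.255.0 192.168.191.1
client-to-client
"""
CCD_WORKPI = """
iroute 192.168.0.0 255.255.255.0
ifconfig-push 192.168.191.6 255.255.255.0
push "route 192.168.192.0 255.255.255.0"
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _directives(text):
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            yield parts


def build_model(server_conf, ccds):
    """Three tables that together decide where a packet goes:
    server_routes: kernel routes on the server host that point into tun
    iroutes:       OpenVPN's own table, network -> the client that owns it
    client_routes: kernel routes each client ends up with (tun subnet + pushed routes)"""
    m = {"tun_net": None, "server_routes": [], "iroutes": {}, "client_tun": {}, "client_routes": {}}
    for d in _directives(server_conf):
        if d[0] == "server":
            m["tun_net"] = _net(d[1], d[2])
            m["server_routes"].append(m["tun_net"])
        elif d[0] == "route":
            m["server_routes"].append(_net(d[1], d[2]))
    for name, text in ccds.items():
        routes = []
        for d in _directives(text):
            if d[0] == "iroute":
                m["iroutes"][_net(d[1], d[2])] = name
            elif d[0] == "ifconfig-push":
                m["client_tun"][name] = ipaddress.ip_address(d[1])
                routes.append(_net(d[1], d[2]))        # connected route on the client's tun
            elif d[0] == "push" and d[1].startswith("route "):
                _, net, mask = d[1].split()[:3]
                routes.append(_net(net, mask))
        m["client_routes"][name] = routes
    return m


def forward_path(m, client, dst):
    """Problems a packet for dst hits going server LAN -> server kernel -> OpenVPN -> client."""
    dst = ipaddress.ip_address(dst)
    problems = []
    if not any(dst in n for n in m["server_routes"]):
        problems.append(f"server kernel: no route to {dst} via tun")
    owner = next((c for n, c in m["iroutes"].items() if dst in n), None)
    if dst not in m["tun_net"] and owner != client:
        problems.append(f"openvpn: no iroute hands {dst} to client {client}")
    return problems


def return_path(m, client, src, dst):
    """Problems the reply dst->src hits: the client needs a route to src into tun, and
    OpenVPN only accepts a client's packets whose source is its tun IP or inside its iroute."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    problems = []
    if not any(src in n for n in m["client_routes"][client]):
        problems.append(f"client {client}: no route to {src} via tun (not pushed)")
    owned = [n for n, c in m["iroutes"].items() if c == client]
    if dst != m["client_tun"][client] and not any(dst in n for n in owned):
        problems.append(f"openvpn: source {dst} not covered by {client}'s iroute, packet dropped")
    return problems


def lan_router_requirements(m, client, src, dst):
    """Routes the two LAN gateways must hold because nothing in these configs NATs the traffic.
    Assumption (mine, from the post): src is behind the ER-X with the server, dst behind the Cisco."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dst_net = next((n for n in m["iroutes"] if dst in n), None)
    src_net = next((n for n in m["client_routes"][client] if src in n), None)
    return [f"ER-X: route {dst_net} -> the OpenVPN server's LAN address",
            f"Cisco: route {src_net} and {m['tun_net']} -> {client}'s LAN address"]


if __name__ == "__main__":
    model = build_model(SERVER_CONF, {"workpi": CCD_WORKPI})
    desktop, cisco_host = "192.168.192.50", "192.168.0.20"   # constructed sample hosts
    print("forward:", forward_path(model, "workpi", cisco_host) or "ok")
    print("return :", return_path(model, "workpi", desktop, cisco_host) or "ok")
    print("outside OpenVPN:", *lan_router_requirements(model, "workpi", desktop, cisco_host), sep="\n  ")
```

For the configs as posted both OpenVPN-side checks come back clean for a desktop-to-Cisco-LAN flow, which is why the last function matters: with no MASQUERADE anywhere, the two LAN routers must carry the return routes, and the `iroute` check is the one that silently drops replies when a LAN host behind a client is not covered.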
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p tcp -m tcp --dport 110 -j ACCEPT
client
client
dev tun
proto udp
remote DDNS_HERE 110 udp
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert workpi.crt
key workpi.key
remote-cert-tls server
cipher AES-128-CBC
verb 4
auth-nocache
R-Pi iptables-save dump:
*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]
# Acceptable UDP traffic
-A UDP -p udp --dport 110 -j ACCEPT
#-A UDP -p udp --dport 53 -j ACCEPT
# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
#-A TCP -p tcp --dport 53 -j ACCEPT
# Acceptable ICMP traffic
# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
# User added whatever
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A INPUT -s 192.168.192.0/24 -j ACCEPT
-A INPUT -s 192.168.191.0/24 -j ACCEPT
#-A INPUT -s 192.168.0.0/24 -j ACCEPT
# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Commit the changes
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
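Since the suspicion above falls on iptables, here is an added example (not code from the post) that reads the two dumps and answers the questions worth asking of them: does any rule in a protocol-named chain match a different protocol, does INPUT end up accepting the OpenVPN port over UDP, what does FORWARD allow between tun0 and eth0 in each direction, and is there any MASQUERADE that would spare the LAN routers from needing return routes. The dumps are embedded as excerpts of the ones posted, with comments and the empty raw/security tables left out; the interface names and port are taken from the post.

```python
import shlex

# Excerpt of the unlabelled `iptables -S` dump from the post.
DUMP_A = """
-P INPUT DROP
-P FORWARD ACCEPT
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p tcp -m tcp --dport 110 -j ACCEPT
"""

# Excerpt of the R-Pi iptables-save dump from the post.
DUMP_RPI = """
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:UDP - [0:0]
:TCP - [0:0]
-A UDP -p udp --dport 110 -j ACCEPT
-A TCP -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A INPUT -s 192.168.192.0/24 -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
"""


def parse(dump):
    """Return (policies, rules) from either `iptables -S` or iptables-save text.
    policies: {(table, chain): POLICY}; rules: list of {table, chain, args, opt}."""
    policies, rules, table = {}, [], "filter"
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # iptables-save table header
            table = line[1:]
            continue
        if line.startswith(":"):                 # :CHAIN POLICY [pkts:bytes]
            chain, pol = line[1:].split()[:2]
            if pol != "-":
                policies[(table, chain)] = pol
            continue
        t = shlex.split(line)
        if t[0] == "-P":
            policies[(table, t[1])] = t[2]
        elif t[0] == "-A":
            args = t[2:]
            # option -> following token; flags without a value just pick up the next flag
            opt = {args[i]: args[i + 1] for i in range(len(args) - 1) if args[i].startswith("-")}
            rules.append({"table": table, "chain": t[1], "args": args, "opt": opt})
    return policies, rules


def protocol_chain_mismatches(rules):
    """Rules in a chain named TCP/UDP/ICMP whose -p match is a different protocol."""
    return [f'{r["chain"]}: {" ".join(r["args"])}' for r in rules
            if r["chain"] in ("TCP", "UDP", "ICMP")
            and r["opt"].get("-p", r["chain"].lower()) != r["chain"].lower()]


def accepts_udp_port(rules, port):
    """True if INPUT, directly or via a chain it jumps to for -p udp, ACCEPTs udp/<port>."""
    reachable = {"INPUT"} | {r["opt"].get("-j", "") for r in rules
                             if r["chain"] == "INPUT" and r["opt"].get("-p") == "udp"}
    return any(r["table"] == "filter" and r["chain"] in reachable
               and r["opt"].get("-p") == "udp" and r["opt"].get("--dport") == str(port)
               and r["opt"].get("-j") == "ACCEPT" for r in rules)


def forward_pairs(policies, rules, a="tun0", b="eth0"):
    """What FORWARD lets through between two interfaces, in each direction."""
    pol = policies.get(("filter", "FORWARD"), "ACCEPT")
    allowed = {(r["opt"].get("-i"), r["opt"].get("-o")) for r in rules
               if r["chain"] == "FORWARD" and r["opt"].get("-j") == "ACCEPT"}
    return {"policy": pol, f"{a}->{b}": pol == "ACCEPT" or (a, b) in allowed,
            f"{b}->{a}": pol == "ACCEPT" or (b, a) in allowed}


def masquerades(rules):
    """Any nat/POSTROUTING MASQUERADE? Without one, LAN routers need routes back through the tunnel."""
    return any(r["table"] == "nat" and r["chain"] == "POSTROUTING"
               and r["opt"].get("-j") == "MASQUERADE" for r in rules)


if __name__ == "__main__":
    for label, dump in (("dump A", DUMP_A), ("R-Pi", DUMP_RPI)):
        pol, rules = parse(dump)
        print(label, "mismatches:", protocol_chain_mismatches(rules) or "none")
        print(label, "udp/110 accepted on INPUT:", accepts_udp_port(rules, 110))
        print(label, "forward:", forward_pairs(pol, rules), "masquerade:", masquerades(rules))
```

Run against the excerpts, the first dump's UDP chain rule is flagged because it matches `-p tcp`, so a new OpenVPN packet on udp/110 is never accepted there and falls through to the REJECT; the R-Pi dump passes that check, its FORWARD policy of ACCEPT already covers both directions regardless of the single tun0-to-eth0 rule, and neither dump masquerades, which is what makes the routes on the ER-X and Cisco load-bearing.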