How to start the Internet through openvpn client

sasha-ld
OpenVpn Newbie
Posts: 2
Joined: Sun Oct 23, 2022 5:14 pm

How to start the Internet through openvpn client

Post by sasha-ld » Sun Oct 23, 2022 5:22 pm

OpenVPN server 10.8.0.1
client1 10.8.0.2
client2 10.8.0.3
How to pass internet for client 2 through OpenVPN client 1?

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: How to start the Internet through openvpn client

Post by Pippin » Sun Oct 23, 2022 5:56 pm

Hi,

This might be of help:
viewtopic.php?f=6&t=27421

sasha-ld
OpenVpn Newbie
Posts: 2
Joined: Sun Oct 23, 2022 5:14 pm

Re: How to start the Internet through openvpn client

Post by sasha-ld » Mon Oct 24, 2022 3:51 pm

Hello!
I tried everything as described in the post, but it didn't work.

openvpn network

Code:
10.8.0.0/24

openvpn server

Code:
eth0 50.50.50.50
tun0 10.8.0.1

Client1

Code:
tun0 10.8.0.200

Client2 (through it you need to access the Internet)

Code:
eth0 60.60.60.60
tun0 10.8.0.254

Server configuration

Code:
local 50.50.50.50
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
subnet topology
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
verb 3
crl-verify crl.pem
status /etc/openvpn/server/status.log
log /etc/openvpn/server/ovpn.log
client-config-dir /etc/openvpn/server/ccd

config Client1

Code:
push "subnet topology"
ifconfig-push 10.8.0.200 255.255.255.0

config Client2

Code:
push-reset
push "subnet topology"
ifconfig-push 10.8.0.254 255.255.255.0
iroute 0.0.0.0 0.0.0.0

Then on the server I did the following

Code:
echo "200 vpnclient" >> /etc/iproute2/rt_tables
ip route add 10.08.0.0/24 dev tun0 src 10.8.0.1 table vpnclient
ip route add default via 10.8.0.254 dev tun0 table vpnclient
ip rule add from 10.8.0.200/32 table vpnclient
ip rule add to 10.8.0.200/32 table vpnclient
ip route flush cache

After that, the clients connect and ping each other, but nothing shows up on Client2 in tcpdump -i tun0.

Then on the server I introduced the rule

Code:
iptables -t nat -A PREROUTING -i tun0 -s 10.8.0.200 -j DNAT --to-destination 10.8.0.254

On Client2

Code:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 60.60.60.60

Packets appeared on Client2 in tcpdump -i tun0

Code:
18:38:29.386151 IP 10.8.0.200.51515 > client2.5351: UDP, length 60
18:38:29.461997 IP 10.8.0.200.45324 > client2.domain: 29495+ A? kv601.prod.do.dsp.mp.microsoft.com. (52)
18:38:29.615888 IP 10.8.0.200.65397 > client2.domain: 3950+ A? v10.events.data.microsoft.com. (47)
18:38:29.862947 IP 10.8.0.200.55383 > client2.domain: 20646+ A? wpad.beeline. (30)
18:38:29.863002 IP client2 > 10.8.0.200: ICMP client2 udp port domain unreachable, length 66
18:38:30.127900 IP 10.8.0.200.11811 > client2.domain: 59036+ A? bt3.t-ru.org. (30)
18:38:30.637075 IP 10.8.0.200.51515 > client2.5351: UDP, length 60
18:38:31.475957 IP 10.8.0.200.65519 > client2.domain: 29495+ A? kv601.prod.do.dsp.mp.microsoft.com. (52)
18:38:31.476023 IP client2 > 10.8.0.200: ICMP client2 udp port domain unreachable, length 88
18:38:31.476768 IP 10.8.0.200.45324 > client2.domain: 29495+ A? kv601.prod.do.dsp.mp.microsoft.com. (52)
18:38:31.629376 IP 10.8.0.200.60819 > client2.domain: 3950+ A? v10.events.data.microsoft.com. (47)
18:38:31.629961 IP 10.8.0.200.65397 > client2.domain: 3950+ A? v10.events.data.microsoft.com. (47)
18:38:32.140961 IP 10.8.0.200.51515 > client2.5351: UDP, length 60
18:38:32.141027 IP client2 > 10.8.0.200: ICMP client2 udp port 5351 unreachable, length 96
18:38:32.141478 IP 10.8.0.200.64152 > client2.domain: 59036+ A? bt3.t-ru.org. (30)
18:38:32.141529 IP 10.8.0.200.11811 > client2.domain: 59036+ A? bt3.t-ru.org. (30)
18:38:33.869993 IP 10.8.0.200.57426 > client2.domain: 42815+ A? www.msftconnecttest.com. (41)
18:38:33.870057 IP client2 > 10.8.0.200: ICMP client2 udp port domain unreachable, length 77
18:38:33.901916 IP 10.8.0.200.51515 > client2.5351: UDP, length 60
18:38:33.901979 IP client2 > 10.8.0.200: ICMP client2 udp port 5351 unreachable, length 96
18:38:34.877544 IP 10.8.0.200.37417 > client2.domain: 42815+ A? www.msftconnecttest.com. (41)
18:38:34.877626 IP client2 > 10.8.0.200: ICMP client2 udp port domain unreachable, length 77
18:38:35.484699 IP 10.8.0.200.65519 > client2.domain: 29495+ A? kv601.prod.do.dsp.mp.microsoft.com. (52)
18:38:35.524774 IP 10.8.0.200.45324 > client2.domain: 29495+ A? kv601.prod.do.dsp.mp.microsoft.com. (52)
18:38:35.641804 IP 10.8.0.200.60819 > client2.domain: 3950+ A? v10.events.data.microsoft.com. (47)
18:38:35.642384 IP 10.8.0.200.65397 > client2.domain: 3950+ A? v10.events.data.microsoft.com. (47)
18:38:35.889436 IP 10.8.0.200.37417 > client2.domain: 42815+ A? www.msftconnecttest.com. (41)
18:38:35.889513 IP client2 > 10.8.0.200: ICMP client2 udp port domain unreachable, length 77
18:38:35.904666 IP 10.8.0.200.51515 > client2.5351: UDP, length 60

But nothing opens on Client1, although 8.8.8.8 can be pinged from the console.
Maybe I didn't set up the routing table correctly.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: How to start the Internet through openvpn client

Post by openvpn_inc » Thu Oct 27, 2022 11:46 am

Hi Sasha,

Please note that "subnet topology" makes no sense in openvpn configuration. There is no --subnet setting to be found in the manual. There is a --topology of course, a server setting, and since you did not set it you get "topology net30" as the default.

There may be more wrong in your configuration, but I didn't have time to go over it in detail, sorry. But I did add a few comments at the post Pippin linked, above.

regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
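
The point made in the reply above, as an added example that is not part of the thread or OpenVPN's own code: a small Python check, run over a constructed excerpt of the posted files, that flags the unrecognised "subnet" option and an ifconfig-push whose second argument is a netmask while the server is still on net30. The option list, function names and sample strings are assumptions made for this example.

```python
import ipaddress

# Option names taken from the configuration posted in this thread (not a full list).
KNOWN = set("""local port proto dev ca cert key dh auth tls-crypt topology server
ifconfig-pool-persist push push-reset keepalive cipher user group persist-key
persist-tun verb crl-verify status log client-config-dir ifconfig-push iroute
redirect-gateway dhcp-option""".split())

def is_netmask(value):
    """True for a dotted netmask such as 255.255.255.0, False for a host address."""
    try:
        ipaddress.ip_network("0.0.0.0/" + value)
        return "." in value
    except ValueError:
        return False

def directives(text):
    """Yield (name, args) per line; the option inside push "..." is yielded as well."""
    for line in text.splitlines():
        words = line.split("#")[0].replace('"', " ").split()
        if not words:
            continue
        yield words[0], words[1:]
        if words[0] == "push" and len(words) > 1:
            yield words[1], words[2:]

def lint(server_conf, ccd_files):
    """Return sorted (origin, message) findings for a server config and its ccd files."""
    topology = "net30"  # default when no topology line is set, as the reply states
    for name, args in directives(server_conf):
        if name == "topology" and args:
            topology = args[0]
    findings = set()
    for origin, text in [("server", server_conf)] + sorted(ccd_files.items()):
        for name, args in directives(text):
            if name not in KNOWN:
                findings.add((origin, "unknown option: " + name))
            if name == "ifconfig-push" and len(args) == 2:
                # subnet expects "address netmask"; net30 expects "local remote"
                if is_netmask(args[1]) != (topology == "subnet"):
                    findings.add((origin, "ifconfig-push does not match topology " + topology))
    return sorted(findings)

# Constructed sample, trimmed from the configuration posted above.
SERVER = 'dev tun\nsubnet topology\nserver 10.8.0.0 255.255.255.0\npush "dhcp-option DNS 8.8.8.8"\n'
CCD = {"Client1": 'push "subnet topology"\nifconfig-push 10.8.0.200 255.255.255.0\n',
       "Client2": 'push-reset\npush "subnet topology"\nifconfig-push 10.8.0.254 255.255.255.0\niroute 0.0.0.0 0.0.0.0\n'}

if __name__ == "__main__":
    for origin, message in lint(SERVER, CCD):
        print(origin + ": " + message)
```

With the server line changed to "topology subnet" and the pushed "subnet topology" lines removed from the ccd files, the same check returns no findings.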
