Peer to Peer communication between clients
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Oct 10, 2011 4:37 pm
Peer to Peer communication between clients
Hello guys, this is my first post.
I am currently using a FreeBSD router/firewall/OpenVPN server/client called pfSense to establish a VPN between a server and two clients. pfSense only supports peer to peer client communications, so I am set up using peer to peer where device 1 is a server out on the internet, and device 2 and 3 are clients elsewhere. They are successfully connected and can communicate with the server. My goal is to find a way to route traffic from device 2 to device 3 and vice versa. I am hoping someone has a little experience in a similar situation and can help. I will gladly provide any additional information, go easy on me if I forgot anything important =[
I am testing this all on a LAN right now.
Server:
WAN: 192.168.1.147
LAN: 192.168.10.1/24
Client1:
WAN: 192.168.1.141
LAN: 192.168.20.1/24
Client2:
WAN 192.168.1.144
LAN: 192.168.30.1/24
Devices in the LAN of Client1 and Client2 can ping devices in the Server LAN, however the server cannot ping back. I don't need it to. I need devices in the LAN of Client1 to be able to talk to the devices in the LAN of Client2. The Server is configured for Peer-to-Peer w/ Shared Key. It looks like I need something along the lines of a push and route and iroute but I am not very technical so if someone could explain how to use these accordingly it would be a great help.
Thanks guys
digiwolff
Configs:
Server:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.147
ifconfig 192.168.102.1 192.168.102.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 1
push "route 192.168.30.1 255.255.255.0"
route 192.168.20.1 255.255.255.0
secret /var/etc/openvpn/server1.secret
comp-lzo
log /var/log/opvn1.log
log-append /var/log/opvn1.log
verb 7
Client 1:
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.141
lport 0
management /var/etc/openvpn/client1.sock unix
remote 192.168.1.147 1194
ifconfig 192.168.102.2 192.168.102.1
route 192.168.10.1 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo
Client 2 is almost identical
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Peer to Peer communication between clients
in peer-to-peer mode using static keys only a single client can connect to the server at a time - how did you get two clients to connect at the same time?
-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Oct 10, 2011 4:37 pm
Re: Peer to Peer communication between clients
janjust wrote: in peer-to-peer mode using static keys only a single client can connect to the server at a time - how did you get two clients to connect at the same time?
I actually configured two separate servers on the same hardware, one is on port 1194 and one is on port 1195
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Peer to Peer communication between clients
aha... using 'push' statements in peer-to-peer server config files does not do much, by the way.
if each client can ping the server then it's just a matter of setting up the right routing; make sure ip forwarding is turned on on the server and set up the right routes and iptables rules.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Oct 10, 2011 4:37 pm
Re: Peer to Peer communication between clients
janjust wrote: aha... using 'push' statements in peer-to-peer server config files does not do much, by the way.
if each client can ping the server then it's just a matter of setting up the right routing; make sure ip forwarding is turned on on the server and set up the right routes and iptables rules.
That is what I need a little guidance with then =]
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Peer to Peer communication between clients
errrr, don't know how to do all of that on *BSD...
on client1 (subnet .20/24) I'd set up routes by adding
route 192.168.10.0 255.255.255.0
route 192.168.30.0 255.255.255.0
to the config file; similarly for client2
the thing I **don't** know how to do is how to set up IP forwarding and/or pf/iptables rules on freebsd - try googling using 'ip forwarding freebsd'
-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Oct 10, 2011 4:37 pm
Re: Peer to Peer communication between clients
great I'll give this a try. Can you break down exactly what the route command does? I mean I understand the syntax but what exactly am I telling it to do.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Peer to Peer communication between clients
this is openvpn config file syntax and it tells openvpn to tell the operating system to route all traffic intended for 192.168.10.0 with a netmask of 255.255.255.0 via the VPN tunnel. See the OpenVPN manual page for more details on the exact semantics of the 'route' option.
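To make the routing janjust describes concrete for this hub-and-spoke layout, here is an added example (not code from the thread or from OpenVPN/pfSense) that derives the `route` lines each endpoint needs and lints the posted configs for the two issues visible there: `push` in a static-key peer-to-peer instance, and route targets given as a host address (192.168.20.1) rather than the network address. The tunnel pair and port of the second server instance (192.168.103.x, 1195) are assumptions, since the thread only shows the first one.

```python
import ipaddress

# Constructed topology from the thread: one pfSense hub running a separate
# static-key p2p instance per spoke, each with its own port and tun pair.
# The second instance's tunnel addresses are assumed (only 1195 is stated).
HUB_LAN = ipaddress.ip_network("192.168.10.0/24")
SPOKES = {
    "client1": {"lan": ipaddress.ip_network("192.168.20.0/24"),
                "hub_tun": "192.168.102.1", "spoke_tun": "192.168.102.2", "port": 1194},
    "client2": {"lan": ipaddress.ip_network("192.168.30.0/24"),
                "hub_tun": "192.168.103.1", "spoke_tun": "192.168.103.2", "port": 1195},
}

def route_line(net):
    """Render an OpenVPN 'route' directive with the host bits cleared."""
    return f"route {net.network_address} {net.netmask}"

def hub_routes():
    """Each hub instance routes only its own spoke's LAN into its tunnel.
    Spoke-to-spoke traffic then crosses the hub's shared routing table,
    which works once IP forwarding is enabled on the hub."""
    return {name: [route_line(s["lan"])] for name, s in SPOKES.items()}

def spoke_routes(name):
    """A spoke sends the hub LAN and every other spoke's LAN into its tunnel.
    In p2p mode there is no 'iroute'; both ends carry plain 'route' lines."""
    routes = [route_line(HUB_LAN)]
    routes += [route_line(s["lan"]) for n, s in SPOKES.items() if n != name]
    return routes

def lint_p2p_config(text):
    """Return findings for a static-key p2p config: 'push' is ignored without
    a --server/--mode server setup, and route targets must be network addresses."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "push":
            findings.append(f"'{line}': push is ignored in peer-to-peer static-key mode")
        elif parts[0] == "route" and len(parts) >= 3:
            try:
                ipaddress.ip_network(f"{parts[1]}/{parts[2]}")  # strict: host bits set -> error
            except ValueError:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
                findings.append(f"'{line}': host bits set, use '{route_line(net)}'")
    return findings

if __name__ == "__main__":
    print("client1:", spoke_routes("client1"))
    print(lint_p2p_config('push "route 192.168.30.1 255.255.255.0"\nroute 192.168.20.1 255.255.255.0'))
```

The forwarding switch the thread leaves open is, on FreeBSD, the sysctl `net.inet.ip.forwarding=1` (stated here as general FreeBSD knowledge, not from the thread); the firewall on the hub must then permit traffic between the two tun interfaces.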
-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Oct 10, 2011 4:37 pm
Re: Peer to Peer communication between clients
Okay so I understand that totally. Once traffic is routed to the server though, how can I route it to the other client? The server cannot ping devices on the client network, only the clients can ping the server, is that normal?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Peer to Peer communication between clients
the server can ping the VPN IP of the client, not further: that is normal/by design. If you wish to change that read up on
http://openvpn.net/index.php/open-sourc ... html#scope
-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Oct 10, 2011 4:37 pm
Re: Peer to Peer communication between clients
Yes, I have been able to ping the VPN of the clients. Using this push on both clients, will devices on the client1 network be able to talk to devices on the client2 network? I need all devices on client1 to be able to communicate with all devices on client2, that's why it concerns me that the server can't communicate past the virtual NIC.