
I have the following structure:

Network diagram

What I'd like to achieve is essentially to route ALL traffic from the laptop clients (and any possible future client) through the MacOS OpenVPN client in the internal network.

I know the easiest thing would be to run an OpenVPN server on the MacOS internal server; however it is behind a proxy and firewall and can't be accessed from the outside (SSH tunneling is not an option in my case), which is why I have such a strange structure.

How should the clients and the server be configured to achieve this?

Bertrand Martel
Michal Tokarz
  • Can you be more clear on how you want the traffic to flow? Do you want to route all traffic (all Internet-bound traffic? all traffic to specific subnets?) from MacOS_user -> MacOS_onPrem -> AmazonEC2? Some more detail would be helpful. – Ben Franske Sep 26 '17 at 16:45
  • Hi Ben, I've updated question with a diagram, I hope it's more clear now. – Michal Tokarz Sep 27 '17 at 13:47

1 Answer

It is possible to route a subnet that is accessible only via another OpenVPN client using ccd files.

For example, in your case you would have to add configuration resembling this on your AWS server.

Let's assume that 10.80.0.1 is the IP of your AWS VPN gateway (the VPN address, not the external IP), and 10.0.2.0/24 is the subnet that you wish to route via the MacOS server.

In the file /etc/openvpn/ccd/macos_vpn_commonname:

# the subnet that sits behind the client with this common name
# (iroute only affects OpenVPN's internal routing, not the kernel)
iroute 10.0.2.0 255.255.255.0

You also need these lines in your OpenVPN server main config file on the AWS server:

client-config-dir /etc/openvpn/ccd
# kernel route into the tun interface on the AWS server; iroute alone adds none
route 10.0.2.0 255.255.255.0
# give the other clients a route to the subnet via the VPN gateway address
# (global here; it can instead go in the ccd files of the clients that need it)
push "route 10.0.2.0 255.255.255.0 10.80.0.1"

What this does is tell the OpenVPN server, when the macos_vpn_commonname client connects, that the subnet 10.0.2.0/24 is reachable via that client, and it enables routing via that tunnel. As far as I have tested, there is no other way to do it; even manually routing the traffic via the previously created tunnel will not work.

That would cover routing the subnet through the MacOS server. If you need to redirect ALL traffic through it, then let me know and I will try to help you further using ip rule / ip route on the AWS OpenVPN server and the redirect-gateway directive, as I'm not sure whether OpenVPN is prepared for such a scenario with its internal mechanisms.

bocian85
  • Just found out that if you want to route all traffic, `iroute 0.0.0.0 0.0.0.0` does not work. You have to use `iroute 1.0.0.0 255.0.0.0`, `iroute 2.0.0.0 254.0.0.0`, `iroute 4.0.0.0 252.0.0.0`, `iroute 8.0.0.0 248.0.0.0`, `iroute 16.0.0.0 240.0.0.0`, `iroute 32.0.0.0 224.0.0.0`, `iroute 64.0.0.0 192.0.0.0`, `iroute 128.0.0.0 128.0.0.0` – Chris Mar 18 '18 at 11:22
  • Well, yes, because I don't think it was designed to do that (I would have to check if that route even works), in openvpn you have a `redirect-gateway local def1` directive to do just that (redirect all traffic through VPN) - have you tried that ? Your approach is more like hammering the routes forcefully – bocian85 Mar 28 '18 at 15:48
  • Yes, I do, but it is not enough. I have `push "redirect-gateway def1"` in the ccd for the routed client, and all the iroutes in the ccd for the client acting as a gateway. This way all traffic from the routed client is forwarded/routed via the server to another client that acts as a default gateway. – Chris Mar 28 '18 at 20:00
  • You are a god, @Chris! I was banging my head on this issue for the last 3 hours. I had eventually assumed that `iroute 0.0.0.0 0.0.0.0` wouldn't work, but I tried `iroute 0.0.0.0 128.0.0.0` and `iroute 128.0.0.0 128.0.0.0` to no avail and pretty much gave up. Then I found this post. Your numerous `iroute` statements make all the difference. **Thank you.** P.S. - This is the **worst** topic to try and google, because pretty much **everyone** just wants to use a VPN to watch Netflix in other countries (& etc), not for wacky site-to-site purposes like this. :) – s.co.tt Sep 24 '19 at 06:27
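The following is an added example (not code from the answer, the comment authors or the OpenVPN project) that generates the three server-side pieces the answer and the comment thread describe: the ccd file for the client acting as gateway (iroute lines only), the ccd file for a routed client (pushed routes, plus `redirect-gateway def1` for the all-traffic case), and the extra lines for the server's main config. For the all-traffic case it expands 0.0.0.0/0 into the eight prefixes from Chris's comment and checks that they tile everything from 1.0.0.0 upward with no gap or overlap. Function names, the ccd directory default and the sample values are my own assumptions; `ipaddress.IPv4Network` is used in strict mode so a subnet with host bits set (such as 10.0.2.5/24) is rejected before it ends up in a config file.

```python
"""Added example: build OpenVPN server-side files for routing a subnet, or all
traffic, through another connected client.  Helper names, default paths and
sample values are assumptions for illustration, not OpenVPN's own API."""
import ipaddress
from typing import Iterable, List, Union

Net = Union[str, ipaddress.IPv4Network]


def _net(n: Net) -> ipaddress.IPv4Network:
    """Accept '10.0.2.0/24' or an IPv4Network; strict=True raises ValueError
    when host bits are set, which OpenVPN would reject as well."""
    return n if isinstance(n, ipaddress.IPv4Network) else ipaddress.IPv4Network(n, strict=True)


def default_route_iroutes() -> List[ipaddress.IPv4Network]:
    """The eight prefixes the comment thread uses instead of 0.0.0.0/0:
    1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, ..., 128.0.0.0/1.  The unroutable
    0.0.0.0/8 is deliberately left out, which is why the first prefix
    starts at 1.0.0.0 rather than 0.0.0.0."""
    nets = []
    for prefix in range(8, 0, -1):            # /8 down to /1
        first = 1 << (32 - prefix)            # 1.0.0.0, 2.0.0.0, 4.0.0.0, ...
        nets.append(ipaddress.IPv4Network((first, prefix)))
    return nets


def tiles_routable_space(nets: Iterable[Net]) -> bool:
    """True if the prefixes cover 1.0.0.0 .. 255.255.255.255 exactly once,
    i.e. no gaps and no overlaps (0.0.0.0/8 excluded)."""
    expected = int(ipaddress.IPv4Address("1.0.0.0"))
    for n in sorted(map(_net, nets), key=lambda x: int(x.network_address)):
        if int(n.network_address) != expected:
            return False
        expected = int(n.broadcast_address) + 1
    return expected == 2 ** 32


def ccd_for_gateway_client(subnets: Iterable[Net], route_all: bool = False) -> str:
    """ccd file for the client that acts as the gateway (the MacOS box in the
    question).  Only iroute lines belong here: they tell the OpenVPN server
    which prefixes sit behind this particular client."""
    nets = [_net(s) for s in subnets]
    if route_all:
        nets += default_route_iroutes()
    return "".join(f"iroute {n.network_address} {n.netmask}\n" for n in nets)


def ccd_for_routed_client(subnets: Iterable[Net], vpn_gateway: str,
                          route_all: bool = False) -> str:
    """ccd file for a client that should reach the subnets through the gateway
    client.  push lines apply to the client whose ccd they are in, so they must
    not be placed in the gateway client's own ccd (it would be told to route
    its own LAN into the tunnel)."""
    lines = [f'push "route {n.network_address} {n.netmask} {vpn_gateway}"\n'
             for n in map(_net, subnets)]
    if route_all:
        lines.append('push "redirect-gateway def1"\n')
    return "".join(lines)


def server_config_lines(subnets: Iterable[Net], ccd_dir: str = "/etc/openvpn/ccd") -> str:
    """Lines for the server's main config: enable the ccd directory and add a
    kernel route into the tun interface for each routed subnet (iroute alone
    creates no kernel route).  The all-traffic case additionally needs policy
    routing on the server so the server keeps its own default route; the
    thread only alludes to that (ip rule / ip route) and it is not generated."""
    out = [f"client-config-dir {ccd_dir}\n"]
    out += [f"route {n.network_address} {n.netmask}\n" for n in map(_net, subnets)]
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values matching the answer's assumptions.
    SUBNET, VPN_GW = "10.0.2.0/24", "10.80.0.1"
    print("--- ccd/macos_vpn_commonname (gateway client) ---")
    print(ccd_for_gateway_client([SUBNET], route_all=True), end="")
    print("--- ccd/laptop_commonname (routed client) ---")
    print(ccd_for_routed_client([SUBNET], VPN_GW, route_all=True), end="")
    print("--- server.conf additions ---")
    print(server_config_lines([SUBNET]), end="")
    print("eight prefixes tile 1.0.0.0/8 .. 255.255.255.255:",
          tiles_routable_space(default_route_iroutes()))
```

Write the two ccd strings to files named after each client's certificate common name under the directory given to `client-config-dir`, and append the server lines to the main server config; restart the server afterwards so the kernel `route` entries are installed.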