
My use case: I want to route all Internet traffic from machine B through machine A. However, I cannot simply install OpenVPN server on machine A as machine A is behind layers of NATs/firewalls I don't control. My current solution is to install OpenVPN server on machine C, and have both machines A and B connect to C as clients. I'm trying to set up proper routes so that all traffic from B can be routed through A. The setup on each machine and the steps I have attempted are detailed below and my remaining problem is in the second to last paragraph.

Now, machine C runs Linux and OpenVPN server in a Docker container (https://github.com/kylemanna/docker-openvpn). With redirect-gateway def1, both client machines can connect and route traffic through the server (https://ipleak.net confirms the server IP). For the following tests though, redirect-gateway def1 is removed, while topology subnet and client-to-client are added. The server has subnet IP 192.168.255.1 and public IP AAA.BBB.CCC.DDD.

machine A runs Windows and has IPEnableRouter=1 set in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, Service Routing and Remote Access set to Automatic and running, and the network adapter with Internet access set to allow sharing from the OpenVPN TAP adapter. It is assigned 192.168.255.2.

machine B runs Windows and is behind a router with IP 192.168.1.100. It is assigned OpenVPN subnet IP 192.168.255.3. The following routes are added in addition to what OpenVPN sets up automatically:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0        128.0.0.0    192.168.255.2    192.168.255.3    259
        128.0.0.0        128.0.0.0    192.168.255.2    192.168.255.3    259
  AAA.BBB.CCC.DDD  255.255.255.255      192.168.1.1    192.168.1.100    291

From machine B, I can ping machine A at 192.168.255.2, but Internet traffic is still routed through the OpenVPN server (ipleak shows AAA.BBB.CCC.DDD). I tried adding a route on the server: route add default gw 192.168.255.2 tun0, but this makes the clients unable to access the Internet. The server route table typically looks like:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.19.0.1      0.0.0.0         UG    0      0        0 eth0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
192.168.254.0   192.168.255.2   255.255.255.0   UG    0      0        0 tun0
192.168.255.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0

How can I make this work?

[EDIT] A little more context on the use case: I need to set up a VPN for a division so that their users' home computers (machine B) can access third-party resources that restrict access based on IP address. Access to machine A is not blocked, but there are at least two layers of NAT/firewalls up the organization, whose admins do not want to change their setup to help with incoming connections. We therefore want to devise a working solution using machine C, which may be a VPS, as the VPN server. There is an official VPN service, but since it is open to certain outside members, the third-party vendor does not wish to allow its IP access.

Network Diagram

Roc W.
  • I'm a little confused about this "on hold" message: I gave **the desired end state / clear problem statement** in the first paragraph, the specific problem or error in the second to last paragraph, sufficient information about the config and environment AND attempted solution in detail throughout the whole post. – Roc W. Aug 07 '19 at 14:42
  • The question is in the review queue to possibly be re-opened - if enough reviewers think that the question is now suitable, it will get re-opened. Personally, I think it should still be closed because it's not a professional way to do things, but I'll let the review process run its course. – Ward - Trying Codidact Aug 09 '19 at 01:40
  • Thanks for the comment. I actually don't have a working solution, let alone a professional one. So if there is a completely different way to achieve what I wanted to do, I would certainly love to learn about it. I just wanted to show what I have tried. Or do you mean what I wanted to do (i.e., the problem statement) is somehow in itself intrinsically flawed? – Roc W. Aug 09 '19 at 01:53
  • Hi, thanks for the edit, but I would add a small network diagram to help. The IP is blocked depending on the range, so why doesn't the netadmin allow your other range? Managing that workaround will cost you a lot of time to debug for all your users and would add a big bottleneck to access the resource. – yagmoth555 Aug 13 '19 at 02:23
  • I added a network diagram. The access to said resources is provided by a third-party vendor, who does not want to deal with users' home network (understandably) or even the organization-wide VPN. – Roc W. Aug 13 '19 at 15:05
  • It's nowhere near the solution you try to do, but did you think that a simple RDS server in your main site could make the resource available for your remote user, without the need to create such a VPN tunnel? It's a scenario I've seen a lot, less complex to deploy too. – yagmoth555 Aug 14 '19 at 02:36
  • @yagmoth555 The problem is that although machine A does have a public IP, for some reason, the network setup is so convoluted that allowing incoming connection to machine A apparently requires some coordination and changing firewall settings on more than one layer. This is also why setting up OpenVPN server on machine A didn't work out. – Roc W. Aug 15 '19 at 15:52
  • @RocWhite Now you make me doubt my vote. Is it a firewall you control, or only the third-party vendor that blocks you? As it's illogical to create a bypass scenario to bypass your own netadmin department. Such a question would be closed back. – yagmoth555 Aug 15 '19 at 16:09
  • I just found a solution to this problem! To answer your questions though, only the third party blocks access based on IP range. Our own network does not block machine A per se, and as I was saying in meta, our IT admins allow us to set up any servers or VPNs, as long as they don't need to deal with and support it or set up the necessary port forwarding. Now one can argue whether this fits SF's view of how a professional network should be operated, but to us this is a real and legitimate use case in a real business environment. I do appreciate your patience and help making this question more clear. – Roc W. Aug 17 '19 at 03:48

2 Answers


In principle, the setup should be similar to RoutedLans, except that we cannot simply set machine A to handle 0.0.0.0. This SF answer explains why packets cannot be sent through another client as the gateway using the TUN interface. However, there is a workaround according to the first comment to this answer.

On machine C:

  1. Add the following to the server configuration:
topology subnet
client-to-client

# Eight supernets that together cover every address outside 0.0.0.0/8,
# so the whole Internet is routed without ever using a 0.0.0.0/0 route
route 1.0.0.0 255.0.0.0
route 2.0.0.0 254.0.0.0
route 4.0.0.0 252.0.0.0
route 8.0.0.0 248.0.0.0
route 16.0.0.0 240.0.0.0
route 32.0.0.0 224.0.0.0
route 64.0.0.0 192.0.0.0
route 128.0.0.0 128.0.0.0

# Push the same eight routes to the clients
push "route 1.0.0.0 255.0.0.0"
push "route 2.0.0.0 254.0.0.0"
push "route 4.0.0.0 252.0.0.0"
push "route 8.0.0.0 248.0.0.0"
push "route 16.0.0.0 240.0.0.0"
push "route 32.0.0.0 224.0.0.0"
push "route 64.0.0.0 192.0.0.0"
push "route 128.0.0.0 128.0.0.0"
  2. Set iroutes and a static IP for machine A in client-config-dir:
# Fixed VPN address for machine A
ifconfig-push 192.168.255.2 255.255.255.0
push "route 192.168.255.0 255.255.255.0 192.168.255.1"

# iroute tells the OpenVPN server that these networks are reachable via this client
iroute 1.0.0.0 255.0.0.0
iroute 2.0.0.0 254.0.0.0
iroute 4.0.0.0 252.0.0.0
iroute 8.0.0.0 248.0.0.0
iroute 16.0.0.0 240.0.0.0
iroute 32.0.0.0 224.0.0.0
iroute 64.0.0.0 192.0.0.0
iroute 128.0.0.0 128.0.0.0

On machine A:

  1. In HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, set IPEnableRouter=1.

  2. Set service Routing and Remote Access to Automatic and make sure it is running.

  3. Set the network adapter with Internet access to allow sharing from the OpenVPN TAP adapter. It appears that sharing has to be disabled and re-enabled every time the machine is rebooted.

On machine B: make sure redirect-gateway def1 is in the client configuration.
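As an added example (my own script, not part of the answer above), the following Python generates the eight route/push/iroute lines from the underlying prefix split and checks which destination addresses the set actually covers; the function names are assumptions of this example, and the push of the VPN subnet route from the ccd file is left out.

```python
import ipaddress

# Added example: reproduce the power-of-two supernet split used in the answer
# to hand the whole Internet to machine A without a 0.0.0.0/0 route.

def supernets_excluding_zero(exclude_len=8):
    """Networks that together cover 0.0.0.0/0 except 0.0.0.0/<exclude_len>.

    For each prefix length p from exclude_len down to 1, take the upper half
    of 0.0.0.0/(p-1), i.e. the block starting at 2**(32-p). With the default
    of 8 this yields 1.0.0.0/8, 2.0.0.0/7, ... 128.0.0.0/1; 0.0.0.0/8 is
    "this network" (RFC 1122) and never needs to be forwarded anyway.
    """
    return [ipaddress.ip_network((1 << (32 - p), p))
            for p in range(exclude_len, 0, -1)]

def render_server_lines(nets):
    """Lines for machine C's server config: kernel routes plus routes pushed to clients."""
    lines = [f"route {n.network_address} {n.netmask}" for n in nets]
    lines += [f'push "route {n.network_address} {n.netmask}"' for n in nets]
    return lines

def render_ccd_lines(nets, client_ip="192.168.255.2", subnet_mask="255.255.255.0"):
    """Lines for machine A's client-config-dir file: fixed VPN address plus iroutes."""
    lines = [f"ifconfig-push {client_ip} {subnet_mask}"]
    lines += [f"iroute {n.network_address} {n.netmask}" for n in nets]
    return lines

def covered(nets, addr):
    """True if addr falls inside any generated network, i.e. the server forwards it to machine A."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

if __name__ == "__main__":
    nets = supernets_excluding_zero()
    print("\n".join(render_server_lines(nets)))
    print()
    print("\n".join(render_ccd_lines(nets)))
    # Constructed sample destinations: only 0.0.0.0/8 stays outside the split
    for a in ("0.255.255.255", "1.0.0.0", "8.8.8.8", "255.255.255.255"):
        print(a, "->", "machine A" if covered(nets, a) else "not covered")
```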

Roc W.

I had success with a similar setup using a client-specific configuration for machine A with a single option:
/etc/openvpn/ccd/machine-a.conf
iroute 0.0.0.0 0.0.0.0

machine B must use one of the redirect-gateway options available.

machine C must use these options (among others):

dev tun1
client-to-client
topology subnet
client-config-dir /etc/openvpn/ccd

Checked on OpenVPN 2.6_rc1.

Thanks Roc W for the idea with the handling of 0.0.0.0!

p.s. Yes, I've seen in other answers to questions linked to Roc W's post that iroute 0.0.0.0 0.0.0.0 doesn't work. But I've done a few checks with tcpdump and IP verification, and it seems to work fine. But maybe I've missed something...

Boris