0

I have the following scenario:

enter image description here

Server C and Server D can connect just fine to Server A and Server B , but Server B and Server A can not connect to Server C and Server D.

I found some people having the same problem, but not a fix for it.

This is my openvpn client config:

auth-nocache
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
cipher AES-256-CBC
client
comp-lzo no
dev tun0
group nogroup
key /etc/openvpn/client/client.key
nobind
persist-key
persist-tun
proto udp
pull-filter ignore "redirect-gateway"
remote REDACTED
remote-cert-tls server
reneg-sec 86400
user nobody
verb 3

This is my server config:

ca /etc/openvpn/keys/ca/pki/ca.crt
cert /etc/openvpn/keys/server/client.crt
cipher AES-256-CBC
comp-lzo no
dev tun0
dh /etc/openvpn/keys/ca/pki/dh.pem
ifconfig-pool-persist /tmp/ipp_udp.txt
keepalive 5 15
key /etc/openvpn/keys/server/client.key
local REDACTED
max-clients 10
mute 10
persist-key
persist-tun
port 1149
proto udp
push "redirect-gateway def1 bypass-dhcp"
push "route 172.16.254.0 255.255.255.0"
rcvbuf 0
reneg-sec 86400
server 172.19.0.0 255.255.255.0
user nobody
verb 3

If I connect to the openvpn server and try to ping the tun0 ip of the openvpn client it works, but if i try to ping the 172.16.0.1 ( another IP on the openvpn client ) it fails, and the strange part is that I do not even see the ICMP packet coming in from the tun0 interface on the openvpn client.

I'd be really glad if someone could help me with this config.

Jose
  • 21
  • 1
  • 2

1 Answers1

0

You must use client-config-dir or client-connect script to generate on-connect configuration for that client. The first method is easier and I'll describe it. You should also read man openvpn (which is very long page, the comprehensive manual of the software) for all the details and for getting into scripting if you want to.

Create the directory somewhere; I usually lay all additional files (certs, keys, crl, moduli and so on) for the VPN named "X" into /etc/openvpn/server/X so this naturally becomes /etc/openvpn/server/X/ccd. In the VPN server add:

route 172.16.0.0 255.255.255.0
client-config-dir /path/to/ccd

Inside this directory put the configuration file named after the common name of the client certificate. (Didn't I tell already every client must have its own unique common name and therefore unique certificate and the hazardous duplicate-cn directive should be removed from the OpenVPN?) Well, if the client CN in the certificate is someclient, you create a file /path/to/ccd/someclient and put inside it at least the following line:

iroute 172.16.0.0 255.255.255.0

The route directive is the command to add route to the OS, so when server starts it will tell OS that when it sees the packet destined for that network it should route it into the VPN. If you have other clients that need to communicate to that client's LAN, you also need to push the same route command.

The server directive makes the OpenVPN process itself to become an additional IP router which has its own routing table. Normally it only contains routes towards inside-VPN peer addresses from the subnet that is specified in the server arguments, but in this case you need to tell it to route an additional network through specific client. The iroute, specified for the particular client, tells it to route the provided network towards that client. You can use management server (management directive) status command or periodic status file dumping (status directive) to see this internal routing table.

Nikita Kipriyanov
  • 10,947
  • 2
  • 24
  • 45