
I have been struggling with a specific OpenVPN scenario for a few months now. I have been researching on Google, reading on Serverfault, browsing blogs and other forums, and messing with my config time and time again. I am not sure anymore if my requirements even logically work.

Here is the scenario:

I have a rented root server, which I use for several services: cloud storage, backups, etc. To keep it simple, let's call the elements Client1, Client2 and Server1.

Server1 is using the tun device.

  • Client1 Physical Network: 192.168.1.0/24
  • Client2 Physical Network: 192.168.178.0/24
  • Client1 Physical IP: 192.168.1.4
  • Client2 Physical IP: 192.168.178.22

  • Server1 Virtual Network: 192.168.2.0/24

  • Server1 VPN-IP: 192.168.2.1
  • Client1 VPN-IP: 192.168.2.6
  • Client2 VPN-IP: 192.168.2.10

Both clients can connect to the VPN server and use its services without problems. Both clients can ping the server's VPN-IP successfully. Server1 can't ping the clients' VPN-IPs. Both clients can't ping each other's VPN-IP.

I want to connect both clients so that they can communicate as in a physical LAN, but fail to do so.

Here are my configurations.

Server config:

port 1195
proto tcp-server
dev tun1
ca keys/server1/ca.crt
cert keys/server1/openvpn-server.crt
key keys/server1/openvpn-server.key
dh keys/server1/dh4096.pem
server 192.168.2.0 255.255.255.0
crl-verify keys/server1/crl.pem
ifconfig-pool-persist servers/server1/logs/ipp.txt
cipher AES-256-CBC
user nobody
group nogroup
status servers/server1/logs/openvpn-status.log
log-append servers/server1/logs/openvpn.log
verb 2
mute 20
max-clients 100
local XXX.XXX.XXX.245
management 127.0.0.1 8877
keepalive 10 120
client-config-dir /etc/openvpn/servers/server1/ccd
client-to-client
comp-lzo
persist-key
persist-tun
ccd-exclusive
push "redirect-gateway def1"
push "dhcp-option DNS XXX.XXX.XXX.98"
push "route 192.168.2.0 255.255.255.0"

Client1 config:

client
proto tcp-client
dev tun
ca ca.crt
dh dh4096.pem
cert user1.crt
key user1.key
remote XXX.XXX.XXX.245 1195
cipher AES-256-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind
push "route-gateway 192.168.2.1"

Client2's config is, besides the certificates, exactly the same.

On the server, /etc/sysctl.conf contains the entry net.ipv4.ip_forward=1. The client firewalls have been adjusted to let OpenVPN pass through. IP forwarding is activated on both clients via the IPEnableRouter registry switch.

iptables has only one specific extra rule, to enable access to the Internet:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to XXX.XXX.XXX.245

Most FAQs, tutorials or blog posts talk about connecting clients of multiple different VPNs. I would like to have my clients in the same VPN. I am at my wits' end; I can't get the clients to even ping each other. Is this even possible, or have I completely misunderstood the concept of a VPN?

I would appreciate every hint you can give me to solve this self-created problem.

Edit: Traceroute Client1 -> Server1

traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 60 byte packets
1  19 ms  18 ms  18 ms  192.168.2.1

Traceroute Client1 -> Client2

traceroute to 192.168.2.10 (192.168.2.10), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Traceroute Server1 -> Client1 results in the same as Client1 -> Client2.
  • If you want your client to have an IP address on the server network, you need to use OpenVPN in bridge mode – c4f4t0r Apr 19 '14 at 14:28
  • The client-to-client directive should take care of that. Can you post a `traceroute` from a client to the server, and from the client to the other client? – MichelZ Apr 19 '14 at 14:31
  • @MichelZ I added the traceroutes in the initial post. This is not making any sense to me, since I defined the gateway as the address of Server1. – Raphael H Apr 19 '14 at 14:49
  • @RagnarT: Can you verify that the route gets pushed successfully on the client? – MichelZ Apr 19 '14 at 14:55
  • @MichelZ this is interesting. "Sat Apr 19 17:05:53 2014 Warning: route gateway is not reachable on any active network adapters: 192.168.2.1" – Raphael H Apr 19 '14 at 15:10
  • @RagnarT: this has probably something to do with it then :) Unfortunately, I don't know how to solve it, as I'm more of a Windows guy :) – MichelZ Apr 19 '14 at 15:53
  • @MichelZ It's fine, you gave me a lot of good input and I got a new lead I can investigate. Thank you! :) – Raphael H Apr 19 '14 at 15:57
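The warning quoted in the comments ("route gateway is not reachable on any active network adapters: 192.168.2.1") is explained by how OpenVPN hands out addresses in its default "topology net30": every client owns a /30 inside the server subnet, takes the second usable address and talks to a virtual point-to-point peer on the first. The VPN-IPs in the question (192.168.2.6 and 192.168.2.10) fall exactly on that pattern, so 192.168.2.1 is not on either client's link and cannot serve as a next hop for a client-side route. The following script is an added example, not code from the post or from OpenVPN; it assumes net30 (the posted configs set no topology directive) and uses the addresses from the question plus a constructed client log line carrying the quoted warning.

```python
import ipaddress
import re

# Addresses taken from the question: the route-gateway named in the client
# config and the VPN-IPs each client was assigned.
ROUTE_GATEWAY = "192.168.2.1"
CLIENT_VPN_IPS = {"Client1": "192.168.2.6", "Client2": "192.168.2.10"}

# Constructed client log: an ordinary line plus the warning quoted in the
# comments, so the parser below has realistic input to work on.
CLIENT_LOG = [
    "Sat Apr 19 17:05:53 2014 TUN/TAP device tun0 opened",
    "Sat Apr 19 17:05:53 2014 Warning: route gateway is not reachable "
    "on any active network adapters: 192.168.2.1",
]


def net30_link(client_ip):
    """Model OpenVPN's 'topology net30' for a *client* address (assumed here,
    the page sets no topology): the client owns a /30, uses its 2nd usable
    address and has a virtual peer on the 1st. Returns (client, peer, block).
    """
    block = ipaddress.ip_network(f"{client_ip}/30", strict=False)
    first, second = list(block.hosts())  # a /30 has exactly two usable hosts
    return str(second), str(first), block


def gateway_on_link(client_ip, gateway):
    """True when the gateway lies inside the client's own /30 and can be used
    as a next hop. A gateway elsewhere in the /24 is not directly reachable
    from a net30 client, which is exactly what the OpenVPN warning reports."""
    _, _, block = net30_link(client_ip)
    return ipaddress.ip_address(gateway) in block


WARNING_RE = re.compile(
    r"route gateway is not reachable on any active network adapters: (\S+)"
)


def unreachable_gateways(lines):
    """Extract the gateway address from every 'route gateway is not reachable'
    warning found in a client log."""
    return [m.group(1) for line in lines if (m := WARNING_RE.search(line))]


def diagnose(client_ip, gateway, log_lines):
    """Combine the addressing model with the log: what the client really has
    on its link, whether the configured gateway is usable, and which gateways
    OpenVPN itself complained about."""
    client, peer, block = net30_link(client_ip)
    return {
        "client": client,
        "peer": peer,
        "block": str(block),
        "gateway_on_link": gateway_on_link(client_ip, gateway),
        "warned_gateways": unreachable_gateways(log_lines),
    }


if __name__ == "__main__":
    for name, ip in CLIENT_VPN_IPS.items():
        print(name, diagnose(ip, ROUTE_GATEWAY, CLIENT_LOG))
```

For Client1 the model yields the block 192.168.2.4/30 with peer 192.168.2.5, and `gateway_on_link` is False for 192.168.2.1, matching the logged warning; the same holds for Client2 in 192.168.2.8/30. Separately, `client-to-client` makes the server's OpenVPN process relay traffic between clients internally, so those packets never traverse the server kernel's routing table or netfilter; with the directive off, they are handed to the tun interface and are subject to `ip_forward` and the iptables FORWARD chain, which is why the firewall starts to matter at that point.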

1 Answer

I don't know why it is the case, but the solution was to turn off client-to-client. When I had client-to-client enabled, OpenVPN ignored the gateway I set and traceroute did not even reach the VPN server. After I turned it off, traceroutes were finally routed over the gateway. After adjusting the firewall for OpenVPN, it went through in 2 hops.

To be honest this is mind-boggling, since client-to-client does the opposite by definition. I will try to reproduce this in a new environment, since I have a little stomachache about leaving client-to-client off. But for now I will just accept it.