
On an ESXi server I have several VMs: one with an external IP address (and internet access) that is configured as NAT (and plays the OpenVPN server role), and several VMs in a VLAN (using 192.168.182.*/28 IP addresses).

I have set up an OpenVPN server & client as described in the Debian docs to access those VLAN virtual machines.

Currently I have a running (tun) OpenVPN server & client; they can ping each other via the tun0 interface.

The problem is that I can't ping the machines that are in the ESXi VLAN from the OpenVPN client. Could you please advise a way to fix that?

OpenVPN client routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         88.198.179.46   0.0.0.0         UG    0      0        0 eth0
10.9.8.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
88.198.179.40   0.0.0.0         255.255.255.248 U     0      0        0 eth0

OpenVPN server routing table:

default         static.193.120. 0.0.0.0         UG    0      0        0 eth0
10.9.8.2        *               255.255.255.255 UH    0      0        0 tun0
46.4.120.192    *               255.255.255.224 U     0      0        0 eth0
192.168.182.16  *               255.255.255.240 U     0      0        0 eth1

As I understand it, I have to route packets on the OpenVPN server to the 192.168.182.*/28 VLAN.

I have enabled IPv4 forwarding using the following command: echo "1" > /proc/sys/net/ipv4/ip_forward

I have added the following rules to iptables (88.198.179.41/29 is the client IP/subnet), but this did not help:

*nat
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to-source 46.4.120.218
COMMIT

*filter
-A FORWARD -s 192.168.182.0/24 -d 88.198.179.41/29 -j ACCEPT
-A FORWARD -d 192.168.182.0/24 -s 88.198.179.41/29 -j ACCEPT
COMMIT

Perhaps I have to define some route on the VPN client?

avasin
  • Unless your OpenVPN server is your default GW, or your OpenVPN server is doing NAT, you will need to either add a route on your GW, or add routes to all your servers so that packets for your OpenVPN client IPs wind up at the OpenVPN server – Doon Jun 12 '15 at 17:22
  • I tried to add the OVPN server as gateway to the 192.168 subnet on the OVPN client via the command `route add -net 192.168.0.0/24 gw 46.4.120.218`, but this leads to a `SIOCADDRT: No such process` error. – avasin Jun 12 '15 at 17:32

1 Answer

You didn't post your OpenVPN config, but I'm guessing you're missing the route to the rest of the LAN:

push "route 192.168.182.0 255.255.255.240"

This will add the necessary route on the client when they connect. Also, make sure that the other clients on your LAN know to use the OpenVPN server as their gateway for the OpenVPN network.

Jim G.
  • By `other clients on your LAN` do you mean VMs in the VLAN behind the OpenVPN server, or OpenVPN clients? I've copied server.conf from the examples to /etc/openvpn/server.conf and enabled push as you said.. but nothing changed, I still can't access the VLAN VMs :( – avasin Jun 12 '15 at 18:13
  • I mean the VMs behind the server. Please post sanitized server and client conf files; that will eliminate any confusion. – Jim G. Jun 12 '15 at 20:48
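Why the manual `route add` in the comments was rejected and what the pushed route has to do, as an added example (my code, not from the thread or from OpenVPN): it replays the client routing table quoted in the question through a longest-prefix-match lookup and a model of the kernel's on-link check for a new route's gateway. Assumed: a VLAN host 192.168.182.20, and that the pushed route uses the server's tun0 address 10.9.8.1 as its gateway.

```python
import ipaddress

# Constructed copy of the client routing table quoted in the question (netstat -rn layout).
CLIENT_ROUTES = """\
0.0.0.0         88.198.179.46   0.0.0.0         UG    0      0        0 eth0
10.9.8.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
88.198.179.40   0.0.0.0         255.255.255.248 U     0      0        0 eth0
"""

def parse_routes(text):
    """Turn netstat -rn lines into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, *_counters, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def add_route(routes, net, gw):
    """Model `route add -net NET gw GW`: the kernel only accepts a next hop that is
    reachable through an on-link route (one with no gateway of its own)."""
    gw_ip = ipaddress.ip_address(gw)
    via = lookup(routes, gw_ip)
    if via is None or via[1] is not None:
        # 46.4.120.218 is only reachable through the default gateway, which is
        # the "SIOCADDRT: No such process" case from the comments.
        raise OSError("SIOCADDRT: No such process")
    route = (ipaddress.ip_network(net), gw_ip, via[2])
    routes.append(route)
    return route

def reaches_over_vpn(routes, host):
    """True when traffic for host leaves via tun0, i.e. the VLAN is behind the VPN."""
    hit = lookup(routes, host)
    return hit is not None and hit[2] == "tun0"

if __name__ == "__main__":
    routes = parse_routes(CLIENT_ROUTES)
    print("before:", lookup(routes, "192.168.182.20"))        # default route, eth0
    try:
        add_route(routes, "192.168.0.0/24", "46.4.120.218")   # the manual attempt
    except OSError as e:
        print("manual route rejected:", e)
    add_route(routes, "192.168.182.16/28", "10.9.8.1")        # what a pushed route installs
    print("after:", reaches_over_vpn(routes, "192.168.182.20"))  # True
```

The server's own table puts the VLAN at 192.168.182.16/28 on eth1, so that is the prefix the pushed route needs to contain; calling reaches_over_vpn for a VLAN host after adding a candidate prefix shows whether it does.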