
I want to set up a subnet-to-subnet VPN gateway with OpenVPN, which should look like this:

[gwA]===[devA1]===[ovpnServer]<---vpn--->[ovpnClient]===[devB1]===[gwB]

[gw?] are the default gateways of my subnets
[devA1] is the first of N computers on my openvpn server's subnet
[devB1] is the first of M computers on my openvpn client's subnet

This is not my first try with OpenVPN. I have done several configurations like this without running into a problem I could not resolve by myself. But this time, I have no more ideas.

I use tun interfaces on my OpenVPN nodes and have applied all the documentation on routing and firewalling correctly.

My problem is:
- I can ping ovpnClient from ovpnServer
- I can ping ovpnServer from ovpnClient
- I can ping ovpnClient from any devA?
- I can ping ovpnServer from any devB?
- I can ping any devA? from ovpnClient
- I can not ping any devB? from ovpnServer (1)
- I can ping any devA? from any devB?
- I can ping any devB? from any devA?
(1) But I can ping any devB? from ovpnServer if I use my ovpnServer's eth0 interface as the ping source interface ("ping -I ${lanIP} ${any-devB-IP}")

I'm not sure, but I suppose that my Linux ovpnServer system chooses tun0's IP as the IP from which to ping the devB? machines. If that is correct, then this does not work with that IP. But it works with eth0's IP as the ping source IP!

Any advice to make my routing fully work?

Here are my iptables rules:

ovpnServer >$ iptables --list-rules:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N f2b-sshd
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m set --match-set minuteman dst,dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m set --match-set minuteman dst,dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-ISOLATION -j RETURN
-A f2b-sshd -j RETURN

ovpnServer >$ iptables -t nat --list-rules:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.254.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN

ovpnClient >$ iptables --list-rules:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N f2b-sshd
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -p tcp -m set --match-set minuteman dst,dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m set --match-set minuteman dst,dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-ISOLATION -j RETURN
-A f2b-sshd -j RETURN

ovpnClient >$ iptables -t nat --list-rules:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.254.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
  • Can you make a list of what you need in the end without question marks (and without the word *not* - it's not clear what you mean by them)... And do you have a DHCP server on networks 1 & 2? You'll need it to send the routes to the computers – Anubioz Sep 11 '16 at 15:56
  • Sorry for using question marks. That's not clear. – TongTwist Sep 11 '16 at 15:57
  • I need my OpenVPN server to be able to establish connections with any of my client-side computers. I do not understand why it is not possible if my server-side computers can talk to client-side computers. I do not have DHCP, but I have gateways set to route to the other side's subnet via their OpenVPN node. – TongTwist Sep 11 '16 at 16:00
  • And can you please add some example IP subnets to make your question clearer. Like gw.A = 192.168.10.1, devA1=192.168.10.0/24, OpenVPNServer=192.168.10.100|10.10.0.1, OpenVPNClient=10.10.0.6|192.168.20.100, devB1=192.168.20.0/24, gwB=192.168.20.1 – Anubioz Sep 11 '16 at 16:01
  • It's not possible for them to talk to each other because they don't have the routes they need to establish a connection. You can set them either by using DHCP on the gateways, or manually for each PC in both networks (the OpenVPN server & client have routes set automatically, but the other PCs don't) ... I'll give you the commands as soon as you provide example IPs – Anubioz Sep 11 '16 at 16:03
  • gw.A=192.168.100.1/24 ; devA1=192.168.100.100/24 ; ovpnServer={eth0=192.168.100.2/24;tun0=10.8.0.1/24} ; gw.B=192.168.101.1/24 ; devB1=192.168.101.100 ; ovpnClient={eth0=192.168.101.2;tun0=10.8.0.4} – TongTwist Sep 11 '16 at 16:05
  • OK, now give me a moment; the routes should look like a matryoshka in the end :) – Anubioz Sep 11 '16 at 16:06
  • I want to make clear that everybody is able to talk to each other. I already have routes in my gateways, port forwarding ... Only the OpenVPN server has a restriction: I need to specify the use of the eth0 interface to make things work. If I don't specify it, the OpenVPN server cannot talk to client-side computers – TongTwist Sep 11 '16 at 16:17
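The symptom in the question (plain ping fails, `ping -I eth0` works) is a question of which source address the server's kernel selects and whether every hop on the reply path has a route back to that address. The following is an added example, not code from the question or the answer: a small Python model of longest-prefix-match routing, built from the addresses TongTwist gives in the comments above and the two routes `ip route add 192.168.101.0/24 via 10.8.0.4` (on the server) and `ip route add 192.168.100.0/24 via 10.8.0.1` (on the client) from the answer. The table for gwB is an assumption (its connected network plus a route for 192.168.100.0/24 via 192.168.101.2), as is devB1 using gwB as its default gateway; TongTwist says the gateways already carry routes, so replace the constructed tables with the real `ip route` output before drawing conclusions. The model deliberately ignores NAT (the MASQUERADE rules on the page match only `-o tun0`, so a packet forwarded out the client's eth0 keeps its source address) and OpenVPN's own internal routing (iroute), which sits between the two tun interfaces.

```python
"""Longest-prefix routing model for the subnet-to-subnet OpenVPN setup on this page.

Added example, not code from the question or the answer.  Route tables are
constructed from the addresses given in the comments; gwB's table and devB1's
default gateway are assumptions.
"""
from ipaddress import ip_address, ip_network

# Each route: (prefix, next hop or None if directly connected, interface, interface address)
ROUTES = {
    "ovpnServer": [
        ("192.168.100.0/24", None, "eth0", "192.168.100.2"),
        ("10.8.0.0/24", None, "tun0", "10.8.0.1"),
        ("192.168.101.0/24", "10.8.0.4", "tun0", "10.8.0.1"),          # route from the answer
        ("0.0.0.0/0", "192.168.100.1", "eth0", "192.168.100.2"),
    ],
    "ovpnClient": [
        ("192.168.101.0/24", None, "eth0", "192.168.101.2"),
        ("10.8.0.0/24", None, "tun0", "10.8.0.4"),
        ("192.168.100.0/24", "10.8.0.1", "tun0", "10.8.0.4"),          # route from the answer
        ("0.0.0.0/0", "192.168.101.1", "eth0", "192.168.101.2"),
    ],
    "gwB": [                                                           # ASSUMED minimal table
        ("192.168.101.0/24", None, "lan", "192.168.101.1"),
        ("192.168.100.0/24", "192.168.101.2", "lan", "192.168.101.1"), # route from the answer
    ],
    "devB1": [                                                         # ASSUMED: default via gwB
        ("192.168.101.0/24", None, "eth0", "192.168.101.100"),
        ("0.0.0.0/0", "192.168.101.1", "eth0", "192.168.101.100"),
    ],
}

# Address -> host that owns it, so the simulator can follow next hops.
OWNER = {
    "192.168.100.2": "ovpnServer", "10.8.0.1": "ovpnServer",
    "192.168.101.2": "ovpnClient", "10.8.0.4": "ovpnClient",
    "192.168.101.1": "gwB",
    "192.168.101.100": "devB1",
}


def lookup(host, dst):
    """Most specific route on `host` matching `dst`, or None if the host has no route."""
    dst = ip_address(dst)
    best = None
    for route in ROUTES[host]:
        net = ip_network(route[0])
        if dst in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = route
    return best


def source_address(host, dst, iface=None):
    """Source address the kernel picks for locally generated traffic to `dst`.

    Without `-I`, the address of the interface the selected route uses is chosen
    (tun0 -> 10.8.0.1 for the client-side LAN).  With `ping -I eth0`, the address
    of that interface is used instead.
    """
    if lookup(host, dst) is None:
        return None
    if iface is not None:
        return next(addr for _, _, dev, addr in ROUTES[host] if dev == iface)
    return lookup(host, dst)[3]


def trace(src_host, dst, max_hops=8):
    """Follow a packet for `dst` hop by hop.  Returns (delivered, [hosts visited])."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        if OWNER.get(dst) == host:
            return True, path
        route = lookup(host, dst)
        if route is None:
            return False, path                      # this hop has no route: packet dropped here
        via = route[1]
        nxt = OWNER.get(via if via is not None else dst)
        if nxt is None:
            return False, path
        path.append(nxt)
        host = nxt
    return False, path


def round_trip(src_host, dst, iface=None):
    """Outbound path to `dst` and the reply path back to the chosen source address."""
    src = source_address(src_host, dst, iface)
    fwd_ok, fwd = trace(src_host, dst)
    rev_ok, rev = trace(OWNER[dst], src)
    return {"source": src, "forward": fwd, "forward_ok": fwd_ok,
            "reply": rev, "reply_ok": rev_ok}


if __name__ == "__main__":
    for iface in (None, "eth0"):
        r = round_trip("ovpnServer", "192.168.101.100", iface)
        label = "ping -I eth0" if iface else "plain ping "
        print(f"{label}: src={r['source']}  out: {'->'.join(r['forward'])} ({r['forward_ok']})"
              f"  reply: {'->'.join(r['reply'])} ({r['reply_ok']})")
```

With the constructed tables the outbound path is the same in both cases (ovpnServer -> ovpnClient -> devB1), but the reply for the plain ping stops at gwB, the first hop that has no route for 10.8.0.1, while the reply to 192.168.100.2 completes via ovpnClient. The value of the model is the per-hop trace: whichever host prints as the last entry of a failed reply path is the one whose real routing table to check with `ip route get <address>`.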

1 Answer


So you need to set the following routes & allow forwarding on both OpenVPN nodes:

On OpenVPNServer:

ip route add 192.168.101.0/24 via 10.8.0.4
iptables -t nat -I POSTROUTING -o tun0  -j MASQUERADE
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

On OpenVPNClient:

ip route add 192.168.100.0/24 via 10.8.0.1
iptables -t nat -A POSTROUTING -o tun0  -j MASQUERADE
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

On gwA:

ip route add 192.168.101.0/24 via 192.168.100.2

On gwB:

ip route add 192.168.100.0/24 via 192.168.101.2

And make sure you have the following lines in the OpenVPNServer configuration file (server.conf):

# server.conf
route 192.168.101.0 255.255.255.0          # kernel route for the client-side LAN, pointing at tun0 (no "add" keyword)
push "route 192.168.100.0 255.255.255.0"   # tell the client how to reach the server-side LAN
client-to-client
client-config-dir ccd                      # iroute is only accepted in a per-client file, not in server.conf

# ccd/<client-common-name>
iroute 192.168.101.0 255.255.255.0         # map the client-side LAN to this client inside OpenVPN's own routing
  • My problem remains. How is it that my server is not able to make connections for itself but at the same time is able to route everything else? – TongTwist Sep 11 '16 at 16:44
  • @TongTwist It's an iptables issue for sure, can you post `iptables --list-rules && iptables -t nat --list-rules` for ovpnClient & ovpnServer please? – Anubioz Sep 11 '16 at 16:48
  • I just updated my question by adding my iptables rules – TongTwist Sep 11 '16 at 17:01
  • There are *several* iptables modes, each of them is important. So please add `iptables -t nat --list-rules` too - it's a different command... – Anubioz Sep 11 '16 at 17:07
  • OK, done. I did it but mixed normal and nat rules. Sorry. – TongTwist Sep 11 '16 at 17:11
  • So are your interfaces called docker0 & tun0? You should have used `docker0` instead of `eth0` in those rules I had posted - like `iptables -A FORWARD -i tun0 -o docker0 -j ACCEPT` ... – Anubioz Sep 11 '16 at 17:19
  • docker0 is my bridge interface for Docker. I am not trying to make connections between dockerized apps and client-side PCs. I just need, for example, to ping a client-side PC from my ovpnServer "as is" (i.e. without specifying any interface to the ping command). docker0 is never involved – TongTwist Sep 11 '16 at 17:23
  • Can you execute `iptables -D FORWARD -j DOCKER-ISOLATION` `iptables -D FORWARD -o docker0 -j DOCKER` `iptables -D FORWARD -p tcp -m set --match-set minuteman dst,dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable` & `iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER` please? Or simply delete all rules which have `RETURN` in them... – Anubioz Sep 11 '16 at 17:44
  • Done. No difference – TongTwist Sep 11 '16 at 17:51
  • OK, there is yet another option, directly supported by OpenVPN - iroute [1](https://www.ossramblings.com/openvpn_route_both_ways) [2](https://community.openvpn.net/openvpn/wiki/RoutedLans). Added to the answer... – Anubioz Sep 11 '16 at 23:41