
All users can connect to the host where OpenVPN runs, but only some users can jump to other hosts in the LAN. For example, user foo can reach host 10.2.0.1/32 (where OpenVPN runs) and the hosts at 10.0.0.0/24, but user bar can reach only the host 10.2.0.1/32.

For both users, the routing table is the same:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    302    0        0 wlan0
10.1.0.0        10.2.0.5        255.255.255.128 UG    0      0        0 tun0
10.2.0.1        10.2.0.5        255.255.255.255 UGH   0      0        0 tun0
10.2.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0

To generate the client's key I run

cd /usr/share/easy-rsa/2.0
source vars
./build-key --batch foo

The /etc/openvpn/server.conf file has

; server
mode       server
port       1194
proto      udp
dev        tun
keepalive  10 120


; networking
server     10.2.0.0 255.255.255.0
ifconfig   10.2.0.1 255.255.255.0
push       "route 10.1.0.0 255.255.255.128"
ifconfig-pool-persist ipp.txt

The server is a CentOS 7 (x86_64) running OpenVPN 2.3.11 and Easy RSA 2.2.2.

  • What is the question? – rda Dec 27 '16 at 08:37
  • Why can some users connect and others not? – facundobianco Dec 27 '16 at 19:07
  • I think it has nothing to do with your VPN configuration. Also, no route to `10.0.0.0/24` is in the routing table, so the hosts must be somehow reachable via the default gateway. Maybe `traceroute` or `ip route get` helps. – rda Dec 27 '16 at 20:21
  • I just discovered this issue appears when tun0's IP is greater than 10.2.0.28/30. I think I should configure the IP assignment manually in the CCD (Client Configuration Directory). – facundobianco Jan 04 '17 at 22:20

1 Answer


My bad: the issue was a POSTROUTING rule in iptables. It was

-A POSTROUTING -s 10.2.0.0/27 -o eno1 -j MASQUERADE

And it should be

-A POSTROUTING -s 10.2.0.0/24 -o eno1 -j MASQUERADE
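As an added check (not part of the original question or answer), the script below parses the source network of each MASQUERADE rule and lists which addresses of the `server 10.2.0.0 255.255.255.0` pool the rule does not source-NAT; it also assumes OpenVPN 2.3's default net30 topology (one /30 per client, client address third in the /30) to show why the clients after the 10.2.0.28/30 pair were the ones that broke.

```python
import ipaddress
import re

# Constructed sample: the two rules quoted in the answer, in iptables-save form.
RULE_BEFORE = "-A POSTROUTING -s 10.2.0.0/27 -o eno1 -j MASQUERADE"
RULE_AFTER = "-A POSTROUTING -s 10.2.0.0/24 -o eno1 -j MASQUERADE"

# The address pool OpenVPN hands out, from `server 10.2.0.0 255.255.255.0`.
VPN_POOL = ipaddress.ip_network("10.2.0.0/24")

_SRC_RE = re.compile(r"-s\s+(\S+)")


def masquerade_sources(rules):
    """Source networks (-s) of every MASQUERADE rule in an iptables-save listing."""
    nets = []
    for line in rules.splitlines():
        if "-j MASQUERADE" not in line:
            continue
        m = _SRC_RE.search(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def uncovered_clients(pool, rules):
    """Pool addresses that no MASQUERADE rule would source-NAT (LAN unreachable)."""
    nets = masquerade_sources(rules)
    return [ip for ip in pool.hosts() if not any(ip in n for n in nets)]


def net30_client_addrs(pool, count):
    """Client addresses under the default net30 topology (assumption, not from the
    page): the first /30 belongs to the server, each later /30 serves one client,
    whose address is the third one in it (the second is the server-side peer)."""
    subnets = list(pool.subnets(new_prefix=30))
    return [sub[2] for sub in subnets[1:1 + count]]


def first_broken_client(pool, rules, count=8):
    """First net30 client whose address the NAT rule misses, or None if all are covered."""
    missing = set(uncovered_clients(pool, rules))
    for addr in net30_client_addrs(pool, count):
        if addr in missing:
            return str(addr)
    return None


if __name__ == "__main__":
    print("before:", first_broken_client(VPN_POOL, RULE_BEFORE))  # 10.2.0.34
    print("after: ", first_broken_client(VPN_POOL, RULE_AFTER))   # None
```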