
I want to access each client of an OpenVPN server over SSH from the server itself.

I don't want to enable the client-to-client setting since I don't want each client to talk to each other. I also don't want to access machines on subnets of the clients themselves, just the actual machines.

I was able to set up a tunnel and I can ssh from a client to the server, but cannot do the opposite.

  • IP of the server over VPN: 10.4.0.1

From ipp.txt:

  • IP of the client A over VPN: 10.4.0.4
  • IP of the client B over VPN: 10.4.0.8

Server config:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh /etc/openvpn/rsa/keys/dh2048.pem
server 10.4.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.31.0.0 255.255.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

/etc/sysconfig/iptables of the server:

*nat
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.4.0.0/24 -d 0.0.0.0/0 -o eth0 -j MASQUERADE
COMMIT

client.conf

client
remote <serverIP> 1194
proto udp
dev tun
persist-key
persist-tun
cipher AES-256-CBC
remote-cert-tls server
resolv-retry infinite
nobind
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

In the configs: ipv4.ip_forward = 1

from B: `ssh user@10.4.0.1` works
from server: `ssh user@10.4.0.8` doesn't

I tried telnet on port 22 and it fails. Machine A is on Ubuntu, Machine B is on OS X, Server is on AWS EC2.

Let me know if you need any other information.

Edit: Solved. Simply adding `topology subnet` to both config files did the trick!

Pico
  • Are you sure you are connecting to the right IP? I am not sure the address you see in the IPP is the actual address used on the client. You seem to be in net_30 topology where addressing is a bit weird. You might want to consider switching to `topology subnet`, which is better unless you are supporting ancient clients. – Zoredache May 11 '17 at 20:27
  • @Zoredache I'll check that out right away and get back to you. – Pico May 11 '17 at 20:29
  • @Zoredache that fixed the issue! I spent so much time on this.. Thank you for your help – Pico May 11 '17 at 20:34
  • Ok, I added that as an answer with a bit more detail. – Zoredache May 11 '17 at 20:45

1 Answer


Are you sure you are connecting to the right IP? I am not sure the address you see in the IPP is the actual address used on the client. You seem to be in net_30 topology where addressing is a bit weird. In this topology a /30 subnet is created for each client, and a point-to-point link is created. So your address of 10.4.0.4 in the ipp file was really the network address of the assigned /30 subnet. You probably would have been able to ping and connect to 10.4.0.6 to connect to the system that reported 10.4.0.4 in the ipp file.

But ignoring all that net_30 weirdness, the easiest solution that you should consider would be to switch to topology subnet, which is best mode unless you are supporting ancient clients. It acts more or less like any other network you would normally use where one address is assigned to each client, and they all have the same mask.

Zoredache
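As an added example (not part of the question or the answer above), the following script turns ipp.txt entries into the address the server should actually ssh to, applying the net30 rule the answer describes (the recorded address is the /30's network address and the client end is network+2) and the plain one-address-per-client rule for `topology subnet`. The ipp.txt lines and common names are constructed samples that mirror the post's figures.

```python
#!/usr/bin/env python3
"""Resolve the address a VPN client really uses from an ipp.txt entry.

Under OpenVPN's default net30 topology each client is handed a /30 from
the pool: ipp.txt records the network address of that /30, the server's
end of the point-to-point link is network+1 and the client's end is
network+2. Under 'topology subnet' the recorded address is the client's
own address and can be used directly.
"""
import ipaddress

# Constructed sample ipp.txt content (format: common_name,address).
SAMPLE_IPP = """\
clientA,10.4.0.4
clientB,10.4.0.8
"""


def parse_ipp(text):
    """Return {common_name: recorded pool address} from ipp.txt content."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")            # newer builds may append an IPv6 field
        entries[parts[0]] = ipaddress.IPv4Address(parts[1].strip())
    return entries


def client_address(pool_addr, topology="net30"):
    """Address to reach the client at, given the server's topology setting."""
    if topology == "subnet":
        return pool_addr                   # one host address per client
    if topology == "net30":
        # ipp.txt holds the /30 network address; the client end is +2.
        if int(pool_addr) % 4 != 0:
            raise ValueError(f"{pool_addr} is not a /30 network address")
        return pool_addr + 2
    raise ValueError(f"unsupported topology {topology!r}")


def reachable_addresses(ipp_text, topology="net30"):
    """Map each common name to the address an ssh from the server should target."""
    return {cn: str(client_address(addr, topology))
            for cn, addr in parse_ipp(ipp_text).items()}


if __name__ == "__main__":
    for topo in ("net30", "subnet"):
        print(topo, reachable_addresses(SAMPLE_IPP, topo))
```

For the post's net30 setup this yields 10.4.0.6 and 10.4.0.10 as the client endpoints, which is why `ssh user@10.4.0.8` could not connect while the same name resolves to the usable address once `topology subnet` is in place.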