
Goal: Make 192.168.2.* Accessible from 192.168.0.*

Situation: I have a remote site (Network B) with an OpenVPN server built into the router. On my end I have a network (Network A) with a VPN client connected to the remote site (Network B). The host with the VPN client can ping all systems in both networks.

Question: How can I get hosts on Network A to communicate with hosts on Network B by first routing them through the host with the VPN client? Note: I don't want them to each have their own VPN client.

Here is a diagram I created to make it more clear: https://networkengineering.stackexchange.com/questions/59630/using-vpn-make-192-168-2-accessible-from-192-168-0

I tried the following:

On each machine in 192.168.0.* (Network A) a default gateway will be added as shown below.

$ route add default gw 192.168.0.3

On GATEWAY (this has my VPN client), add the following routing entry.

$ route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.47

At this point I hoped the machines in Network A could ping Network B, but they are unable to.

etho201

2 Answers


You could route all the traffic except the Internet traffic from site B with a site-to-site OpenVPN. The site-to-site VPN will add the default route for the 192.168.0.0/24 network, and the default route will be added to your gateway routing table so that each host is effectively routed through the correct gateway.

We tried it on a network with two pfSense VMs (ver 2.4.4) and it was doing well. Site A was the server and site B was the client for the site-to-site connection! Site B was routing all traffic through the VPN, but we switched it back to route all HTTP/HTTPS traffic to each WAN of both sites.


I figured it out. I had to configure the iptables on the VPN client to act as a NAT with the MASQUERADE option, then I needed to add the VPN client's IP address on the respective interface as the default gateway on each system within that network.

Allow machines on the internal network (Network A) to communicate out to the external network (Network B)

You need to configure iptables to forward the packets from your internal network on eth1 (backend), to your external network on tun0 (remote).

  1. On the machine running the VPN client:

     iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
     iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT

  2. On each machine within your internal network:

     route add default gw 192.168.0.3

  3. Now the machines on Network A can ping/communicate with Network B.

Allow machines on the external network to communicate with your internal network

You need to configure iptables to forward the packets from your external network (Network B) on tun0 (remote), to your internal network (Network A) on eth1 (backend).

  1. On the machine running the VPN client:

     iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
     iptables -A FORWARD -i eth1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT

  2. On each remote machine:

     route add default gw 192.168.2.47

  3. Now the machines on Network B can ping/communicate with Network A.
etho201
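The rule set the accepted answer arrives at forwards in both directions unconditionally and does not mention enabling IP forwarding, without which the FORWARD chain is never consulted. The script below is an added example, not the poster's code; it sets the VPN-client host up as a stateful, default-deny NAT gateway for the Network A to Network B direction, taking the interface names (eth1, tun0) and subnets from the thread as assumptions.

```sh
#!/bin/sh
# Added example (not the poster's code): turn the VPN-client host into a stateful,
# default-deny NAT gateway from the LAN (eth1, 192.168.0.0/24) to the remote site
# (tun0, 192.168.2.0/24). Interface names and subnets are assumptions taken from
# the thread; override them via the environment. DRY_RUN=1 prints instead of applying.
LAN_IF="${LAN_IF:-eth1}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when DRY_RUN=1 so the rule set can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Append a rule only if it is not already present (iptables -C checks for it),
# so re-running the script does not pile up duplicate rules.
ipt_add() {
  table="$1"; shift
  if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
    run iptables -t "$table" -A "$@"
  fi
}

configure_gateway() {
  # The FORWARD chain is never consulted while forwarding is off; the rules in the
  # answer do nothing on a host where this sysctl is still 0.
  run sysctl -w net.ipv4.ip_forward=1

  # Default-deny forwarding; everything below is an explicit exception.
  run iptables -P FORWARD DROP
  ipt_add filter FORWARD -m conntrack --ctstate INVALID -j DROP
  # Replies to connections the LAN opened through the tunnel.
  ipt_add filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # New connections only from the LAN prefix and only to the remote prefix, so the
  # gateway cannot be used to reach arbitrary destinations over the tunnel.
  ipt_add filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$REMOTE_NET" -m conntrack --ctstate NEW -j ACCEPT
  # Masquerade only the LAN prefix behind the tunnel address.
  ipt_add nat POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

# Usage: sudo sh gateway.sh apply   (or DRY_RUN=1 sh gateway.sh apply to preview)
case "${1:-}" in apply) configure_gateway ;; esac
```

Hosts on Network A still need 192.168.0.3 as their gateway (or a specific route for 192.168.2.0/24 via it), as in the answer; the remote side needs no NAT for this direction because the LAN is hidden behind the tunnel address.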