
This weekend I was working on a VPN connection between my two Raspberry Pis (B and the new model 2). I chose OpenVPN for it. Both are running Raspbian Wheezy.

So my setup is as follows:

|B| is at home connected to the internet (DSL, static IP). The other Pi |2| I'm carrying with me. It's connected to the internet via a UMTS router. That works unexpectedly well :) At home on the |B| I've got a server running and the |2| logs into it without any problems.

My question for you guys is: how do I connect from my local network (the same one as Pi |B|), say from my iPhone, to the |2|, which already has a connection open to the |B|?

I configured my server like this:

dev tun
proto udp
port 34345
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1 bypass-dhcp"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
duplicate-cn
keepalive 10 120

and that's my client config:

dev tun
client
proto udp
remote {myIP} 34345 #same port as on the server
resolv-retry infinite
nobind
persist-key
persist-tun
ca /home/pi/vpn/ca.crt
cert /home/pi/vpn/raspi.crt
key /home/pi/vpn/raspi.key
comp-lzo
verb 3

As I said, the connection works well, and if I issue "curl www.echoip.net/plain" from within the console on the new Raspberry I get my static IP address back. So I guess in general it works.

I already tried to access 10.8.0.*, but this didn't work and I can't think why.

Any ideas?

Thanks in advance, Felix

EDITED AGAIN:

The server log shows the following after successful authentication when the raspi connects:

Tue Mar  3 18:59:00 2015 2.240.44.246:26966 [raspi] Peer Connection Initiated with [AF_INET]2.240.44.246:26966
Tue Mar  3 18:59:00 2015 raspi/2.240.44.246:26966 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=e8b6:d1be:808e:f8b6:34bb:fdb6:4405:79b8
Tue Mar  3 18:59:00 2015 raspi/2.240.44.246:26966 MULTI: Learn: 10.8.0.6 -> raspi/2.240.44.246:26966
Tue Mar  3 18:59:00 2015 raspi/2.240.44.246:26966 MULTI: primary virtual IP for raspi/2.240.44.246:26966: 10.8.0.6
Tue Mar  3 18:59:02 2015 raspi/2.240.44.246:26966 PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar  3 18:59:02 2015 raspi/2.240.44.246:26966 send_push_reply(): safe_cap=960
Tue Mar  3 18:59:02 2015 raspi/2.240.44.246:26966 SENT CONTROL [raspi]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

The output on the client RPi 2 looks like this (again, after a successful authentication):

Tue Mar  3 18:59:00 2015 [server] Peer Connection Initiated with [AF_INET]2.240.44.246:34345
Tue Mar  3 18:59:02 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Mar  3 18:59:02 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Mar  3 18:59:02 2015 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar  3 18:59:02 2015 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar  3 18:59:02 2015 OPTIONS IMPORT: route options modified
Tue Mar  3 18:59:02 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar  3 18:59:02 2015 ROUTE default_gateway=192.168.2.201
Tue Mar  3 18:59:02 2015 TUN/TAP device tun0 opened
Tue Mar  3 18:59:02 2015 TUN/TAP TX queue length set to 100
Tue Mar  3 18:59:02 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Mar  3 18:59:02 2015 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Tue Mar  3 18:59:02 2015 /sbin/route add -net 2.240.44.246 netmask 255.255.255.255 gw 192.168.2.201
Tue Mar  3 18:59:02 2015 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Mar  3 18:59:02 2015 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Mar  3 18:59:02 2015 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Tue Mar  3 18:59:02 2015 Initialization Sequence Completed

On the server side, ifconfig returns the following in addition to lo and eth0:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1907 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1820 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:245870 (240.1 KiB)  TX bytes:1046186 (1021.6 KiB)

On the client side it looks like this:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.10  P-t-P:10.8.0.9  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:76 (76.0 B)  TX bytes:380 (380.0 B)

Here is an image of the structure: https://i.stack.imgur.com/z9QUs.jpg

FlixMa
  • What does the OpenVPN log show when you try to connect from RPi B to RPi 2 server? – Arshan Mar 03 '15 at 06:22
  • Just to make sure: the server is the old model B and the client therefore the new RPi 2. I edited the question accordingly. Thanks – FlixMa Mar 03 '15 at 06:46
  • The log shows that the connection is initiated with the iPhone. Do you get the same messages when you connect the RPi as client? And what error do you get on the iPhone? – Arshan Mar 03 '15 at 07:41
  • I don't get any errors. That's not my problem. The connection works fine, but I don't know what IP address I should enter to ssh into the client Pi using the iPhone, for example, while being in the local net in which the server is located as well (iPhone: 192.168.2.239; server Pi: 192.168.2.236). The log for the RPi is exactly the same. It just uses another client certificate. I'll try to improve my question when I'm back home this evening. – FlixMa Mar 03 '15 at 08:21
  • So I finally managed to add the client and server output, this time using the raspi as client (I was quite in a hurry this morning, that's why I used my phone first). – FlixMa Mar 03 '15 at 18:32

1 Answer


In order to access your RPi |2| client from other VPN clients (in your case it's the iPhone), you must know the IP address of the RPi |2| client. In your current scenario, a dynamic IP address is assigned to the RPi |2| client each time it establishes a new connection with the server.

To solve this issue, a static IP address must be used for the RPi |2| client. The procedure for setting a static IP address for a particular client can be found here.

Arshan
  • So I read the linked page, but does this really fix my problem? It just prevents my Pi from getting different IP addresses each time it logs onto the OpenVPN server. In general I just need to know which IP address I should enter if I want to connect to the raspi |2| (it doesn't matter if it's dynamic; I can read the log for the first simple tests). – FlixMa Mar 04 '15 at 18:30
  • I added an image to the question. Could you tell me how to connect from my PC or iPhone (doesn't matter; same network) via the tunnel to the raspberry Pi 2? Or can I at least jump via ssh to my server Pi and from there again to raspi 2? – FlixMa Mar 04 '15 at 20:36
  • I posted this answer because the server config you posted shows the 'client-to-client' option, which allows traffic between VPN clients. It means that the only thing you need is the clients' IPs. As shown in the link that I posted, the IP of the Pi 2 can be fixed, so you can ssh to the Pi 2 using the iPhone. Is your iPhone able to ping the Pi 2 when both are connected as VPN clients? – Arshan Mar 05 '15 at 12:52
  • Thanks, your approach worked perfectly :) I didn't know that I have to be on the VPN net with the other client as well. Now everything works as it should! – FlixMa Mar 05 '15 at 20:21
  • Thanks. I would suggest you change the title of this post to something like "OpenVPN: How to connect clients with each other?" or so, so that others can benefit from this post. – Arshan Mar 06 '15 at 09:58
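A worked version of the static-address approach the answer points to, added here as an example; it is not part of the original question, the answer, or the page the answer links to. It uses OpenVPN's client-config-dir and ifconfig-push directives, keyed on the client certificate's common name. It assumes the server keeps the "topology net30" it pushes in the logs above, so each client owns a /30 block: the client endpoint is 4n+2 and the server-side endpoint 4n+1 (n=1 gives the 10.8.0.6/10.8.0.5 pair in the server log, n=2 the 10.8.0.10/10.8.0.9 pair in the client's ifconfig). The CN "raspi" comes from the "[raspi]" tag in the server log; the paths /etc/openvpn/server.conf and /etc/openvpn/ccd are guesses, not taken from the question. Two things worth checking before relying on the pinned address: the posted server config has duplicate-cn, which lets several sessions present the same certificate and therefore the same CN, so each of them would be pushed the same address; and OpenVPN does not subtract pinned addresses from the dynamic pool, which hands out /30 blocks from the bottom of the subnet upward (the first client got 10.8.0.6), so a high block index is the least likely to collide with a dynamically assigned client.

```shell
#!/bin/sh
# Added example: pin a fixed VPN address to the OpenVPN client whose certificate
# CN is "raspi", via client-config-dir / ifconfig-push. Paths are assumptions.
set -eu

SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"   # assumed location of the posted server config
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"                   # assumed per-client config directory
VPN_NET="10.8.0"                                         # from "server 10.8.0.0 255.255.255.0" in the question

# topology net30: block n (1..62 inside the /24; block 0 is the server's own
# 10.8.0.1/10.8.0.2 pair) gives client endpoint 4n+2 and server endpoint 4n+1.
# Prints "<client> <server>", the argument order ifconfig-push expects.
net30_pair() {
    n="$1"
    [ "$n" -ge 1 ] && [ "$n" -le 62 ] || { echo "net30 block index out of range: $n" >&2; return 1; }
    echo "${VPN_NET}.$((4 * n + 2)) ${VPN_NET}.$((4 * n + 1))"
}

# Body of the ccd file for one client. The file name must equal the CN in the
# client certificate (the server log shows "[raspi]" for this client).
ccd_entry() {   # usage: ccd_entry <cn> <net30 block index>
    pair="$(net30_pair "$2")"
    printf '# pinned address for CN %s\nifconfig-push %s\n' "$1" "$pair"
}

# duplicate-cn lets several sessions share one certificate, so a per-CN pinned
# address would be pushed to every one of them. Returns 1 if the option is set.
check_duplicate_cn() {   # usage: check_duplicate_cn <server config file>
    if grep -Eq '^[[:space:]]*duplicate-cn' "$1"; then
        echo "warning: duplicate-cn in $1 conflicts with per-CN static addresses" >&2
        return 1
    fi
    return 0
}

# Write the ccd file and make sure the server knows where the ccd directory is.
# Needs root for the assumed /etc paths; restart the server afterwards.
install_ccd() {   # usage: install_ccd <cn> <net30 block index>
    check_duplicate_cn "$SERVER_CONF" || true   # warn, do not abort
    mkdir -p "$CCD_DIR"
    ccd_entry "$1" "$2" > "$CCD_DIR/$1"
    grep -Eq '^[[:space:]]*client-config-dir' "$SERVER_CONF" \
        || echo "client-config-dir $CCD_DIR" >> "$SERVER_CONF"
}

# Example invocation (block 60 = 10.8.0.242/10.8.0.241, far above what the pool
# has handed out so far):  install_ccd raspi 60
```

After the server restart, the raspi client is pushed the same address on every connection, and another VPN client (the iPhone, once it is itself connected and client-to-client is in effect) reaches it at that address rather than at whatever the pool chose last.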