Linux – Automatically setup routing after OpenVPN connection

iptableslinuxopenvpnroutingvpn

I'm using Debian 6 as my server, I have configured OpenVPN server there, and clients are connecting successfully using tap mode. This server is available from the internet, but It's also connected to internal network.

Local LAN: 192.168.3.0/24 – eth0 on OpenVPN server
OpenVPN clients: 192.168.199.0/24 – tap0 on OpenVPN server

It would be great if someone could give mi steps I have to follow to allow clients who connect to OpenVPN server to see and be able to connect to each machine within LAN where OpenVPN server is located (192.168.3.0/24 network).
It would be perfect if you could tell me how to setup this routing automatically after client connects.

Best Answer

If you really need a TAP-style connection, you would need to specify the server-bridge option without further parameters - this would enable bridging mode and OpenVPN pass on DHCP requests (DHCP proxy mode). You also would need to bridge your tun interface with whatever your LAN interface is using brctl:

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 tun0
ifconfig br0 inet 192.168.3.99 netmask 255.255.255.0

see the server-bridge option description in the OpenVPN documentation for details.

But honestly, you should rather route than bridge whenever possible - it allows for better debugging and less unnecessary network noise (broadcasts) transmitted through your VPN.

For this case, a config file containing the push "route 192.168.3.0 255.255.255.0" on the server and the accompanying client-style config file (specifying the client option) would do. Example:

local <your public IP address>
port <your OpenVPN port>
proto udp
dev tun0
# reduce MTU if necessary
# tun-mtu 1400

# place your cert/key/DH paths here
ca keys/ca.crt
cert keys/server.crt
key keys/private/server.key
dh keys/dhparm.pem

# OpenVPN client network
server 192.168.99.0 255.255.255.0

# push client route
push "route 192.168.3.0 255.255.255.0"

keepalive 10 60

status /var/log/openvpn-status.log

daemon

# logging options
verb 4
mute 20

See the documentation for details on option parameters.

Related Solutions

Linux – OpenVPN + iptables / NAT routing

Can you post the output of ip route show table main and ip route show table 200? I suspect you are missing a couple routes in your '200' table. Your '200' route table should have pretty much the same routes as the 'main' table the only difference being the default route.

I see that you updated, and I believe my original suggestion was correct. Notice how your main table has the 'scope link' route for both your local network and the vpn link? Those routes have to be added to the '200' table as well.

Try running these commands in addition to the other commands you use.

ip route add 192.168.2.0/24 dev tap0  proto kernel  scope link  src 192.168.2.4 table 200
ip route add 192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.101  metric 2 table 200
ip route flush cache

If you want to script the creation of these routes you can use this. It will copy all the 'scope link' routes from the main route table into your other table.

#!/bin/bash
IFACE=wlan0
RT=200
/sbin/ip route list scope link table main proto kernel dev ${IFACE} \
| while read ROUTE ; do
    # and add that route to all the tables mentioned in the rrtables option
    # in the interfaces file
    /sbin/ip route add table ${RT} scope link proto kernel dev ${IFACE} ${ROUTE}
done

Another update. I just noticed I missed something rather obvious earlier.

Your MASQ statement seems to be working on eth0. From the route tables you posted, your output device isn't eth0. Instead of this.

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

You probably should just use a statement like this.

iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

Openvpn ping to lan clients

you're doing it wrong.

1st - use layer 3 connections instead of layer 2 for vpn. Saves traffic.

2nd - use brouting to get the trick done with proxy-arp and assing ip addresses from the local subnet to the vpn clients - so they just appear as they're local

3rd - or use routing and set the route to the clients in the 10.22.8/24 subnet on all systems in the 192.168.1.0/network OR just use the vpn system as the default gateway to avoid routing problems...

Using brouting:

Enable proxy_arp on the linux router: echo 1 > /proc/sys/net/ipv4/conf/proxy_arp
Add the route of the subnet to eth0 if not happened automagically
Add the route of a subnet of the local subnet to the tun device from openvpn.

Lets say we're going to use the last 16 IP-addresses for the hosts on the vpn (192.168.1.240 - 192.168.1.255) that means we have a 28 bits subnet 192.168.1.240/28. Create the tun device static (openvpn --mktun) and then add the route for the vpn subnet to the device ip route add 192.168.1.240/28 dev tun0

After this, and after enabling ip forwarding and proxy arp the linux system will "broute" all requests from the local clients to the clients at the vpn end and vice versa.

And you have an layer 3 vpn (faster, less traffic) with layer 2 connectivity and fully transparent access to all systems.

Filtering and everything else can be done via iptables.

KR,

Gromit

Best Answer

Related Solutions

Linux – OpenVPN + iptables / NAT routing

Openvpn ping to lan clients

Related Topic