Linux – How to create routes for an OpenVPN tunnel

google-cloud-platformlinuxopenvpnroutingwindows

I have three instances created in google cloud platform, one of them hosts a linux system and the other a windows 2012 r2 server, I have already created the vpn tunnel between my client and my linux instance, the question here is what is it I have to do to be able to connect via RDP to my windows servers, the ip addresses of the instances are as follows:

Instance with OpenVpn installed:

Internal network interface, eth0: 10.128.0.3
Openvpn interface, tun0 10.8.0.1
Ip publishes 104.154.145.xxx

Windows server instance:

Internal network interface, eth0: 10.128.0.2
Ip publishes 35.184.137.xxx

Windows server instance:

Internal network interface, eth0: 10.128.0.3
Ip publishes 35.184.137.xxx

When I connect as a client, the OpenVpn service gives me ip: 10.8.0.6.

I'd like to connect to the Windows servers by RDP.

I believe it is related to some routing issue but I'm not sure, can you please assist?

Best Answer

I read all communications with Itai. Along with configuring routing in OpenVPN configuration file and Windows machine, you should enable forwarding on your Linux machine, to enable it, just add net.ipv4.ip_forward=1 to /etc/sysctl.conf and execute sysctl -p. After this you should add iptables rule by command iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE. It should be enough.

Don't forget to save iptables configuration by command service iptables save.

Related Solutions

Openvpn – HowTo access Samba Share over VPN Tunnel

Probably you need to allow access to your samba server from the ip class of your vpn. You need to find (or insert) the following line in your /etc/samba/smb.conf file

interfaces = 127.0.0.0/8 10.8.0.0/24

Don't forget to add every ip class that should have access to the shares.

Then reload your samba server

sudo service smbd reload
sudo service nmbd reload

OpenVPN – Configure Multiple Clients on the Same Host

You would need to elaborate somewhat further what it is you are trying to do. A rough sketch with IP addresses of the hosts involved and a listing of your routing table(s) would help a lot understanding your problem.

my server doesn't seem to configure the tun0 device properly

It is possible for an ifconfig command to fail - maybe you should check the logs for that and post the relevant excerpts.

I want to set up the dual client box such that a computer whose gateway is set to eth0:0 gets all their traffic routed through one OpenVPN tunnel, and a computer whose gateway is set to eth0:1 gets all their traffic routed through a different OpenVPN tunnel

ip rule add from $IP_ETH00 table us_table

That's probably not the best way to achieve what you really want - which seems to be different routes for different clients. While it is possible to add iptables -t mangle rules to mark packets for different criteria, there would be no set of criteria being able to distinguish between eth0:0 and eth0:1 as the input interface (which is due to the way IP aliasing is implemented).

What you can do however is simply set up something like

ip rule add from <ip-of-your-client-for-the-us-table> table us_table

which would eliminate the need for IP aliases in your configuration entirely since the routing decision would be done based on source and destination IP addresses, no matter which interface the packet came in at.

copy_routing_table "us_table"

You've omitted the source of copy_routing_table - if it does what I suspect it does, you would end up with your entire main routing table in us_table. If your main routing table already contains routes potentially conflicting with what you're defining in the script, you might end up using them instead of your newly-added routes. This is especially a concern since you are adding a new default route in your up-script:

 ip route add default via $4 table us_table

As you already have a default route in your "main" table and add another one "via $4" (which is wrong BTW, as $4 would represent a local IP address of the router's own tun interface - you should use "dev $1" instead) without deleting the old route. You should prepend ip route del default table us_table here - and probably something similar for the other routes you add as well.

And this here:

From 192.168.1.133: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.1)

is a message from 192.168.1.133 which is getting the packet for 98.137.149.56 (yahoo.com) and routing it out through 192.168.1.1. Since 192.168.1.133 knows (by evaluation of the interface netmask) that your host is in the same network as 192.168.1.1, you get notified to use 192.168.1.1 directly in the first place.

Best Answer

Related Solutions

Openvpn – HowTo access Samba Share over VPN Tunnel

OpenVPN – Configure Multiple Clients on the Same Host

Related Topic