Linux – multiple openVPN instances – tun1 fails

Tags: linux, openvpn, Ubuntu

Various resources are on the below LAN, one of which is a Linux OpenVPN server. For complicated reasons, I have to run 2 OpenVPN server instances, VPN1 and VPN2. VPN1 works great, hands out 10.8.0.x tun0 IPs to connecting clients. Clients are then able to access any resources on the 192.168.44.x LAN; all is well.

VPN2 is set up using the ifconfig directive, not the server directive. This is because I have to manually enter a static tap-win32 TCP/IP address on VPN2's client (for reasons not explained).

After I start VPN2, I see 'TUN/TAP device tun1 opened' in the log, but sudo ifconfig does not display tun1, only tun0... why?

The client is able to connect to VPN2 successfully, but is not able to access any resources on the 192.168.44.x LAN. I set up a static route on the LAN router for VPN2 (just as I did for VPN1) between 10.9.1.x and 192.168.44.x, so this isn't the problem.

I have ip_forwarding enabled on the OpenVPN server, and I have ports 1194-1195 open in ufw on the OpenVPN server.

Any help would be great!

 LAN (192.168.44.x)
          |
          |
Linux openVPN Server (192.168.44.90)
    |          |
    |          |
   VPN1      VPN2
 10.8.0.x   10.9.1.x

VPN1.conf

port 1194
proto udp
dev tun0
ca keys/VPN1ca/ca.crt
cert keys/VPN1ca/serverkey.crt
key keys/VPN1ca/serverkey.key
dh keys/VPN1ca/dh1024.pem
server 10.8.0.0 255.255.255.0
crl-verify keys/VPN1ca/crl.pem
ifconfig-pool-persist servers/VPN1/logs/ipp.txt
tls-auth servers/VPN1/ta.key 0
cipher BF-CBC
user nobody
group nogroup
status servers/VPN1/logs/openvpn-status.log
log-append servers/VPN1/logs/openvpn.log
verb 2
mute 20
max-clients 5
keepalive 10 120
client-config-dir /etc/openvpn/servers/VPN1/ccd
tls-server
comp-lzo
persist-key
persist-tun
ccd-exclusive
push "route 192.168.44.0 255.255.255.0"

VPN2.conf

port 1195
proto udp
dev tun1
ca keys/VPN2ca/ca.crt
cert keys/VPN2ca/sv_serverkey.crt
key keys/VPN2ca/sv_serverkey.key
dh keys/VPN2ca/dh2048.pem
crl-verify keys/VPN2ca/crl.pem
tls-auth servers/VPN2/ta.key 0
cipher BF-CBC
user nobody
group nogroup
status servers/VPN2/logs/openvpn-status.log
log-append servers/VPN2/logs/openvpn.log
verb 2
mute 20
max-clients 2
keepalive 10 120
tls-server
comp-lzo
persist-key
persist-tun
push "route 192.168.44.0 255.255.255.0"
# server side of the point-to-point tunnel; this instance has no "server" directive
ifconfig 10.9.1.5 10.9.1.6
#ifconfig-noexec <--this needed to be removed

VPN2client.ovpn

client
proto udp
dev tun1
ca ca.crt
dh dh2048.pem
cert VPN2client.crt
key VPN2client.key
remote x.x.x.x 1195
tls-auth ta.key 1
cipher BF-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind
ifconfig 10.9.1.6 10.9.1.5
ifconfig-noexec

edit:

ifconfig -a:

shows eth0, lo & tun0, tun1:

tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:37 errors:0 dropped:0 overruns:0 frame:0
      TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:4345 (4.3 KB)  TX bytes:5019 (5.0 KB)


tun1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:500 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:125909 (125.9 KB)  TX bytes:0 (0.0 B)

edit2:

OK. above problem fixed by removing ifconfig-noexec.
Next problem... mapping to a printer on the 10.9.1.x VPN client from the 192.168.44.x LAN. The VPN client is connected using OpenVPN-GUI. Sometimes \\10.9.1.x\printer works, other times not; has anyone dealt with this before?

thanks!

Best Answer

You will want to remove the ifconfig-noexec on the server. On the client, you should keep it since you're setting the IP of its tun interface separately.

On the server, the tun1 interface doesn't come up if you specify ifconfig-noexec (basically, the OS isn't running "ifconfig tun1 10.9.1.5 up"). So, nothing on the LAN will know how to route to the 10.9.1.6 machine that's the client IP.
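The script below is an added check, not part of the question or the answer. It parses "ifconfig -a" output (the embedded sample is a constructed copy of the question's paste) and reports whether a tun device has the UP flag and an inet address, which is exactly the difference between tun0 and tun1 above, and it greps a server config for an active, uncommented ifconfig-noexec line. The function names tun_status and config_has_noexec are mine; the config path /etc/openvpn/VPN2.conf in the usage comment is an assumption.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): check whether an OpenVPN tun
# device was actually configured, and whether the server config still carries
# ifconfig-noexec. A device opened with ifconfig-noexec shows up in "ifconfig -a"
# but has no UP flag and no inet address, so plain "ifconfig" (UP interfaces only)
# hides it and nothing can be routed through it.

# Constructed sample: the "ifconfig -a" paste from the question, tun0 configured,
# tun1 opened but never configured.
SAMPLE_IFCONFIG='tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:37 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
'

# tun_status IFNAME   (reads "ifconfig -a" output on stdin)
# Prints "IFNAME flags=UP|DOWN inet=ADDR|none", or "IFNAME missing" if the
# device was never opened at all.
tun_status() {
    awk -v want="$1" '
        # an interface block starts with its name in column 1; indented lines
        # belong to the block above
        /^[^ \t]/ { inblock = ($1 == want); if (inblock) found = 1; next }
        !inblock  { next }
        /inet addr:/ { sub(/.*inet addr:/, ""); sub(/[ \t].*/, ""); inet = $0 }
        /(^|[ \t])UP([ \t]|$)/ { up = 1 }
        END {
            if (!found) { print want " missing"; exit }
            printf "%s flags=%s inet=%s\n", want,
                   (up ? "UP" : "DOWN"), (inet != "" ? inet : "none")
        }'
}

# config_has_noexec   (reads an OpenVPN config on stdin)
# Exit 0 if an active ifconfig-noexec directive is present; a line commented
# out with "#" (as in the fixed VPN2.conf) does not count.
config_has_noexec() {
    grep -qE '^[[:space:]]*ifconfig-noexec([[:space:]]|$)'
}

# Offline demonstration on the constructed sample. On the server itself run:
#   ifconfig -a | tun_status tun1
#   config_has_noexec < /etc/openvpn/VPN2.conf && echo "remove ifconfig-noexec"
printf '%s\n' "$SAMPLE_IFCONFIG" | tun_status tun0
printf '%s\n' "$SAMPLE_IFCONFIG" | tun_status tun1
```

A tun1 line reading "flags=DOWN inet=none" while the OpenVPN log says the device was opened is the signature of ifconfig-noexec on the server side: the daemon skipped the ifconfig call, so the kernel has no address and no route for the 10.9.1.x peer, and the LAN router's static route toward 192.168.44.90 ends at an interface that cannot forward.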