I have set up an OpenVPN server and I can connect to it from various clients. I can also access resources in my local LAN (192.168.2.xxx). However, once a client is connected to my VPN server, it cannot access the internet.
Here are my configs:
local 192.168.2.105
dev tun
proto tcp
port 4567
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/raspberrypi.crt
key /etc/openvpn/easy-rsa/keys/raspberrypi.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.2.1"
log-append /var/log/openvpn/openvpn.log
persist-key
persist-tun
group nogroup
user nobody
status /var/log/openvpn/openvpn-status.log 20
verb 4
client-to-client
comp-lzo
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
and for the clients:
client
dev tun
proto tcp
remote xxxxx 4567
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 3
mute 20
I suspect the problem is that when I connect to my VPN server from a different Wi-Fi network or via a mobile connection, my clients get IP addresses from other subnets, e.g. 192.168.1.0/24 or 10.0.0.0/8.
I get the following error:
MULTI: bad source address from client [xxx.xxx.xxx.xxx], packet dropped
I have seen solutions that suggest creating a client-config file and setting an iroute option. However, I am not sure whether this solution is still valid for the latest version of OpenVPN.
I should be able to configure my VPN server in such a way that it allows clients from certain subnets to access the internet. I guess 192.168.1.0/24 and 10.0.0.0/8 should be sufficient.
Best Answer
The way I did it:
And:
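The server config in the question pushes `redirect-gateway def1`, so every client routes its internet traffic into the tunnel with a source address in 10.8.0.0/24. OpenVPN itself only moves packets between the tun interface and the clients; for those packets to leave the server towards the internet and come back, the Linux host has to have IP forwarding enabled and a NAT (masquerade) rule that rewrites 10.8.0.0/24 sources to the server's own address on its uplink. Nothing in the posted server.conf does that, and neither does an iroute (iroute only tells the server about a subnet sitting behind a particular client). The script below is an added example of the standard forwarding-plus-NAT setup, not the answer's own commands; it assumes (not stated in the post) that the server's uplink interface is eth0, that the tunnel interface is tun0, and that iptables is the firewall in use.

```shell
#!/bin/sh
# Added example: forwarding + NAT for an OpenVPN server whose clients use
# 10.8.0.0/24 (the "server" line in the question's config). The interface
# names below are assumptions, override them via the environment if needed.
TUN_NET="${TUN_NET:-10.8.0.0/24}"   # tunnel subnet from "server 10.8.0.0 255.255.255.0"
TUN_IF="${TUN_IF:-tun0}"            # assumed tunnel interface
WAN_IF="${WAN_IF:-eth0}"            # assumed uplink interface of the server

# Emit the iptables rules needed, one per line, without applying them.
# 1) masquerade tunnel traffic leaving the uplink
# 2) allow new flows from the tunnel to the uplink (only matters if the
#    FORWARD chain policy is DROP)
# 3) allow reply traffic back into the tunnel
nat_rules() {
  net="$1"; tun="$2"; wan="$3"
  cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $tun -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $tun -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Return 0 if the kernel is forwarding IPv4; the optional argument lets the
# check be pointed at another file (used for testing without root).
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Apply everything. Must run as root; rules are not persistent across reboot,
# so also set net.ipv4.ip_forward=1 in /etc/sysctl.conf and save the iptables
# rules with whatever your distribution uses (e.g. iptables-persistent).
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1
  nat_rules "$TUN_NET" "$TUN_IF" "$WAN_IF" | sh -e
  forwarding_enabled || { echo "ip_forward still disabled" >&2; return 1; }
  iptables -t nat -S POSTROUTING
}

case "${1:-}" in
  apply) apply_rules ;;
  *)
    echo "# dry run; re-run as root with 'apply' to install these rules:"
    nat_rules "$TUN_NET" "$TUN_IF" "$WAN_IF"
    ;;
esac
```

After applying, a connected client should be able to reach the internet; on the server, `iptables -t nat -S POSTROUTING` should show the MASQUERADE rule and `cat /proc/sys/net/ipv4/ip_forward` should print 1. The `MULTI: bad source address` message is a separate symptom: the server drops any packet from a client whose source address is neither the client's tunnel IP nor a subnet declared for it with iroute, which is what happens when a client pushes packets sourced from its local 192.168.1.x or 10.x address into the tunnel. NAT on the server does not change that check; those packets are only accepted if the client is genuinely routing a LAN behind it and that LAN is declared with a client-config-dir entry plus iroute, which remains valid in current OpenVPN releases.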