Openvpn – Communicating between private IP addresses on two separate networks through OpenVPN

client-serveropenvpnvpn

I'm connecting two networks (Clients A and B) together using OpenVPN. Let's say Client A is behind a NAT with IP addresses 192.168.20.x and Client B is behind a NAT with IP Addresses 172.16.1.x. Is there a way I can configure my setup such that the clients can communicate with machines inside each other's subnets through an OpenVPN server (10.8.0.1, 255.255.255.0)?

For example, if Client A's internal IP is 192.168.20.50 and Client B is 172.16.1.50, is there any way that Client A can ping or tracert to Client B successfully using its private IP address?

Best Answer

Yes, it is possible.

Each end of the tunnel must have interfaces in respective end's private networks. That is, for example 10.8.0.1 must have an address in 192.168.20.0/24 network and 10.8.0.2 must have an address in 172.16.1.0/24 network (I guessed the netmasks for the networks just for example, your setup might be different).

Then, you need to enable proper routing on the devices.

For clients in 192.168.20.0/24 network, they need to have a route in their routing table that tells them to route packets to 172.16.1.0/24 via 192.168.20.x, where x is the octet corresponding to the other interface of the 10.8.0.1 server.

Then, the server at 10.8.0.1 has to have a routing table entry which tells that packets to 172.16.1.0/24 network have to be sent via 10.8.0.2, that is, the other end of the tunnel.

Then you need to have corresponding rules for the other end of the tunnel, swapping network addresses.

Easiest way to implement this is to run the OpenVPN server / client on the router for that network. Then one doesn't need to add the routing rules for each client, since the routing is handled by the default gateway. In this case, one only need the routing rule at the OpenVPN server / client.

If OpenVPN server / client is a different machine than the default router, then one needs to distribute the network routes to the clients. One way to do this is via DHCP. One method is described in How can I configure my DHCP server to distribute IP routes?.

Related Solutions

Debian – Connecting two networks together with OpenVPN

In order for machines on different networks to successfully talk to each other, both ends need to know how to route traffic to the other end. Normally, this is easily done on a simple enduser LAN because there's usually only two destinations: "the local network" and "everywhere else". Traffic to the local network is just sent directly to the destination, while traffic to everywhere else is sent to the default gateway ("router") and it handles it (by passing it to your upstream ISP, which has far more knowledge about where to send traffic to the many destinations that make up the Internet).

By placing a VPN into the mix, you're complicating things somewhat. By making the VPN endpoints machines within a LAN, rather than making the default gateways the endpoints, you're complicating things greatly.

What you need to do is add routes to allow traffic to go to the right places. You can either do this on every machine in both LANs, or just add it to the default gateway. The latter is far easier, but slightly less efficient (traffic will have an extra "hop", going via the gateway, which shouldn't be a major inconvenience in most cases).

Without knowing what your gateways actually are, I can't tell you how to configure them, but the routes basically need to be:

On gateway for 172.16.130.0/24:
- Route all traffic destined for 172.16.120.0/24 via 172.16.130.2
On gateway for 172.16.120.0/24:
- Route all traffic destined for 172.16.130.0/24 via 172.16.120.2

There's also all sorts of firewalling stuff you might have to do, both on the gateways and the VPN endpoints, and you might have to turn on IP forwarding on the endpoints, but it's all fairly straightforward network configuration stuff.

And next time: just put the VPN endpoints on the default gateway. It's so much easier.

Firewall – Openvpn routing for lan to lan through tun

OP posted the answer on forums.openvpn.net

Use this server config:

port 1194
proto udp
dev tun

topology subnet
mode server
tls-server

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # flexo_client,10.8.0.4

client-config-dir ccd
client-to-client

#ifconfig 10.8.0.1 255.255.255.0
route 192.168.3.0 255.255.255.0 10.8.0.4
route 192.168.4.0 255.255.255.0 10.8.0.4

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mom_server.crt
key /etc/openvpn/keys/mom_server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem

keepalive 10 120i

comp-lzo

user nobody
chroot /etc/openvpn
group nogroup
daemon

persist-key
persist-tun

status openvpn-status.log

verb 3

With this /etc/openvpn/ccd/flexo_client

push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.3.0 255.255.255.0
iroute 192.168.4.0 255.255.255.0

and this client config:

config openvpn 'flexo_client'
   option nobind '1'
   option float '1'
   option client '1'
   option comp_lzo '1'
   option dev 'tun0'
   option verb '3'
   option persist_tun '1'
   option persist_key '1'
   option remote_cert_tls 'server'
   option remote 'x.x.x.x'
   option proto 'udp'
   option resolv_retry 'infinite'
   option ca '/etc/openvpn/ca.crt'
   option cert '/etc/openvpn/flexo_client.crt'
   option key '/etc/openvpn/flexo_client.key'
   option ns_cert_type 'server'
   option topology 'subnet'
   option enable '1'

More information on using OpenVPN and iroute can be found on backreference.org

Best Answer

Related Solutions

Debian – Connecting two networks together with OpenVPN

Firewall – Openvpn routing for lan to lan through tun

Related Topic