OpenVPN – Issue with site-to-site OpenVPN


So my end goal is to utilise OpenVPN to connect to a remote IP camera. The reason I am going down the route of OpenVPN is to try and overcome the carrier grade NAT that prevents me from doing port forwarding and having a static IP without paying $$$ every month for the privilege.

So below is what the topology looks like. I can ping devices on the Site A LAN (192.168.1.0) from both Site B and C, so that's good and proves the VPN is working.

But I cannot ping the IP camera, which is situated on Site B (192.168.2.0), from either Site A or from Site B, which is my end goal.

I'm still not 100% sure that my config is correct or if I am missing something.

net.ipv4.ip_forward=1 is enabled on both the OpenVPN server (Debian 8) and the Raspberry Pi.

The other thing I was considering is: do I need to set the IP camera's default gateway to be the IP of the Raspberry Pi?

Topology: [network diagram image not included]

Server Config

port 1194
proto udp
dev tun
topology subnet
mode server
tls-server
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
client-config-dir ccd
client-to-client
route 192.168.2.0 255.255.255.0 10.8.0.3
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
keepalive 10 120
comp-lzo
user nobody
group nogroup
daemon
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3

/etc/openvpn/ccd/flexo_client

push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.2.0 255.255.255.0

client config

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
topology subnet
ca - XML
cert - XML
key -XML
tls-auth - XML

Routing table on OpenVPN server – Site A

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use   Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     10.8.0.3        255.255.255.0   UG    0      0        0 tun0

Raspberry Pi routing table – Site B

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use      Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    303    0        0 wlan0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     303    0        0 wlan0

EDIT:

Static routes on router (192.168.1.254) – Site A

Destination     Gateway         Genmask
192.168.2.0     192.168.1.143   255.255.255.0
10.8.0.0        192.168.1.143   255.255.255.0

Best Answer

The other thing I was considering is: do I need to set the IP camera's default gateway to be the IP of the Raspberry Pi?

YES. Only the Raspberry Pi knows where to send traffic targeted at the VPN.

Another option is an iptables setup with SNAT/MASQUERADE on the Raspberry Pi, so every connection from the VPN network will have its source IP set to the Raspberry Pi's IP.
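
The SNAT/MASQUERADE option from the answer, sketched as an added example (not code from the original post or answer). It is meant for the Raspberry Pi and takes the subnets and the `tun0`/`wlan0` interface names from the question's routing tables; treating the Site A LAN as a second source network, and limiting forwarding to tunnel-to-LAN traffic only, are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. Values below come from the question; adjust to your site.
VPN_NET="10.8.0.0/24"        # OpenVPN tunnel subnet
SITE_A_NET="192.168.1.0/24"  # Site A LAN (assumed to arrive un-NATed via the tunnel)
CAM_NET="192.168.2.0/24"     # Site B LAN holding the camera
TUN_IF="tun0"
LAN_IF="wlan0"

# Print one rule per line as "-t <table> <chain> <match/target...>".
rule_specs() {
    for src in "$VPN_NET" "$SITE_A_NET"; do
        # Rewrite the source to the Pi's wlan0 address so the camera replies
        # on-link instead of sending the answer to its default gateway.
        printf '%s\n' "-t nat POSTROUTING -s $src -d $CAM_NET -o $LAN_IF -j MASQUERADE"
        # Forward only tunnel -> camera LAN traffic from these sources.
        printf '%s\n' "-t filter FORWARD -i $TUN_IF -o $LAN_IF -s $src -d $CAM_NET -j ACCEPT"
    done
    # Replies to connections that were opened from the VPN side.
    printf '%s\n' "-t filter FORWARD -i $LAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them as root.
# -C tests whether a rule already exists, so re-running adds no duplicates.
apply_rules() {
    rule_specs | while read -r t table chain rest; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf '%s\n' "iptables $t $table -A $chain $rest"
        else
            # $rest is split on purpose: it holds several iptables arguments.
            iptables "$t" "$table" -C "$chain" $rest 2>/dev/null ||
                iptables "$t" "$table" -A "$chain" $rest
        fi
    done
}

apply_rules
```

With masquerading in place the camera sees every VPN connection as coming from the Pi's address, so per-client attribution has to come from the OpenVPN and Pi logs rather than from the camera's own.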