Openvpn – Route packets from one VPN to another

Tags: networking, openvpn, routing, tun, vpn

I have two OpenVPN servers (10.8.0.0 and 10.9.0.0) set up on my OpenSUSE server. Within one network, each computer is visible to any other one, but I'd like to make it so that computers are visible across networks. I'd like to route the packets like this: when a user (say 10.8.0.6) pings an address on the other VPN (10.9.0.6), the packets are routed to 10.9.0.1 and then to the appropriate computer in this VPN. How do I achieve this using iptables or a different tool? I tried the commands at the end of this section to no avail.

Best Answer

The DD-WRT project has some OpenVPN examples on its wiki, including a sample configuration that should do exactly what you want in the Advanced Configuration: Multiple routed networks section.

The key parts that you'll want to keep in mind are in this excerpt:

Since both will be connecting to the same server, you cannot use the same port number for both clients, so we will be giving port 1999 for the first client and 2000 for the second client. Also, we need to tell Client1 how to reach Client2's subnet and vice versa. This means including a second routing entry in our configuration.

What you'll most likely need to add to your existing configuration is the following:

OpenVPN config for Clients on 10.8.0.0

port 2000
# Create routes
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1
route add -net 10.9.0.0 netmask 255.255.255.0 gw 10.8.0.1

iptables config for Clients on 10.8.0.0

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

OpenVPN config for Clients on 10.9.0.0

port 1999
# Create routes
route add -net 10.9.0.0 netmask 255.255.255.0 gw 10.9.0.1
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.9.0.1

iptables config for Clients on 10.9.0.0

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 1999 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

OpenVPN config for Server

# Create routes
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.6
route add -net 10.9.0.0 netmask 255.255.255.0 gw 10.9.0.6

iptables config for Server

# Open firewall holes for Client1
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

# Open firewall holes for Client2
iptables -I INPUT 2 -p udp --dport 1999 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT

# Allow Forwarding packets between Client1 and Client2
iptables -I FORWARD -i tun0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o tun0 -j ACCEPT

Note that these instructions are for setting up Ethernet Routing, which is easier to set up and probably what you want for your case. You should, however, review the differences between bridging and routing, and the overview on how to set up Ethernet Bridging if you think you need the features that bridging gives you.
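As an added example that is not part of the answer or of the DD-WRT wiki: when both OpenVPN instances run on one Linux host, as in the question's OpenSUSE server, the per-client "route add" lines above are normally replaced by push "route ..." directives in each server instance's config, and the server itself needs IP forwarding enabled plus FORWARD rules between the two tun interfaces. The script below generates those pieces for any number of instances and refuses overlapping subnets, which would make the routing ambiguous; the interface names, UDP ports and a DROP default policy on the FORWARD chain are assumptions.

```python
"""Generate the server-side pieces for routing between OpenVPN tun instances:
the routes each instance pushes to its clients and the iptables rules."""
from itertools import permutations
import ipaddress

# Constructed sample matching the question: two server instances on one host.
# Interface names and ports are assumptions; adjust to your server configs.
VPNS = [
    {"iface": "tun0", "subnet": "10.8.0.0/24", "port": 1194},
    {"iface": "tun1", "subnet": "10.9.0.0/24", "port": 1195},
]

def check_subnets(vpns):
    """Refuse configurations whose subnets overlap; routing would be ambiguous."""
    nets = [ipaddress.ip_network(v["subnet"]) for v in vpns]
    for a, b in permutations(nets, 2):
        if a.overlaps(b):
            raise ValueError(f"overlapping VPN subnets: {a} and {b}")
    return nets

def push_routes(vpns):
    """Per server instance, the 'push route' lines that tell its clients how
    to reach the other instances' subnets (OpenVPN's own way of doing what
    the DD-WRT 'route add' lines do)."""
    check_subnets(vpns)
    out = {}
    for v in vpns:
        lines = []
        for other in vpns:
            if other is v:
                continue
            net = ipaddress.ip_network(other["subnet"])
            lines.append(f'push "route {net.network_address} {net.netmask}"')
        out[v["iface"]] = lines
    return out

def forward_rules(vpns):
    """Enable forwarding, accept replies to established flows, open each
    instance's UDP port, and accept traffic between every pair of tun
    interfaces. Assumes FORWARD policy DROP, so only listed pairs may talk."""
    rules = ["sysctl -w net.ipv4.ip_forward=1",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for v in vpns:
        rules.append(f'iptables -A INPUT -p udp --dport {v["port"]} -j ACCEPT')
    for a, b in permutations(vpns, 2):
        rules.append(f'iptables -A FORWARD -i {a["iface"]} -o {b["iface"]} -j ACCEPT')
    return rules

if __name__ == "__main__":
    for iface, lines in push_routes(VPNS).items():
        print(f"# server instance on {iface}\n" + "\n".join(lines))
    print("\n".join(forward_rules(VPNS)))
```

Review the printed rules before applying them; the INPUT rules must land before any rule that rejects new connections on your firewall.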