I'm new to OpenVPN and couldn't find any similar answer.
I have 3 Linux machines (Ubuntu 16.04):
A and S are in the same network. B is in a different network which is very restricted.
There is an OpenVPN server on machine S with the "client-to-client" directive enabled.
A and B see (ping, connect) each other and the server over the VPN, as they are clients.
The question is: How can I enable the server to see (ping, connect) the clients over the VPN?
The routes seem OK, but I get a connection timeout.
I need every machine to see (ping, connect) each other unrestricted in my VPN, including the server.
All three machines have internet access separately; they must only see (ping, connect) each other over the VPN, no need for LAN forwarding.
I used the https://github.com/Nyr/openvpn-install script to install, with the additional "client-to-client" flag in the server.conf.
UPDATE: tcpdump shows that the server uses the "real network" through the default route to access the VPN IP. Maybe some routing problem on the server?
My current configs (half-working, as stated above), derived from kal3v's post:
server:
tls-server
tls-auth ta.key 0 # This has to be added, or it does not connect
proto tcp
port 443
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 20
client:
client
tls-client # This has to be added, or it does not connect
dev tun
proto tcp-client
remote [SERVER IP REDACTED] 443
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
nobind
persist-key
persist-tun
comp-lzo
tls-auth ta.key 1 # This has to be added, or it does not connect
#status openvpn-status.log
#log-append /var/log/openvpn.log
verb 4
mute 20
<ca>
[REDACTED]
</ca>
<cert>
[REDACTED]
</cert>
<key>
[REDACTED]
</key>
<tls-auth>
[REDACTED]
</tls-auth>
Server ifconfig -a:
em1 Link encap:Ethernet HWaddr [REDACTED]
inet addr:[REDACTED] Bcast:[REDACTED] Mask:[REDACTED]
inet6 addr: [REDACTED] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2399844 errors:0 dropped:0 overruns:0 frame:0
TX packets:530948 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:719766790 (719.7 MB) TX bytes:435347738 (435.3 MB)
Interrupt:20 Memory:f7200000-f7220000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:98881 errors:0 dropped:0 overruns:0 frame:0
TX packets:98881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:9737053 (9.7 MB) TX bytes:9737053 (9.7 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:84 errors:0 dropped:0 overruns:0 frame:0
TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:9634 (9.6 KB) TX bytes:13102 (13.1 KB)
Server iptables -n -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 10.8.0.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Server netstat -nr:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 [REDACTED] 0.0.0.0 UG 0 0 0 em1
[REDACTED] 0.0.0.0 [REDACTED] U 0 0 0 em1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
Client ifconfig -a:
eno1 Link encap:Ethernet HWaddr [REDACTED]
inet addr:[REDACTED] Bcast:[REDACTED] Mask:[REDACTED]
inet6 addr: [REDACTED] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:241633 errors:0 dropped:0 overruns:0 frame:0
TX packets:78722 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:224498248 (224.4 MB) TX bytes:10952745 (10.9 MB)
Interrupt:20 Memory:fe400000-fe420000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:779 errors:0 dropped:0 overruns:0 frame:0
TX packets:779 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:73331 (73.3 KB) TX bytes:73331 (73.3 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:64 errors:0 dropped:0 overruns:0 frame:0
TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:12922 (12.9 KB) TX bytes:9634 (9.6 KB)
Client iptables -n -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Client netstat -nr:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 [REDACTED] 0.0.0.0 UG 0 0 0 eno1
[REDACTED] 0.0.0.0 [REDACTED] U 0 0 0 eno1
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
Best Answer
The solution was:
Somehow there was the following firewall rule directing the server to the real LAN instead of the VPN for reaching VPN clients, which had to be deleted:
Server iptables -t nat -L -n -v --line-numbers:
On the server: iptables -t nat -D POSTROUTING 1
Et voilà! Everything works...
To make it permanent, delete/comment the corresponding line in /etc/rc.local.
Thank you all for your help!
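An added example (not part of the question or the answer) that audits `iptables-save -t nat` output for the kind of POSTROUTING rule the answer removed: an SNAT/MASQUERADE rule that also rewrites packets destined for the VPN subnet, so the server's own traffic to a client leaves with its LAN address as source and the reply takes the client's default route instead of tun0. It assumes the VPN subnet 10.8.0.0/24 and WAN interface em1 from the page; the NAT rule set it checks is constructed, not the poster's actual rc.local content.

```shell
#!/bin/sh
# Added example: flag NAT POSTROUTING rules that would rewrite VPN-bound traffic.
# Assumed from the page: VPN subnet 10.8.0.0/24, WAN interface em1.

VPN_NET="10.8.0.0/24"
WAN_IF="em1"

# Constructed sample in `iptables-save -t nat` format (not the poster's rules).
# Rule 1 masquerades everything from the VPN, including server->client packets
# over tun0; rules 2 and 3 are restricted to real WAN traffic and are safe.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -s 10.8.0.0/24 -o em1 -j MASQUERADE
COMMIT'

# Print every POSTROUTING SNAT/MASQUERADE rule that is neither limited to the
# WAN interface nor excludes the VPN subnet as destination (one rule per line).
find_bad_nat_rules() {
    printf '%s\n' "$1" | grep -- '^-A POSTROUTING' | \
    grep -E -- '-j (SNAT|MASQUERADE)' | \
    grep -v -- "-o $WAN_IF" | \
    grep -v -- "! -d $VPN_NET"
}

# Returns 0 when no POSTROUTING rule touches traffic headed into the VPN.
nat_is_vpn_safe() {
    [ -z "$(find_bad_nat_rules "$1")" ]
}

# Suggested replacement: NAT only what leaves through the WAN interface and
# is not addressed to the VPN subnet, so tun0 traffic keeps its 10.8.0.x source.
suggest_fix() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -o %s -j MASQUERADE\n' \
        "$VPN_NET" "$VPN_NET" "$WAN_IF"
}

if ! nat_is_vpn_safe "$SAMPLE_NAT"; then
    echo "NAT rules that also rewrite VPN-bound traffic:"
    find_bad_nat_rules "$SAMPLE_NAT"
    echo "Replace with: $(suggest_fix)"
fi
```

Run it against a live box with `find_bad_nat_rules "$(iptables-save -t nat)"` to check the server after the rule from the answer is removed.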