Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
E
E
Evgeny Vorobyov2020-10-20 16:47:39
openvpn
Evgeny Vorobyov, 2020-10-20 16:47:39

Can you help me set up OpenVPN strictly for LAN connectivity?

There are two grids: 192.168.1.0, 192.168.2.0 and 192.168.5.0
In the second grid, a virtual machine with openvpn-server on debian is running.
Clients connect to ovpn, but all traffic goes through the tunnel ... along with the Internet. It is necessary to let through the tunnel only traffic of the local network behind the tunnel (RDP, Radmin, connection to the 1C server), and all sorts of VKontakte and YouTubers went through the "local" Internet of the client.

server.conf

local 192.168.2.104
port 1194
proto udp
dev tun
;sndbuf 393216
;rcvbuf 393216
;push "sndbuf 393216"
;push "rcvbuf 393216"
ca easy-rsa/pki/ca.crt
cert easy-rsa/pki/issued/.crt
key easy-rsa/pki/private/.key
dh easy-rsa/pki/dh.pem
crl-verify easy-rsa/pki/crl.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
;push "redirect-gateway local def1"
push "redirect-gateway def1 bypass-dhcp"
push "route-gateway dhcp"
push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 10.8.0.1"
;client-to-client
keepalive 10 120
tls-server
tls-timeout 120
auth SHA512
tls-auth easy-rsa/pki/tls.key 0
cipher AES-256-CBC
comp-lzo adaptive
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
mute 10
script-security 2
up up.sh
down down.sh
askpass server.pass

recoverable iptables when tunnel is up

GNU nano 3.2 /etc/openvpn/iptables

# Generated by xtables-save v1.8.2 on Thu Oct 8 10:31:09 2020
* filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o ens32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens32 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 8 10:31:09 2020
# Generated by xtables-save v1.8.2 on Thu Oct 8 10:31:09 2020
* nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o ens32 -j MASQUERADE
COMMIT
# Completed on Thu Oct 8 10:31:09 2020


Fellow experts please help)

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
E
Evgeny Vorobyov, 2020-10-20
@astrave

Found the answer myself. It was necessary to remove these 2 lines in the server configuration. One sets the ovpn server as the default gateway, and the second sends DNS to it.
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

Similar questions
X
xorvester2015-12-22 23:11:49
How to prevent information leakage when the connection is lost via OPENVPN? 3Reply
S
Supremebeing2015-12-27 21:07:10
JabPunch->OpenVPN - Can't see opponent online? 1Reply
M
Mark Sakharov2021-08-22 03:16:40
How to write Iptables rules to direct OpenVPN server traffic to SSH tunnel? 0Reply
A
Anton2020-06-05 03:49:51
Sending post requests via vpn - will my scheme work? 3Reply
H
hrystenko2016-01-08 21:48:12
How to fix Connection reset by peer (WSECONNREST) ​​(code=10054) error in OpenVPN? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question