openvpn
alexfmos, 2020-12-19 13:59:42

How to configure network routing with openvpn?

Friends, I am setting up a server for the first time and am asking specialists for help. The main thing is that the server is up and running; I figured that out, but I have problems with routing, I understand very little about it at all, it's a dark forest to me. I have been setting up the server for three days, collecting information from dozens of sites, but that's it, my strength has run out.
Network diagram (image 5fdddb273ce25246992918.png, not reproduced here)

I can ping or RDP from HomePC1 to WorkPC1 at 10.8.8.2, so the server itself is fine.
What I want is to also connect from the HomePC 2-3 computers to WorkPC1. Unfortunately, I still can't figure out how to do it.
Ideally, if possible, I would also like to connect to any of WorkPC 2-3. I don't understand how to do this yet either.
All machines are Windows 10. OpenVPN is the latest, 2.5.0. In the configs I removed all lines with route or iroute addresses, because I have no idea what to write there; I tried picking them up from different tutorials, but it didn't work out, so I decided not to show them here. Also, if something in the config is superfluous, tell me; I have no idea about half of the lines, again the ones that start with route.
Server config
# Server side (OpenVPN 2.5 on Windows). Comments added; directives are the
# poster's, except that a duplicated "route-delay 5" line was dropped.
proto tcp
port 1194
dev tun
# implied by the "server" directive below; harmless
tls-server
topology subnet
# wait 5 s after the tun interface is up before adding routes
route-delay 5
# VPN subnet; the server takes 10.8.81.1
server 10.8.81.0 255.255.255.0
route-gateway 10.8.81.1
# per-client files, named after each client certificate's Common Name
client-config-dir "C:\\OpenVPN\\ccd"
ca "C:\\OpenVPN\\keys\\ca.crt"
cert "C:\\OpenVPN\\keys\\server.crt"
key "C:\\OpenVPN\\keys\\server.key"
dh "C:\\OpenVPN\\keys\\dh.pem"
# direction 0 here pairs with key-direction 1 on the clients
tls-auth "C:\\OpenVPN\\keys\\ta.key" 0

cipher AES-256-GCM
# deprecated in 2.5; compressing encrypted traffic enables VORACLE-style
# attacks, so it is safer to remove this on both sides
comp-lzo
persist-key
persist-tun
verb 3
mute 20
keepalive 10 120
# let VPN clients talk to each other through the server
client-to-client
# Windows: add routes with route.exe
route-method exe

# lets several clients connect with the same certificate; per-client ccd
# routing (iroute) assumes one connection owns that subnet, so drop this
# and give each client its own certificate when you add ccd entries
duplicate-cn
status C:\\OpenVPN\\log\\openvpn-status.log
log C:\\OpenVPN\\log\\openvpn.log


Client config
# Client side (OpenVPN 2.5 on Windows), connecting to the home server.
client
proto tcp
port 1194
dev tun
remote HomeRouter.ru 1194
# tls-client and pull are already implied by "client"; harmless
tls-client
remote-cert-tls server

pull
cipher AES-256-GCM
# must match the server; deprecated in 2.5, better removed on both sides
comp-lzo
persist-key
persist-tun
keepalive 10 120
verb 3
resolv-retry infinite

# Inline credentials. The <ca>/<cert>/<key>/<tls-auth> tags around the PEM
# blocks did not survive rendering of the post; which of the two CERTIFICATE
# blocks is the CA and which is the client certificate cannot be told from
# the page, so the assignment below is assumed.
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
# 1 on the client pairs with "tls-auth ... 0" on the server
key-direction 1


At the moment, from the HomePC 2-3 computers neither the 10.8.8.X nor the 192.168.0.X network can be pinged, and from the HomePC1 computer only the 10.8.8.X network can be pinged, but not 192.168.0.X.

1 answer

res2001, 2020-12-19

1. Do you have Windows on both the OpenVPN server and the client? Which versions on each? If Home or Pro, you need to enable routing: set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter (REG_DWORD) to 1 and reboot. On Windows Server editions routing is normally already enabled.
2. On the OpenVPN server, add this directive to the client's config file (located in the C:\\OpenVPN\\ccd directory):
iroute 192.168.1.0 255.255.255.0
This adds a route to the client's network on the OpenVPN server when the client connects (and deletes it when the client disconnects).
3. In the main OpenVPN server config, add the directive:
push "route 192.168.0.0 255.255.255.0"
This adds, on the client, a route to the network behind the server when it connects.
4. The other computers behind the server have the Internet router as their default gateway, so they send all packets destined for the client network to the router, not to the OpenVPN server. You need to add a route to the client network to the routing table of every computer on the network (except the OpenVPN server) with the command:

route -p add 192.168.1.0 mask 255.255.255.0 192.168.0.2

The route does not have to be added by hand; you can use AD group policy or DHCP options when handing out addresses.
5. On the computers on the network behind the client the same thing happens as on the network behind the server, only there the route is slightly different:
route -p add 192.168.0.0 mask 255.255.255.0 192.168.1.2
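The five steps above make up one site-to-site routing plan, and most of it has to line up across three places: the ccd entry, the main server config and the routing tables on the LAN hosts. The following Python checker is an added example, not code from this thread or from OpenVPN; it parses a server config together with one ccd entry and lists what is still missing for the two LANs to reach each other. It also encodes a detail a practitioner should know: iroute only routes inside OpenVPN (it picks which client owns a subnet), so the server's main config also needs a matching route line for the client's LAN, otherwise the server's kernel never hands those packets to the tun interface. The config texts, the ccd contents and the networks 192.168.0.0/24 (behind the server) and 192.168.1.0/24 (behind the client) are constructed from this thread; check_site_to_site and the finding codes are this example's own names.

```python
"""Checker for an OpenVPN site-to-site routing plan (added example, not the
thread's code). Reads a server config plus one ccd entry and reports what is
missing for the LAN behind the server and the LAN behind a client to reach
each other. Only whole-line comments (# or ;) are handled."""
import ipaddress
import shlex

# Constructed from the thread: the routing-relevant part of the posted server
# config and the ccd entry the answer proposes.
POSTED_SERVER = r"""
topology subnet
route-delay 5
server 10.8.81.0 255.255.255.0
client-config-dir "C:\\OpenVPN\\ccd"
comp-lzo
client-to-client
route-delay 5
duplicate-cn
"""
POSTED_CCD = "iroute 192.168.1.0 255.255.255.0\n"

# The same config with every finding below resolved.
FIXED_SERVER = r"""
topology subnet
server 10.8.81.0 255.255.255.0
client-config-dir "C:\\OpenVPN\\ccd"
client-to-client
# kernel -> tun; the iroute in the ccd file then picks the client inside OpenVPN
route 192.168.1.0 255.255.255.0
# how clients reach the LAN behind the server
push "route 192.168.0.0 255.255.255.0"
"""
LAN_BEHIND_SERVER = "192.168.0.0/24"  # home LAN in the answer
LAN_BEHIND_CLIENT = "192.168.1.0/24"  # work LAN in the answer


def parse(text):
    """Return [(directive, [args])], skipping comments and inline <tag> blocks."""
    out, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):            # <ca>, </ca>, <cert>, ...
            in_block = not line.startswith("</")
            continue
        if not in_block:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def _net(args):
    """'a.b.c.d [netmask]' -> IPv4Network; a missing mask means a host route."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.IPv4Network((args[0], mask), strict=False)


def routes_of(directives, name):
    """Networks named by a route-like directive (route or iroute)."""
    return {_net(a) for d, a in directives if d == name and a}


def pushed_routes(directives):
    """Networks from push "route ..." lines."""
    nets = set()
    for d, a in directives:
        if d == "push" and a:
            inner = shlex.split(a[0])
            if len(inner) > 1 and inner[0] == "route":
                nets.add(_net(inner[1:]))
    return nets


def check_site_to_site(server_cfg, ccd_cfg, lan_behind_server, lan_behind_client):
    """Return [(code, detail)]; an empty list means the plan is consistent."""
    srv, ccd = parse(server_cfg), parse(ccd_cfg)
    names = [d for d, _ in srv]
    server_lan = ipaddress.IPv4Network(lan_behind_server)
    client_lan = ipaddress.IPv4Network(lan_behind_client)
    kernel_routes, iroutes = routes_of(srv, "route"), routes_of(ccd, "iroute")
    found = []
    if client_lan not in iroutes:
        found.append(("MISSING_IROUTE", f"ccd needs: iroute {client_lan.network_address} {client_lan.netmask}"))
    for net in sorted(iroutes):
        if net not in kernel_routes:   # iroute alone never touches the kernel routing table
            found.append(("MISSING_ROUTE", f"server needs: route {net.network_address} {net.netmask}"))
    if server_lan not in pushed_routes(srv):
        found.append(("MISSING_PUSH", f'server needs: push "route {server_lan.network_address} {server_lan.netmask}"'))
    if "duplicate-cn" in names and iroutes:
        found.append(("DUPLICATE_CN", "several sessions may share the CN that owns the iroute; use one cert per site"))
    for name in sorted(set(names)):
        if names.count(name) > 1 and name not in ("push", "route", "remote"):
            found.append(("DUPLICATE_DIRECTIVE", name))
    if "comp-lzo" in names:
        found.append(("COMPRESSION", "deprecated in 2.5; compressing encrypted traffic enables VORACLE-style attacks"))
    return found
```

Calling check_site_to_site(POSTED_SERVER, POSTED_CCD, LAN_BEHIND_SERVER, LAN_BEHIND_CLIENT) reports five findings (the missing route, the missing push, duplicate-cn together with an iroute, the duplicated route-delay, and comp-lzo); the same call on FIXED_SERVER reports none. Two things a config check cannot see: the ccd file must be named exactly after the client certificate's Common Name, or it is never applied, and the LAN hosts on each side need a static route for the far LAN (and for the VPN subnet 10.8.81.0/24, if they should reach clients by tunnel address) pointing at the OpenVPN machine's LAN address, which is what the route -p add commands in the answer do; confirm with route print on each host after the client connects.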
