Answer the question
In order to leave comments, you need to log in
How to setup LAN access via OpenVPN with tun?
Good day.
I've been fighting for a week now. This question has been discussed more than once, but for some reason none of the solutions work.
There is a local network on the interface enp2s0 192.168.127.0
OpenVPN is configured and clients connect to it. VPN network 10.8.0.0
But the client can only ping 192.168.127.89 - the internal IP of the ovpn server, pings do not go further into the network.
OpenVPN config:
cat /etc/openvpn/server.conf
;local a.b.c.d
port 11194
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;server-bridge 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "route 10.8.0.0 255.255.255.0"
push "route 192.168.127.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
explicit-exit-notify 0
client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote xxx.xxx.xxx.xxx 11194
;remote-random
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
verb 3
;mute 20
Код: [Выделить]
ip ro li
default via 192.168.0.1 dev enp2s13 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4
169.254.0.0/16 dev enp2s13 scope link metric 1000
xxx.xxx.xxx.xxx via 192.168.0.1 dev enp2s13
192.168.0.0/24 dev enp2s13 proto kernel scope link src 192.168.0.71 metric 100
192.168.127.0/24 via 10.8.0.1 dev tun0
ip ro li
default via 212.48.195.118 dev ppp0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.2
192.168.127.0/24 dev enp2s0 proto kernel scope link src 192.168.127.89
212.48.195.118 dev ppp0 proto kernel scope link src xxx.xxx.xxx.xxx
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*filter
:INPUT DROP [236:11906]
:FORWARD ACCEPT [1041:69425]
:OUTPUT ACCEPT [253288:161677613]
:f2b-sshd - [0:0]
:f2b-sshd-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 10022 -j f2b-sshd-ddos
-A INPUT -p tcp -m multiport --dports 10022 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10022 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i enp2s0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.127.0/24 -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A f2b-sshd -j RETURN
-A f2b-sshd-ddos -j RETURN
COMMIT
# Completed on Tue Mar 26 16:48:58 2019
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*nat
:PREROUTING ACCEPT [2570:185461]
:INPUT ACCEPT [9217:504581]
:OUTPUT ACCEPT [3900:256485]
:POSTROUTING ACCEPT [3976:260537]
-A PREROUTING -s 192.168.127.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.127.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3388 -j DNAT --to-destination 192.168.127.81:3389
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p gre -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5650 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 15650 -j DNAT --to-destination 192.168.127.160
-A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
-A POSTROUTING -s 192.168.127.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.127.0/24 -o enp1s1 -j MASQUERADE
COMMIT
# Completed on Tue Mar 26 16:48:58 2019
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*mangle
:PREROUTING ACCEPT [1688943:1124405045]
:INPUT ACCEPT [1014945:747408567]
:FORWARD ACCEPT [673998:376996478]
:OUTPUT ACCEPT [1106484:693624812]
:POSTROUTING ACCEPT [1780482:1070621294]
-A PREROUTING -s 192.168.127.0/24 -j HMARK --hmark-src-prefix 32 --hmark-rnd 0xfeedcafe --hmark-mod 10 --hmark-offset 10000
COMMIT
# Completed on Tue Mar 26 16:48:58 2019
Answer the question
In order to leave comments, you need to log in
In order for computers from the internal network behind the VPN server to send responses to requests from VPN clients, the VPN server must either be the default gateway for them, or you must manually register the route to the VPN network on each computer of the internal network.
In addition to the firewall on the VPN server itself, firewalls on computers within the network and on the VPN client can block traffic. The easiest way is to turn off the firewalls everywhere, check the response, if everything works, then turn on the firewalls and write allowing rules in them.
NAT in exchange with VPN clients is usually not needed!
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question