linux
Nird, 2019-03-27 13:01:25

How to setup LAN access via OpenVPN with tun?

Good day.
I've been fighting for a week now. This question has been discussed more than once, but for some reason none of the solutions work.
There is a local network, 192.168.127.0, on the interface enp2s0.
OpenVPN is configured and clients connect to it. The VPN network is 10.8.0.0.
But the client can only ping 192.168.127.89 (the internal IP of the OpenVPN server); pings do not go further into the network.
OpenVPN config:

cat /etc/openvpn/server.conf
;local a.b.c.d
port 11194
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;server-bridge 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "route 10.8.0.0 255.255.255.0"
push "route 192.168.127.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20
explicit-exit-notify 0

Client config:
client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote xxx.xxx.xxx.xxx 11194
;remote-random
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings

remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
verb 3
;mute 20

Client Routes with VPN Connected

ip ro li
default via 192.168.0.1 dev enp2s13 proto static metric 100 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4 
169.254.0.0/16 dev enp2s13 scope link metric 1000 
xxx.xxx.xxx.xxx via 192.168.0.1 dev enp2s13 
192.168.0.0/24 dev enp2s13 proto kernel scope link src 192.168.0.71 metric 100 
192.168.127.0/24 via 10.8.0.1 dev tun0

Server routes with VPN connected
ip ro li
default via 212.48.195.118 dev ppp0 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.2 
192.168.127.0/24 dev enp2s0 proto kernel scope link src 192.168.127.89 
212.48.195.118 dev ppp0 proto kernel scope link src xxx.xxx.xxx.xxx

Firewall Rules
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*filter
:INPUT DROP [236:11906]
:FORWARD ACCEPT [1041:69425]
:OUTPUT ACCEPT [253288:161677613]
:f2b-sshd - [0:0]
:f2b-sshd-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 10022 -j f2b-sshd-ddos
-A INPUT -p tcp -m multiport --dports 10022 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10022 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i enp2s0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.127.0/24 -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A f2b-sshd -j RETURN
-A f2b-sshd-ddos -j RETURN
COMMIT
# Completed on Tue Mar 26 16:48:58 2019
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*nat
:PREROUTING ACCEPT [2570:185461]
:INPUT ACCEPT [9217:504581]
:OUTPUT ACCEPT [3900:256485]
:POSTROUTING ACCEPT [3976:260537]
-A PREROUTING -s 192.168.127.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.127.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3388 -j DNAT --to-destination 192.168.127.81:3389
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p gre -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5650 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 15650 -j DNAT --to-destination 192.168.127.160
-A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
-A POSTROUTING -s 192.168.127.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.127.0/24 -o enp1s1 -j MASQUERADE
COMMIT
# Completed on Tue Mar 26 16:48:58 2019
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*mangle
:PREROUTING ACCEPT [1688943:1124405045]
:INPUT ACCEPT [1014945:747408567]
:FORWARD ACCEPT [673998:376996478]
:OUTPUT ACCEPT [1106484:693624812]
:POSTROUTING ACCEPT [1780482:1070621294]
-A PREROUTING -s 192.168.127.0/24 -j HMARK --hmark-src-prefix 32 --hmark-rnd 0xfeedcafe --hmark-mod 10 --hmark-offset 10000
COMMIT
# Completed on Tue Mar 26 16:48:58 2019

enp2s0 is the interface facing the LAN.
ppp0 faces the Internet.
enp1s1 is the second Internet channel.
xxx.xxx.xxx.xxx is the external IP address on interface ppp0.
I have probably tried everything suggested on the Internet. The idea is that it should work, but it doesn't.
If you uncomment ;push "redirect-gateway def1 bypass-dhcp", then it lets you reach the Internet via the VPN, but you can't get to the local network at all. I understand that something with routing is not right somewhere, but where?
Thank you.


1 answer(s)
res2001, 2019-03-27
@Nird_o

In order for computers from the internal network behind the VPN server to send responses to requests from VPN clients, the VPN server must either be the default gateway for them, or you must manually register the route to the VPN network on each computer of the internal network.
In addition to the firewall on the VPN server itself, firewalls on computers within the network and on the VPN client can block traffic. The easiest way is to turn off the firewalls everywhere and check the response; if everything works, turn the firewalls back on and write allow rules in them.
NAT in exchange with VPN clients is usually not needed!
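As an added illustration of the first point in this answer (this is not code from the original post): a small simulation of the kernel's route lookup on a LAN host, showing where that host sends its reply to a VPN client. The LAN-host route tables are constructed for the example; the VPN server's LAN IP and the client's tunnel IP are taken from the question.

```python
import ipaddress

# Constructed example: simulate the return path from a LAN host (192.168.127.0/24)
# back to an OpenVPN client (10.8.0.0/24), as described in the answer above.

def parse_routes(text):
    """Parse `ip route` output into (network, via, dev) tuples; other fields are ignored."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, via, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, like the kernel's FIB lookup."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def next_hop(routes, dst):
    """IP the host hands the packet to: the gateway, or dst itself when on-link."""
    match = lookup(routes, dst)
    if match is None:
        return None
    return match[1] or dst

VPN_SERVER_LAN_IP = "192.168.127.89"  # from the question
VPN_CLIENT_IP = "10.8.0.4"            # from the client's `ip ro li`

# Constructed route table of a LAN host whose default gateway is NOT the VPN server.
LAN_HOST_NO_ROUTE = """
default via 192.168.127.1 dev eth0
192.168.127.0/24 dev eth0 proto kernel scope link src 192.168.127.160
"""
# The same host after adding the route to the VPN network that the answer recommends.
LAN_HOST_WITH_ROUTE = LAN_HOST_NO_ROUTE + "10.8.0.0/24 via 192.168.127.89 dev eth0\n"

def reply_reaches_vpn_server(lan_host_routes):
    """True if the LAN host's reply to the VPN client is handed to the VPN server."""
    return next_hop(parse_routes(lan_host_routes), VPN_CLIENT_IP) == VPN_SERVER_LAN_IP

if __name__ == "__main__":
    print("without route:", reply_reaches_vpn_server(LAN_HOST_NO_ROUTE))   # False
    print("with route:   ", reply_reaches_vpn_server(LAN_HOST_WITH_ROUTE))  # True
```

Without the extra route the reply leaves towards 192.168.127.1, which knows nothing about 10.8.0.0/24, so the VPN client never sees it even though its own ping went out fine.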
