OpenVPN and routing between networks
There are two servers connected to each other via OpenVPN. The task is to make the resources of the internal networks behind these servers available to each other.
Server #1 (which is also an OpenVPN server):
eth0 - 192.168.0.1
eth1 - external interface
tap0 - 10.8.0.1
OpenVPN config (excess cut out):
# Port
port 1194
# Protocol
proto udp
# Interface type
dev tap0
# Server operation mode
mode server
# The server is assigned the first address from the first subnet
ifconfig 10.8.0.1 255.255.255.0
# Client address pool
ifconfig-pool 10.8.0.10 10.8.0.100
# The route to the entire OpenVPN network is announced to the system
route 10.8.0.0 255.255.255.0
# Pass the route to the server's LAN to the clients
push "route 192.168.0.0 255.255.255.0"
# Gateway for the above routes
push "route-gateway 10.8.0.1"
Server #2
eth0 - external interface
eth1 - 192.168.1.1
tap0 - 10.8.0.11
OpenVPN config (excess cut out):
# Client mode of operation
# Interface type
dev tap
# Protocol
proto udp
# Server address and port
remote ip 1194
# Accept push commands from the server, i.e. allow the server to reconfigure the client
pull
Now everything is connected and working, and the servers ping each other (via 192.168.*.1), but the networks beyond them somehow do not respond. From server 2 I ping a machine:
192.168.1.1# ping 192.168.0.254
PING 192.168.0.254 (192.168.0.254) 56(84) bytes of data.
^C
--- 192.168.0.254 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4548ms
on server 1 I run tcpdump:
192.168.0.1# tcpdump -i tap0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:19:42.862971 IP 10.8.0.11 > 192.168.0.254: ICMP echo request, id 20265, seq 1, length 64
12:19:43.862806 IP 10.8.0.11 > 192.168.0.254: ICMP echo request, id 20265, seq 2, length 64
12:19:45.862667 IP 10.8.0.11 > 192.168.0.254: ICMP echo request, id 20265, seq 4, length 64
12:19:46.862640 IP 10.8.0.11 > 192.168.0.254: ICMP echo request, id 20265, seq 5, length 64
iptables has only one rule:
iptables -A FORWARD -p ALL -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT
Question number 2: where did I screw up, so that tcpdump is completely silent when I ping machines behind the second server from the 1st server?
Maybe I was inattentive, but it seems to me:
1) the rule iptables -A FORWARD -p ALL -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT is missing;
2) you need to add routes on the servers; for example, on the 2nd server you need to add the route route add -host 192.168.0.254 gw 10.8.0.1 (I didn't check the syntax, but the general idea is this), or just a route for the entire subnet 192.168.0.0/24;
3) after the ping from the servers to the far subnet works, you may need to add routes on the client machines.
You need to read the documentation on the OpenVPN site, or man openvpn, for the --iroute option; you can also read about --client-config-dir. That is, you need both a route and an iroute directive. In short, from the manual:
The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.
At a cursory glance, client-to-client is missing from the server config, so the subnets behind the clients are not visible to each other.
In general, your scenario is described in sufficient detail here.
1. What exactly is missing?
2. All the routes are there:
192.168.0.1# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         217.70.27.145   0.0.0.0         UG    3      0        0 eth1
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.1     10.8.0.1        255.255.255.255 UGH   0      0        0 tap0
217.70.27.144   0.0.0.0         255.255.255.240 U     3      0        0 eth1
192.168.1.1# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
?               ?               ?               U     0      0        0 eth1
10.43.148.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     10.8.0.1        255.255.255.0   UG    0      0        ? ?
?               0.0.0.0         255.255.0.0     U     1002   0        ? ?
?               0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         10.43.148.1     0.0.0.0         UG    0      0        0 eth0
(fields marked ? were lost when the output was pasted)
You need to enable the ccd function on the server that acts as the OpenVPN server. Create a configuration file for the client key of the second server (the file name is the key name without extension). In that file, push "route zzzz" for the subnet the client should communicate with.
route in the server configuration file means the client will know where to send the packet, and via ccd in the client configuration file the server will know where to send the response.
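To make the two-route rule (route in the server config plus iroute in the client's ccd file) and the two-direction FORWARD rule checkable, here is an added example, not from any of the replies above: a small Python checker run over the configuration as posted and over a corrected version. It assumes the second server's certificate CN is "server2" and that the ccd directory is /etc/openvpn/ccd; both are constructed values.

```python
import re
from ipaddress import ip_network

# Server #1 config as posted in the question (constructed excerpt): it announces
# the server LAN to clients, but nothing tells the server where 192.168.1.0/24 is.
BROKEN_SERVER_CONF = """
route 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route-gateway 10.8.0.1"
"""
BROKEN_CCD = {}  # no client-config-dir files at all
BROKEN_FORWARD = ["iptables -A FORWARD -p ALL -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT"]

# Corrected version: route (kernel -> OpenVPN) + iroute in the client's ccd file
# (OpenVPN -> that client) + FORWARD rules in both directions.
FIXED_SERVER_CONF = BROKEN_SERVER_CONF + """
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
"""
FIXED_CCD = {"server2": "iroute 192.168.1.0 255.255.255.0\n"}  # file named after the cert CN (assumed)
FIXED_FORWARD = BROKEN_FORWARD + [
    "iptables -A FORWARD -p ALL -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT"]

def _nets(text, directive):
    """Collect 'directive NET MASK' lines (not push "..." lines) as networks."""
    pat = re.compile(rf"^\s*{directive}\s+(\S+)\s+(\S+)", re.M)
    return {ip_network(f"{net}/{mask}") for net, mask in pat.findall(text)}

def check_site_to_site(server_conf, ccd_files, forward_rules, remote_lan, local_lan):
    """Return check-name -> bool for one LAN sitting behind a client."""
    remote, local = ip_network(remote_lan), ip_network(local_lan)
    routes = _nets(server_conf, "route")
    iroutes = set()
    for body in ccd_files.values():
        iroutes |= _nets(body, "iroute")
    fwd = set()
    for rule in forward_rules:
        m = re.search(r"-s (\S+) -d (\S+) -j ACCEPT", rule)
        if m:
            fwd.add((str(ip_network(m.group(1))), str(ip_network(m.group(2)))))
    return {
        "ccd_enabled": "client-config-dir" in server_conf,
        "route_for_remote_lan": remote in routes,
        "iroute_for_remote_lan": remote in iroutes,
        "forward_remote_to_local": (str(remote), str(local)) in fwd,
        "forward_local_to_remote": (str(local), str(remote)) in fwd,
    }
```

Running it on the posted config shows exactly the two gaps the replies point at: the only check that passes is the single FORWARD rule, while both route and iroute for 192.168.1.0/24 and the return-direction FORWARD rule are missing.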