linux
Evgeny Ilin, 2013-08-25 14:14:52

OpenVPN client and server on the same machine for other OpenVPN clients

Task description:
An OpenVPN server and an OpenVPN client are both running on the same machine.
The client, with the address 10.6.6.12, can see the corporate network and its subnets (the routing table is attached).
Any other client (of the server itself, that is) needs to see the same subnets.

Data:

eth0 Link encap:Ethernet HWaddr 00:1c:14:01:2f:84
inet addr: 111.111.111.100 Bcast:111.111.111.101 Mask:255.255.255.240
inet6 addr: fe80::21c:14ff:fe01:2f84/64 Scope: Link

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1

tap0 Link encap:Ethernet HWaddr 76:e9:2e:da:18:3c
inet addr:10.6.6.12 Bcast:10.6.6.255 Mask:255.255.255.0
inet6 addr: fe80::74e9:2eff:feda:183c/64 Scope:Link

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255

10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
111.111.111.96/28 via 111.111.111.97 dev eth0
111.111.111.96/28 dev eth0 proto kernel scope link src 111.111.111.100
10.155.10
192.168.22.0/24 via 10.6.6.1 dev tap0
192.168.21.0/24 via 10.6.6.1 dev tap0
10.6.6.0/24 dev tap0 proto kernel scope link src 10.6.6.12
10.8.0.0/24 via 10.8.0.2 dev tun0
68.33.0/24 via 10.6.6.1 dev tap0
default via 78.46.203.97 dev eth0

Server config (only the relevant lines are shown):
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.6.6.0 255.255.255.0"
client-to-client


Problem:
When an iOS client (iPad) connects, the subnets behind the tap0 interface (21.0/24, 10.0/24) are not visible.
The interface itself (10.6.6.12) is visible.

As far as I understand, I have to tell the client something like
ip route add 192.168.21.0/24 via 10.6.6.1 dev tap0

but I don't understand how to do this from the config, and it is impossible to do it on the iPad itself.
I tried this:
push "route 192.168.21.0 255.255.255.0"
push "route-gateway 10.6.6.1"

but it had no effect.

What options can be used?
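As an added illustration (not code from the thread), the following script compares the routing table and server config quoted above and lists the push "route ..." lines the server is still missing for every subnet reachable through tap0. The sample inputs are constructed from the question's own data; pushing these routes only fixes the client side, the server must still forward and NAT/route the return traffic as the answers discuss.

```python
import ipaddress
import re

# Constructed sample, trimmed from the routing table shown in the question.
IP_ROUTE = """\
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.22.0/24 via 10.6.6.1 dev tap0
192.168.21.0/24 via 10.6.6.1 dev tap0
10.6.6.0/24 dev tap0 proto kernel scope link src 10.6.6.12
10.8.0.0/24 via 10.8.0.2 dev tun0
default via 78.46.203.97 dev eth0
"""

# Constructed sample: the server config from the question.
SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.6.6.0 255.255.255.0"
client-to-client
"""

def routes_via(ip_route_text, dev):
    """Networks reachable through interface `dev` ('default' is skipped)."""
    nets = []
    for line in ip_route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        if "dev" in fields and fields[fields.index("dev") + 1] == dev:
            nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets

def pushed_routes(conf_text):
    """Networks the server already pushes as push "route NET MASK"."""
    pat = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')
    found = set()
    for line in conf_text.splitlines():
        m = pat.match(line.strip())
        if m:  # ipaddress accepts the NET/MASK dotted form directly
            found.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return found

def missing_push_lines(ip_route_text, conf_text, dev="tap0"):
    """push lines still needed so clients send `dev` subnets into the tunnel."""
    have = pushed_routes(conf_text)
    return [f'push "route {n.network_address} {n.netmask}"'
            for n in routes_via(ip_route_text, dev) if n not in have]

if __name__ == "__main__":
    print("\n".join(missing_push_lines(IP_ROUTE, SERVER_CONF)))
```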

Evgeny Ilin, 2013-08-26
@geirby

Solution:
vim /etc/rc.local

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o tap0 -j MASQUERADE

/etc/rc.local restart

Anastasia_K, 2013-08-25
@Anastasia_K

push "route 192.168.21.0 255.255.255.0 10.6.6.12"

Denis Zaitsev, 2013-08-26
@ZayDen

Your problem is most likely not in your server and not even in the iOS client. The problem is that the corporate network and its subnets do not know anything about the 10.8.0.0/24 network. Routes must be registered on the gateways of those networks (21.0/24, 10.0/24).
Check with tcpdump on all devices which direction the packets go. I can assume that on the VPN server (10.6.6.1) you need to add: route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.6.6.12, or even further along:
iOS (10.8.0.2) --> VPN server (10.8.0.1) --> VPN client (10.6.6.12) --> VPN server (10.6.6.1) --> GATEWAY (192.168.21.1) --> PC (192.168.21.134) --> GATEWAY (192.168.21.1) --> Internet
Try googling: www.google.ru/#fp=64f00f11532cad7b&newwindow=1&q=iproute2+quagga+zebra+bgpd
