openvpn
Vasily Shakhunov, 2021-02-20 13:40:59

OpenVPN routing in Yandex.Cloud?

I'm trying to set up routing through a VPN gateway to three Yandex.Cloud subnets. So far only ping from the remote machine to 10.128.0.26 works; when I try to curl 10.128.0.26:9000 from the remote machine, the command hangs and cannot resolve the host.
From the VPN server (10.129.0.24), curl to 10.128.0.26:9000 works. Moreover, curl from the VPN server to the remote machine 10.9.0.6 also works.
Network diagram
openvpn config

# Ansible managed

port 8500
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
tls-auth /etc/openvpn/keys/ta.key 0
tls-server
auth SHA256
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "dhcp-option DNS 10.129.0.2"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "route 10.128.0.0 255.255.255.0"
push "route 10.129.0.0 255.255.255.0"
push "route 10.130.0.0 255.255.255.0"
keepalive 5 30
compress lz4-v2
persist-key
persist-tun
user nobody
group nogroup


status status-openvpn_udp_8500.log
status-version 1
log-append /var/log/openvpn.log
verb 3

Routes on the remote machine
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.0.1        10.9.0.5        255.255.255.255 UGH   0      0        0 tun0
10.9.0.4        0.0.0.0         255.255.255.252 U     0      0        0 tun0
10.128.0.0      10.9.0.5        255.255.255.0   UG    0      0        0 tun0
10.129.0.0      10.9.0.5        255.255.255.0   UG    0      0        0 tun0
10.130.0.0      10.9.0.5        255.255.255.0   UG    0      0        0 tun0

What am I missing?)

3 answers
Vasily Shakhunov, 2021-02-25
@inf

The problem turned out to be broken OpenVPN compression. In fact it must be disabled anyway: https://community.openvpn.net/openvpn/wiki/VORACLE
It also doesn't hurt to set up static routes between the VPN network and the Yandex network: https://cloud.yandex.ru/docs/vpc/concepts/static-routes

ky0, 2021-02-20
@ky0

Routing, masquerading and packet forwarding on the VPN server are the classic set. Take tcpdump and see what goes where, and what doesn't.

Dmitry, 2021-02-20
@Tabletko

push "dhcp-option DNS 10.129.0.2"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"

What you are missing is that a DNS request can go to any of these DNS servers.
Also, it's not clear how traffic flows in the opposite direction (NAT, or do the VMs have reverse routes?).
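The two points the answers raise, compression left on (VORACLE) and a mix of private and public resolvers being pushed, can both be caught before the config is deployed. The checker below is an added example, not code from the thread or from the OpenVPN project; the sample input is the relevant excerpt of the server config quoted in the question, and the function names and messages are my own.

```python
"""Lint an OpenVPN server config for compression (VORACLE) and for pushed DNS servers
that sit outside every pushed route, i.e. cannot resolve the cloud's private names."""
import ipaddress
import shlex

# Sample input: the relevant lines of the server config quoted in the question above.
SAMPLE_CONFIG = """# Ansible managed
compress lz4-v2
push "dhcp-option DNS 10.129.0.2"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "route 10.128.0.0 255.255.255.0"
push "route 10.129.0.0 255.255.255.0"
push "route 10.130.0.0 255.255.255.0"
"""

def parse_directives(text):
    """Return [(directive, args)]; a push "..." payload is split into its own words."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or line.startswith(";"):         # ';' is OpenVPN's other comment char
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) > 1:    # push "dhcp-option DNS x" -> push dhcp-option DNS x
            parts = ["push"] + shlex.split(parts[1])
        directives.append((parts[0], parts[1:]))
    return directives

def lint(text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    directives = parse_directives(text)
    findings = []
    for name, args in directives:
        # 'compress stub'/'stub-v2' only keep the framing; any other algorithm really compresses.
        if name == "compress" and args and args[0] not in ("stub", "stub-v2"):
            findings.append(f"compression enabled ({name} {args[0]}): remove it, see VORACLE")
        elif name == "comp-lzo" and args != ["no"]:
            findings.append("compression enabled (comp-lzo): remove it, see VORACLE")
    pushed = [args for name, args in directives if name == "push"]
    routes = [ipaddress.ip_network(f"{a[1]}/{a[2]}", strict=False)
              for a in pushed if len(a) >= 3 and a[0] == "route"]
    dns = [ipaddress.ip_address(a[2]) for a in pushed if a[:2] == ["dhcp-option", "DNS"]]
    outside = [str(ip) for ip in dns if not any(ip in net for net in routes)]
    # A resolver reachable only outside the tunnel is public; mixing it with an internal one
    # means a client may send lookups for private names to whichever server it picks first.
    if outside and len(outside) < len(dns):
        findings.append("mixed DNS: private names may be looked up on " + ", ".join(outside))
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports the `compress lz4-v2` line and the two public resolvers; a config that pushes only the 10.129.0.2 resolver and no compression directive comes back clean.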
