openvpn
admin4eg, 2014-11-19 10:16:47

OpenVPN routing: why doesn't the server see the internal addresses behind the client?

There is an OpenVPN server far out on the Internet; a client connects to it, and behind the client there is a network (192.168.100.0/255.255.255.0) that gets its Internet access through this OpenVPN server.
But why can't I ping the network 192.168.100.0 from the server? For example, the OpenVPN client has the internal address 192.168.100.192.
# cat server.conf

port 1194 # port
proto udp # protocol
dev tun   # name of the virtual device
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh1024.pem
server 10.10.10.0 255.255.255.0 # vpn subnet
ifconfig-pool-persist ipp.txt # client IP addresses are stored here
#push "route 192.168.100.0 255.255.255.0" # home
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 4
mute 20
client-to-client
client-config-dir /etc/openvpn/ccd # per-branch settings go here
route 192.168.100.0 255.255.255.0 # route from the server to branch 1

# cat ccd/client1
iroute 192.168.100.0 255.255.255.0
I edited the routing a little, but it looks like this:
# ip ro
default via 91.230.211.129 dev eth0
10.10.10.0/24 via 10.10.10.2 dev tun0
10.10.10.2 dev tun0  proto kernel  scope link  src 10.10.10.1
91.230.211.128/25 dev eth0  proto kernel  scope link  src 91.230.211.155
192.168.100.0/24 dev tun0  scope link

Next, the client.
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:15:e9:42:12:e7
          inet addr:192.168.100.192  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::215:e9ff:fe42:12e7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9529433 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14498216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1069870112 (1.0 GB)  TX bytes:4244836235 (4.2 GB)
          Interrupt:17 Base address:0xc00

eth1      Link encap:Ethernet  HWaddr 00:15:e9:4a:aa:ae
          inet addr:195.209.96.36  Bcast:195.209.96.63  Mask:255.255.255.192
          inet6 addr: fe80::215:e9ff:fe4a:aaae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14219418 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9328431 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4058530661 (4.0 GB)  TX bytes:1339978921 (1.3 GB)
          Interrupt:21

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:31009 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31009 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10254502 (10.2 MB)  TX bytes:10254502 (10.2 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.6  P-t-P:10.10.10.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3334189 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3852969 errors:0 dropped:8986 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:437725017 (437.7 MB)  TX bytes:557979603 (557.9 MB)

# cat /etc/openvpn/client.conf
remote 91.211.211.155 1194
client
dev tun
proto udp
resolv-retry infinite # this is necessary for DynDNS
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/proxy.crt
key /etc/openvpn/proxy.key
comp-lzo
verb 4
mute 20
redirect-gateway
verb 4

# ip ro
10.10.10.5 dev tun0  proto kernel  scope link  src 10.10.10.6
91.211.211.155 via 195.209.96.1 dev eth1
195.209.96.0/26 dev eth1  proto kernel  scope link  src 195.209.96.36
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.192
10.10.10.0/24 via 10.10.10.5 dev tun0
default via 10.10.10.5 dev tun0

iptables on the server:
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -j MASQUERADE

On the client:
-A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE
However, as I understand it, if another network 192.168.X.0 connects behind a second client, then these networks see each other.
One organization of mine actually works this way; I wrote an article about it a long time ago: habrahabr.ru/post/100932
But I don't understand how to teach the server to see those who are behind the client :(

2 answers
Vladimir, 2014-11-19
@rostel

Allow forwarding.

Power, 2014-11-19
@Power

Do you have only one client? Because if there is more than one, how is the server supposed to know which tunnel to send traffic for 192.168.100.0/24 into?
For now, I think the problem is that on the server you set the route for 192.168.100.0/24 directly through the tunnel, but it needs to go through a gateway, a role the client should perform, i.e. on the server there should be something like
And on the client, accordingly, allow forwarding and set up masquerading.
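As an added example (not code from the thread), a small POSIX shell audit of the two points the answers above raise: forwarding must be enabled, and the server needs a way to know which client tunnel owns 192.168.100.0/24. It checks that every `route` in server.conf has a matching `iroute` in the client-config-dir, which is how OpenVPN in server mode maps a network to a client, and reports the ip_forward state. The file paths and the sample configuration are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the server side of the setup above.
# Every kernel `route NET MASK` in server.conf needs a matching `iroute` in a
# client-config-dir file, otherwise the kernel hands packets to tun0 and the
# OpenVPN daemon, not knowing which client tunnel owns them, drops them.
# Paths are hypothetical; the sample config is constructed inline.
# Print "OK NET MASK" or "MISSING NET MASK" for each route directive in CONF.
audit_iroutes() {
  conf=$1; ccd=$2
  sed 's/#.*//' "$conf" | awk '$1 == "route" && NF >= 3 { print $2, $3 }' |
  while read -r net mask; do
    n=$(printf '%s' "$net" | sed 's/\./\\./g')   # dots must match literally
    m=$(printf '%s' "$mask" | sed 's/\./\\./g')
    # -s keeps grep quiet when the ccd directory is empty (glob stays literal)
    if grep -qs "^iroute[[:space:]][[:space:]]*$n[[:space:]][[:space:]]*$m" "$ccd"/*; then
      echo "OK $net $mask"
    else
      echo "MISSING $net $mask"
    fi
  done
}
# True when IPv4 forwarding is on; FILE defaults to the live sysctl value.
forwarding_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ "$(cat "$f" 2>/dev/null)" = 1 ]
}
# Constructed sample: the thread's route plus a second branch nobody claims.
make_sample() {
  d=$(mktemp -d)
  mkdir "$d/ccd"
  cat > "$d/server.conf" <<'EOF'
server 10.10.10.0 255.255.255.0
client-config-dir ccd
#push "route 192.168.100.0 255.255.255.0" # pushed to clients, not a kernel route
route 192.168.100.0 255.255.255.0 # branch 1
route 192.168.200.0 255.255.255.0 # branch 2, no ccd file yet
EOF
  # the ccd file name must equal the Common Name of that client's certificate
  echo 'iroute 192.168.100.0 255.255.255.0' > "$d/ccd/client1"
  echo "$d"
}
main() {
  d=$(make_sample)
  audit_iroutes "$d/server.conf" "$d/ccd"
  forwarding_enabled && echo "ip_forward=1" || echo "ip_forward=0"
  rm -rf "$d"
}
main
```

Run it on the real files with `audit_iroutes /etc/openvpn/server.conf /etc/openvpn/ccd`; a MISSING line means the server kernel has a route that no client tunnel claims.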
