openvpn
juffinhalli, 2013-09-29 16:21:15

Tunnel Routing in OpenVPN

Good afternoon!

I am studying OpenVPN, I plan to use it in production.

Given:
2 computers running pure console Ubuntu 12.04 LTS
Both are on the same network 192.168.11.xx and configured via DHCP. The gateway is 192.168.11.1. Both have internet access through a gateway.

Task:
The second computer must access the Internet using the first one.

Actions:
Used this manual

First computer (openvpn server):

ovpn_server.conf
daemon
port 777
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
client-to-client
persist-tun
persist-key
comp-lzo
log-append /var/log/openvpn.log
script-security 2 system
# "system" runs the up/down commands through a shell; the trailing "#" discards
# the interface arguments OpenVPN appends to the command line
up "echo 1 > /proc/sys/net/ipv4/conf/all/forwarding && iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE #"
down "iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j MASQUERADE #"
ca ca.crt # CA certificate (certification authority)
cert server.crt # Server certificate signed by the CA
key server.key # Server encryption key
dh dh1024.pem # File with Diffie-Hellman parameters
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo"
push "redirect-gateway"

ifconfig -a
eth0 Link encap:Ethernet HWaddr 08:00:27:8a:20:eb
inet addr:192.168.11.134 Bcast:192.168.11.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe8a:20eb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18046 errors:0 dropped:0 overruns:0 frame:0
TX packets:10783 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10047273 (10.0 MB) TX bytes:1916605 (1.9 MB)

lo Link encap: Локальная петля (Loopback)
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

route -n before starting the VPN server
Таблица маршутизации ядра протокола IP
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.11.1 0.0.0.0 UG 100 0 0 eth0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

route -n after starting the VPN server
Таблица маршутизации ядра протокола IP
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.11.1 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Second computer (openvpn client):
ovpn_client.conf
client
remote 192.168.11.134 777
dev tun
proto tcp
persist-key
persist-tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
script-security 2 system
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
log /var/log/openvpn.log
verb 4

ifconfig -a
eth0 Link encap:Ethernet HWaddr 08:00:27:25:36:1e
inet addr:192.168.11.126 Bcast:192.168.11.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe25:361e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5500 errors:0 dropped:0 overruns:0 frame:0
TX packets:4789 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:564063 (564.0 KB) TX bytes:619753 (619.7 KB)

lo Link encap: Локальная петля (Loopback)
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

route -n after starting the VPN server
Таблица маршутизации ядра протокола IP
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.11.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

route -n after starting VPN server with redirect-gateway
Таблица маршутизации ядра протокола IP
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.5 0.0.0.0 UG 0 0 0 tun0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.11.134 192.168.11.1 255.255.255.255 UGH 0 0 0 eth0

route -n before starting the VPN server
0.0.0.0 192.168.11.1 0.0.0.0 UG 100 0 0 eth0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Results:
Without the redirect-gateway option, the VPN server (10.8.0.1) and the VPN client (10.8.0.6) ping successfully and connections work, but nothing more. Pings do not reach 10.8.0.2 and 10.8.0.5.
With the redirect-gateway option, no connections work. Pings also do not reach 10.8.0.2 and 10.8.0.5.

Please help me set it up, thanks in advance.

PS: Both computers run in virtual machines on the same VirtualBox host. In both VMs the network connection type is "bridge".

Update: The problem was in routing, the default scripts for reconfiguring routes do not provide for the operation of hosts in the same subnet.
The rule did not work because of this:
192.168.11.134 192.168.11.1 255.255.255.255 UGH 0 0 0 eth0
After connecting, the client completely lost connection to the server.
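An added illustration, not part of the original question or answer: a small Python check that parses the client's two "route -n" tables quoted above and flags the /32 route to the VPN server that points at the LAN gateway although the server is directly reachable on the same subnet, which is the hairpin the update describes. OpenVPN's `local` flag (`push "redirect-gateway local def1"`) tells the client to omit exactly that host route when client and server share a subnet; the routing tables are copied from the question, the function names are my own.

```python
import ipaddress

# Routing tables copied from the client's "route -n" output in the question
# (header lines dropped): first without redirect-gateway ...
CLIENT_ROUTES_PLAIN = """\
0.0.0.0 192.168.11.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
"""
# ... then after the pushed redirect-gateway took effect.
CLIENT_ROUTES_REDIRECTED = """\
0.0.0.0 10.8.0.5 0.0.0.0 UG 0 0 0 tun0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.11.134 192.168.11.1 255.255.255.255 UGH 0 0 0 eth0
"""
VPN_SERVER = "192.168.11.134"  # the "remote" address in ovpn_client.conf


def parse_route_n(text):
    """Turn 'route -n' lines into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":  # skip header / stray lines
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[3], f[7]))
    return routes


def hairpin_route(routes, server_ip):
    """Return the /32 route that sends the VPN server through a gateway even
    though the server sits on a directly connected subnet (gateway 0.0.0.0);
    None if routing is sane. Such a route asks the LAN router to bounce the
    packets back onto the same LAN, which is what broke the tunnel above."""
    ip = ipaddress.ip_address(server_ip)
    on_link = any(gw == "0.0.0.0" and net.prefixlen < 32 and ip in net
                  for net, gw, _flags, _iface in routes)
    if not on_link:
        return None
    for net, gw, flags, iface in routes:
        if net.prefixlen == 32 and ip in net and "G" in flags:
            return (str(net), gw, flags, iface)
    return None


if __name__ == "__main__":
    for name, table in (("plain", CLIENT_ROUTES_PLAIN), ("redirected", CLIENT_ROUTES_REDIRECTED)):
        print(name, hairpin_route(parse_route_n(table), VPN_SERVER))
```

Run against a live box, replace the embedded tables with the output of `route -n` and the `remote` address from the client config.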

2 answer(s)
Nikita Melikhov, 2013-09-30
@Sl1mShady

Pings also do not reach 10.8.0.2 and 10.8.0.5

So they shouldn't.
Read this documentation.
