linux
GeorgNegoro, 2018-08-02 00:54:57

What routing rules are required for networks to communicate through OpenVPN?

1. There are remote clients: networks (the office and the branches), subnets 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24.
2. There is a VPS with Ubuntu and an OpenVPN server on it, out on the Internet, since there is no stable Internet connection at the branches, nor at the office.
3. All OpenVPN clients are assigned a static IP.
Task: connect everything into one VPN network using the "one office -> all branches" connection scheme, i.e. you can connect from the office to each branch, but not from branch to branch.
What has been done: the OpenVPN server is up (Ubuntu), the clients (branches, MikroTik) are connected. But nobody can see anybody (ping); only the server itself can reach all the clients.
How to implement this?


1 answer(s)
neol, 2018-08-02

In the openvpn config, add routes to remote networks on the server:

route 192.168.10.0 255.255.255.0 client_ip1
route 192.168.20.0 255.255.255.0 client_ip2
route 192.168.30.0 255.255.255.0 client_ip3

In ccd add routes to remote networks for clients. For example for 192.168.10.0/24:
# iroute tells OpenVPN that this client owns 192.168.10.0/24; the server's kernel route alone is not enough for the server to forward into the right client tunnel
iroute 192.168.10.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"

For the other two it is the same.
Enable traffic routing on the server:
sysctl net.ipv4.ip_forward=1   # takes effect immediately; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to persist across reboots
And in the iptables FORWARD chain, specify which packets are allowed to go where:
iptables -A FORWARD -o tun0 -s 192.168.10.0/24 -j ACCEPT # from the 192.168.10.0/24 network you can connect anywhere
iptables -A FORWARD -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allow packets of already-established connections
iptables -A FORWARD -j REJECT # deny everything else

If I haven't forgotten anything, it should work.
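As an added example (not part of the answer above or of the asker's setup), the script below generates the three pieces the answer describes for the "office -> branches only" policy: the server routes, a ccd file per client with `iroute`, and the FORWARD rules. It assumes the client common names office/branch1/branch2 and the subnets from the question, pushes each branch only the office route (branches are not meant to reach each other), and scopes the iptables rules to VPN-to-VPN traffic with `-i tun0 -o tun0`.

```shell
#!/bin/sh
# Added example, not the original answer's code: build OpenVPN hub config for
# "office may reach every branch, branches may not reach each other".
OFFICE=office                  # assumed common name of the office client
OFFICE_NET=192.168.10.0/24     # subnet allowed to initiate VPN-to-VPN flows
# constructed inventory: "<client common name> <LAN subnet>", one per line
CLIENTS="office 192.168.10.0/24
branch1 192.168.20.0/24
branch2 192.168.30.0/24"
# Convert a prefix length (e.g. 24) to a dotted netmask (255.255.255.0).
cidr_to_mask() {
  prefix=$1 mask= i=0
  while [ "$i" -lt 4 ]; do
    if [ "$prefix" -ge 8 ]; then octet=255; prefix=$((prefix - 8))
    else octet=$(( (255 << (8 - prefix)) & 255 )); prefix=0; fi
    mask="${mask}${mask:+.}${octet}"; i=$((i + 1))
  done
  echo "$mask"
}
# server.conf: kernel route for every client LAN (gateway defaults to the VPN).
server_routes() {
  printf '%s\n' "$CLIENTS" | while read -r name cidr; do
    echo "route ${cidr%/*} $(cidr_to_mask "${cidr#*/}")"
  done
}
# ccd/<cn>: iroute binds the LAN to this client inside OpenVPN (the server's
# route alone is not enough); the office is pushed every branch LAN, a branch
# is pushed only the office LAN, so branches never learn each other's routes.
ccd_file() {
  cn=$1
  printf '%s\n' "$CLIENTS" | while read -r name cidr; do
    net=${cidr%/*}; mask=$(cidr_to_mask "${cidr#*/}")
    if [ "$name" = "$cn" ]; then echo "iroute $net $mask"
    elif [ "$cn" = "$OFFICE" ] || [ "$name" = "$OFFICE" ]; then echo "push \"route $net $mask\""
    fi
  done
}
# Server side: enable forwarding; only the office may open VPN-to-VPN flows,
# replies ride on conntrack state, everything else between tunnels is rejected.
forward_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -o tun0 -s $OFFICE_NET -j ACCEPT
iptables -A FORWARD -i tun0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o tun0 -j REJECT
EOF
}
echo "# server.conf"; server_routes
for cn in office branch1 branch2; do echo "# ccd/$cn"; ccd_file "$cn"; done
echo "# run on the server"; forward_rules
```

Each ccd block goes into /etc/openvpn/ccd/<common name> on the server (with client-config-dir set), and the file names must match the certificate common names of the MikroTik clients.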
