I'm building an OpenVPN network. The idea is that servers which are connected to the VPN get a fixed IP and the clients (which use services of the servers) get DHCP IPs.
- The servers should get an IP in
10.10.0.1 - 10.10.0.254
- The clients should get an IP in
10.10.1.1 - 10.10.255.254
My current setup looks like this:
- OpenVPN server 10.10.0.1
- Application server 10.10.0.20 <- static via ccd
- Client 10.10.1.2 <- DHCP
I achieved that my clients get a DHCP address in the correct range. They are also able to ping the OpenVPN server and vice versa.
I was also able to configure client-specific configs for the servers so they get their static IP, but for some reason they cannot ping the OpenVPN server and I also cannot ping the client from the OpenVPN server.
Can someone help me find what I configured wrong?
OpenVPN configuration files
OpenVPN server config:
port 3194
proto udp
dev tun
mode server
ca server_cert/ca.crt
cert server_cert/ovpn-server.crt
key server_cert/ovpn-server.key # This file should be kept secret
dh server_cert/dh.pem
tls-server
cipher AES-256-CBC
ifconfig 10.10.0.1 255.255.0.0
ifconfig-pool 10.10.1.1 10.10.255.254
route 10.10.0.0 255.255.0.0
push "route-gateway 10.10.0.1 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
duplicate-cn
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 6
explicit-exit-notify 1
My client-specific config for the application servers:
ifconfig-push 10.10.0.20 10.10.0.1
My client.conf (used on the application servers):
client
dev tun
proto udp
port 3194
remote vpn.domain.com 3194
nobind
cipher AES-256-CBC
ca keys/ca.crt
cert /etc/openvpn/keys/ngin-web01.crt
key /etc/openvpn/keys/ngin-web01.key
log-append /var/log/openvpn.log
verb 6
Routes
OpenVPN Server (10.10.0.1):
root@ovpn-srv01:/home/axxmin# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.128.20.1 0.0.0.0 UG 0 0 0 ens18
10.10.0.0 255.255.0.0 255.255.0.0 UG 0 0 0 tun0
10.128.20.0 0.0.0.0 255.255.255.0 U 0 0 0 ens18
255.255.0.0 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
root@ovpn-srv01:/home/axxmin# routel
target gateway source proto scope dev tbl
10.10.0.0/ 16 255.255.0.0 tun0
255.255.0.0 10.10.0.1 kernel link tun0
10.10.0.1 local 10.10.0.1 kernel host tun0 local
default 10.128.20.1 static ens18
10.128.20.0/ 24 10.128.20.6 kernel link ens18
10.128.20.0 broadcast 10.128.20.6 kernel link ens18 local
10.128.20.6 local 10.128.20.6 kernel host ens18 local
10.128.20.255 broadcast 10.128.20.6 kernel link ens18 local
127.0.0.0 broadcast 127.0.0.1 kernel link lo local
127.0.0.0/ 8 local 127.0.0.1 kernel host lo local
127.0.0.1 local 127.0.0.1 kernel host lo local
127.255.255.255 broadcast 127.0.0.1 kernel link lo local
::1 kernel lo
fe80::/ 64 kernel ens18
fe80::/ 64 kernel tun0
::1 local kernel lo local
fe80::1083:7fff:fedd:70c0 local kernel ens18 local
fe80::b24c:97a4:281:de41 local kernel tun0 local
ff00::/ 8 ens18 local
ff00::/ 8 tun0 local
Application server (10.10.0.20):
root@ovpn-srv01:/home/axxmin# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.128.20.1 0.0.0.0 UG 0 0 0 ens18
10.10.0.0 255.255.0.0 255.255.0.0 UG 0 0 0 tun0
10.128.20.0 0.0.0.0 255.255.255.0 U 0 0 0 ens18
255.255.0.0 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
root@ovpn-srv01:/home/axxmin# routel
target gateway source proto scope dev tbl
10.10.0.0/ 16 255.255.0.0 tun0
255.255.0.0 10.10.0.1 kernel link tun0
10.10.0.1 local 10.10.0.1 kernel host tun0 local
default 10.128.20.1 static ens18
10.128.20.0/ 24 10.128.20.6 kernel link ens18
10.128.20.0 broadcast 10.128.20.6 kernel link ens18 local
10.128.20.6 local 10.128.20.6 kernel host ens18 local
10.128.20.255 broadcast 10.128.20.6 kernel link ens18 local
127.0.0.0 broadcast 127.0.0.1 kernel link lo local
127.0.0.0/ 8 local 127.0.0.1 kernel host lo local
127.0.0.1 local 127.0.0.1 kernel host lo local
127.255.255.255 broadcast 127.0.0.1 kernel link lo local
::1 kernel lo
fe80::/ 64 kernel ens18
fe80::/ 64 kernel tun0
::1 local kernel lo local
fe80::1083:7fff:fedd:70c0 local kernel ens18 local
fe80::b24c:97a4:281:de41 local kernel tun0 local
ff00::/ 8 ens18 local
ff00::/ 8 tun0 local
Client (10.10.1.2):
root@client-device:/home/pi# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.128.60.1 0.0.0.0 UG 202 0 0 eth0
10.10.0.0 10.10.1.1 255.255.0.0 UG 0 0 0 tun0
10.10.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.128.60.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
root@client-device:/home/pi# routel
target gateway source proto scope dev tbl
10.10.0.0/ 16 10.10.1.1 tun0
10.10.1.1 10.10.1.2 kernel link tun0
10.10.1.2 local 10.10.1.2 kernel host tun0 local
default 10.128.60.1 10.128.60.33 dhcp eth0
10.128.60.0/ 24 10.128.60.33 dhcp link eth0
10.128.60.0 broadcast 10.128.60.33 kernel link eth0 local
10.128.60.33 local 10.128.60.33 kernel host eth0 local
10.128.60.255 broadcast 10.128.60.33 kernel link eth0 local
127.0.0.0 broadcast 127.0.0.1 kernel link lo local
127.0.0.0/ 8 local 127.0.0.1 kernel host lo local
127.0.0.1 local 127.0.0.1 kernel host lo local
127.255.255.255 broadcast 127.0.0.1 kernel link lo local
::1 kernel lo
fe80::/ 64 kernel eth0
fe80::/ 64 kernel tun0
::1 local kernel lo local
fe80::20d4:6b14:ff16:e230 local kernel tun0 local
fe80::65cf:ce3:fc9f:20fa local kernel eth0 local
ff00::/ 8 eth0 local
ff00::/ 8 tun0 local
Since you didn't specify a topology in the server config file, OpenVPN works in net30 mode, which is the default. In this mode, every client will be assigned an IP from a /30 subnet; the other usable IP in the subnet will be allocated for the p2p address of that tunnel. The parameters of the ifconfig and route commands in this mode are "local-ip peer-ip", and not "local-ip netmask".
In order for your config to work, you need to include the topology line in your server config, so the ifconfig and route commands will be mostly all right. The only exception is the static address allocation for the client, which should be
And you don't need to push the route 10.10.0.0 255.255.0.0 command, since the netmask and the IP in ifconfig-push sets that route already.
Edit / correction: You do need to propagate the route; it happens automatically only if you use the server directive in the config. My bad.
You probably need to change the ifconfig-pool directive as well, for two reasons. First, the 10.10.1.1 address should not be part of the pool, since it is the IP of the VPN server. Second, since you don't use the default /24 netmask, it is probably a good idea to specify that as well: