I know that this title seems to be "over answered", but really I had no luck while searching...
EDIT: I've updated the diagram and the question, to be more precise
To better explain my situation, here is a little diagram:
I'm trying to have "PC Home" act like "PC Work":
- browsing all sites that should be unavailable from any network other than 10.42.0.x
- SSH to other local clients on the 10.42.x.x network
- use the DNS provided by the work network (for a custom TLD)
In other words, I want PC Home to "become" PC Work.
I know it's possible with 2 clients connected to one OpenVPN intermediary (Client OpenVPN on PC Home -> OpenVPN Server -> Client OpenVPN on PC Work -> Use network from PC Work).
But I have very little knowledge of network infrastructure...
Could somebody explain to me how to do this? (TAP instead of TUN? Maybe a client-to-client connection? Iptables rules to forward?)
Oh, I forgot: I'm working on Linux. PC Home is on Ubuntu 18.04 (but it should work with any OS), the OpenVPN server is on Ubuntu 18.04 too, and PC Work is on Raspbian :)
Thanks!
Some actual configuration files:
Server configuration file:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
In the IPP file I specify the VPN IPs for Client Home and Client Work (10.8.0.10 and 10.8.0.20). IP forwarding is enabled on the server. In /etc/ufw/before.rules on the server, I added these lines:
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
Tell me if I missed any other useful things :)
Thanks!
Normally, for network-to-network connections, OpenVPN creates its own network that connects the nodes (10.8.0.0/MASK).
You will have two OpenVPN machines, one at each end: one server and one client.
These machines will also be connected to the networks at each end; 192.168.0.0/MASK and 10.42.0.0/MASK seem to be your case.
From the two OpenVPN machines you can reach the other end, that is, from 10.8.0.10 you can ping 10.8.0.20.
If so, I think you have to do 3 things to route traffic to the remote networks.
1- Activate IPFORWARD on both servers
2- Add routes on your routers, something like this:
RouterA:
RouterB:
3- You should already have them, but at each end you should also have on the OpenVPN servers a route to get to the other side, something like:
OpenVPN1:
OpenVPN2:
This way you tell your OpenVPN servers which networks to route and how to get to them.
I hope I've helped.
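The routing described in the answer, written out as OpenVPN directives for the server configuration in the question. This is an added example, not part of the original posts. The 255.255.0.0 mask for the work network, the ccd file names pc-work and pc-home (each must match that client certificate's Common Name), the eth0 interface name on PC Work and WORK_DNS_IP are assumptions or placeholders.

```conf
# --- server.conf (additions to the file in the question) ---
# Kernel route on the VPN server: the work LAN is reached through the tunnel.
route 10.42.0.0 255.255.0.0
# Forward client-to-client packets inside OpenVPN. Such packets never reach
# the server's kernel, so ufw/iptables on the server cannot filter them.
# Leave this line out and allow tun0 -> tun0 forwarding in ufw instead
# if traffic between the two clients should pass through the firewall.
client-to-client

# --- ccd/pc-work (assumed name; must equal PC Work's certificate CN) ---
# Internal OpenVPN route: the work LAN sits behind this client.
iroute 10.42.0.0 255.255.0.0

# --- ccd/pc-home (assumed name; must equal PC Home's certificate CN) ---
# Send traffic for the work LAN into the tunnel.
push "route 10.42.0.0 255.255.0.0"
# Hand out the work resolver. WORK_DNS_IP is a placeholder: the page does
# not give the address of the work DNS server.
push "dhcp-option DNS WORK_DNS_IP"

# --- on PC Work (shell commands, run as root; not OpenVPN directives) ---
# Let PC Work forward packets between tun0 and the work LAN:
#   sysctl -w net.ipv4.ip_forward=1
# Give the work LAN a return path to 10.8.0.0/24, one of:
#   a) on the work router, add a route for 10.8.0.0/24 via PC Work's
#      10.42.0.x address
#   b) on PC Work, hide VPN clients behind its LAN address
#      (eth0 is an assumed interface name):
#      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

The server.conf in the question pushes redirect-gateway to every client, so PC Work receives it too; moving that push line into ccd/pc-home limits it to PC Home.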