LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 04-14-2009, 06:58 PM   #1
Robsco
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Rep: Reputation: 0
OpenVPN routing (via one VPN to another)


Hi all,

Hopefully someone can help with the issue I'm having.

I have a Fedora server at home, which is connected to the internet and two OpenVPNs, one to my own Dedicated Server (centos, 10.10.0.1), and one to my office, no doubt centos too.

Home Server
eth0: internet
eth1: 192.168.0.1
tun0: 10.57.69.62 (work vpn)
tun1: 10.10.0.6 (my vpn)

Dedicated Server
eth0: internet
tun0: 10.10.0.1 (my vpn)

From any machines at home (on 192.168.0.0), I can access machines behind the work VPN since 192.168.0.1 is the default gateway, and the traffic goes right through with no issues.

However, I want to be able to access machines behind my work VPN by connecting to my own VPN (for when I'm away from home).

One 'work' network for example is on 10.64.0.0.

For example, on my Fedora laptop (10.10.0.30), I can't setup a route for 10.64.0.0 to use gw 10.10.0.6...

$ route add -net 10.64.0.0 netmask 255.255.255.0 gw 10.10.0.6
SIOCADDRT: Network is unreachable

so instead I've tried routing traffic to my Dedicated Server via 10.10.0.29 (to P-t-P for my laptops VPN), which atleast works with the route command.

I can see the packets getting to my Dedicated Server (with tcpdump), but then once they reach there, I still can't route them back down my own VPN to the 10.10.0.6 client. The same issue as above crops up when trying to use a VPN client as the gateway.

Both servers (the Dedicated and my home one have ip_forward set.

This is really bugging me now, do I need some iptables rules set on the Dedicated Server since the route command won't accept a VPN client as the gateway?

Thanks,

Rob
 
Old 04-16-2009, 07:14 AM   #2
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Rep: Reputation: 16
You need to adjust firewall rules on the work side to allow packets from the foreign VPN networks.

Also, just try playing with your route command more. It's terrible in Linux. In windows it works no problem. I've lost hours trying to get the route command to work (and never did - same error as yours).

What you could do is enable masquerade (Natting) on the openvpn interface (tun1 -----NAT----> tun0). That would *work* (i.e. let you access basic web,email and CIFS stuff) but woudn't be proper routing as packets will apperar to come from your home server's IP. So there's no going back (which may be fine..).

ANOTHER idea, it to change your "my vpn" to an openVPN bridge (dev tap0). That would fix all your problems as it would apperar as if you were sitting at home (with a home 192.168.0.x) IP. That would work perfect (which is actually what I did to fix the issues)

Last edited by jonnytabpni; 04-16-2009 at 07:25 AM.
 
Old 04-16-2009, 07:28 AM   #3
Robsco
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks, I thought it'd be down to some NAT'ing required, but didn't seem to manage it.

Couldn't I just setup the same NAT'ing for any return traffic?

Also, by "return traffic" are we talking about replies from the end point, or new requests coming from my work network trying to reach my laptop - if so, i'm not bothered about that.

For the bridging stuff (new to me), which machine would need to be changed? just my dedicated server ovpn interface? or all the clients?

Thanks again,

Rob
 
Old 04-16-2009, 01:49 PM   #4
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Rep: Reputation: 16
Quote:
Also, by "return traffic" are we talking about replies from the end point, or new requests coming from my work network trying to reach my laptop - if so, i'm not bothered about that.
It would be new requests. Replies from the end point would be fine (Just think how a normal NAT router in a house works)

Quote:
For the bridging stuff (new to me), which machine would need to be changed? just my dedicated server ovpn interface? or all the clients?
Both the clients and the server on "MY VPN" would need their config files changed. It's fairly simple - just change from dev tun to dev tap. Change from "server" to "server-bridge". You will also need to set up bridging interfaces on teh server (If it is a linux server is really simple). Go to: http://openvpn.net/index.php/documen...-bridging.html for an excellent howto. I would strongly suggest you go down the bridging route rather than the routed/NAT. Provided you don't have any security implications regarding having remote clients directly on your LAN (The word "bridging" esentially means than any broadcast traffic is "copied" to the remote clients), this would be SO much simplier than firguring out the routed mode.

HTH

Cheers,

Jonny

Last edited by jonnytabpni; 04-16-2009 at 01:50 PM.
 
Old 04-17-2009, 05:03 AM   #5
Robsco
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Excellent, thanks very much for this, all greatly appreciated!

I'll give it a whirl over the weekend.

Rob
 
Old 04-17-2009, 09:45 AM   #6
Robsco
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Original Poster
Rep: Reputation: 0
On second thoughts, I don't see how this would work by setting up the bridge on my dedicated server since it doesn't have a LAN IP...

eth0 <public IP>
eth0:0 <public IP>
lo 127.0.0.1
tun0: 10.10.0.1 (current tap vpn)

I obviously can't bridge the VPN to my public IP.
 
Old 04-18-2009, 03:16 AM   #7
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Rep: Reputation: 16
then make the openvpn server on your "Home Server". It doesn't really matter which way round it is
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
openvpn routing question watcher69b Linux - Server 3 01-18-2009 11:25 AM
routing using openvpn williebens Linux - Newbie 1 07-11-2008 09:28 PM
OpenVPN and Routing. Eightpock Linux - Networking 2 07-10-2008 06:48 AM
Linux routing with openvpn cn.n Linux - Networking 3 06-08-2008 02:50 PM
OpenVPN Routing problem groetschel Linux - Networking 4 04-28-2004 04:07 AM


All times are GMT -5. The time now is 02:24 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration