[SOLVED] OpenVPN - client get IP from servers DHCP
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've been setting up my first Linux server (Ubuntu Server 12.04.4 LTS) in our company to set up a good way to share files.
I've successfully installed the server. I can SSH to it (via Putty), set up Samba Shares (different shares for different groups), and can access these shares as expected (users without permissions can't access defined shares, and can access shares they have rights to).
So far so good.
The problem is, I need for certain users to be able to access these folders from outside the LAN.
I can successfully connect through OpenVPN, but the IP the client gets is not in the same IP range as the LAN.
I have tried for the better part of a week to get OpenVPN to work as I wan't, but to no avail.
The servers IP on the LAN is 192.168.10.53, and I use that IP to connect the clients to the Samba shares.
When I get a successful connection through OpenVPN, the IP range is 10.8.0.X.
To be able to connect through VPN and be able to use the Samba Shares, I really would like for the VPN clients to "belong" to the LAN. Is it possible for the VPN clients to get their IPs from the DHCP server (in my case the Router), so the client would be treated as just another member of the LAN? In this way, external users could just switch on the OpenVPN GUI (for Windows), connect to the server, and use the shares as if they were in the office. Optimally the VPN clients could also use the network printers, but that's not critical (and should be solved once this main issue gets solved).
I've gone through dozens of manuals (Ubuntus server manual, OpenVPN:s manuals and many, many more) and followed them to the dot, but I just can't seem to get this to work. Some changes to the settings have basically destroyed the servers connection to the Internet, and other settings have made the VPN server unreachable.
My problem is that I am a Linux newbie, and many of the manuals seem to rely on a bit more knowledge about Linux than I have.
I am sure there is a solution to this (maybe even on this forum), but I honestly don't know what to search for. Bridging? Pushing something? Routing? Googling OpenVPN gives about 2,2 million results.
I would really appreciate any help! Even a recommendation on what to Google
A simple source nat rule in iptables should do the trick.
-A POSTROUTING -s 10.8.0.0/24 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.53
You can ofcourse tweak that so that only permitted trafffic is translated. This is in iptables-restore format and to be incorported in your firewall rules file.
To have external VPN clients in the same IP range as your LAN you would need to use a layer 2 VPN
I'll try your solution tomorrow when I'm back at the office.
The important thing is to have the VPN clients to understand that 192.168.10.53 points to the Samba server (that is also the VPN server). The local members of the LAN don't have to see the (remote) VPN clients. Optimally the VPN clients should be able to connect to other devices in the servers subnet.
I don't know if the attached image (pro paint skills ) gives a better idea of what I' trying to achieve?
It has to be mentioned that the VPN client will most of the time be connected in the local LAN (not through VPN), and only temporarily needs the VPN tunnel fur access. Therefore the client can't use it's own IP addresses for accessing the LAN resources.
If the VPN server is also the Samba server you don't need NAT, you just need to push a route out to the VPN clients.
On the Debian OpenVPN distribution it looks like this:
To push a specific route:
Code:
push "route 192.168.10.0 255.255.255.0"
To configure the clients to use a specific DNS server:
Code:
push "dhcp-option DNS 192.168.10.X"
To make your VPN server the new default gateway, and redirect all traffic:
Code:
push "redirect-gateway"
If you redirect gateway there is no need to push specific routes. If you want them to access the Internet as usual (so your company doesn't handle all their youtube traffic) then just push a route for the subnet behind the VPN server.
Linux server (with SSH, OpenVPN and Samba) (part of LAN, behind Router)
Address: 192.168.10.53
So, when the vpn client connects through the internet (with a public IP of YYY.YYY.YYY.YYY) to the VPN server and goes to the internet it show the clients public IP as XXX.XXX.XXX.XXX (so it looks like the vpn client is actually connecting to the internet from behind the router).
The clients IP will be in the range 192.168.10.2-192.168.10.254, and is given by the LANs DHCP (a Router, gateway 192.168.10.1).
The VPN clients will most often connect through mobile networks, so the VPN clients IPs will change at almost every new connection.
Here is my /etc/openvpn/server.conf file (only removed comments and censored the key names) - I've commented some of the suggestions I got from this thread - They were activated and openvpn restarted when tested:
Code:
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert [censored].crt
key [censored].key # This file should be kept secret
dh dh2048.pem
;server 172.31.255.100 255.255.255.254
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 192.162.10.1"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
What should I edit here? Will I have to edit the /etc/network/interfaces file as well? I haven't touched that one. Here are the contents of interfaces:
Code:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
I think my biggest problem is that I'm not yet familiar Linux (but I would definitely like to learn)
I've managed to get so far that I can connect to the VPN server, and I can connect to the samba share. Problem is the samba shares through VPN is accessible through \\10.8.0.1\[ShareName], whereas the samba shares are located at \\192.168.10.53\[ShareName] on the local LAN.
The shares are mapped as network drives so for them to be usable no matter how the client is connected, I need for the samba shares to be accessible through the same IP address.
1. uncomment 'push "redirect-gateway"' from your config above
2. restart openvpn - on debian/ubuntu 'service openvpn restart'
3. start a new connection from a remote client
4. Check routing settings on remote client. On windows do 'route print' in a command prompt, on linux do 'ip route show'
Your default route should be pointing to 10.8.0.1
If the above is true you should also be able to ping 192.168.10.53 from a remote client
If the above is successful you have set up your network and your VPN OK.
I would check the client configuration for any settings that may affect routing over the tunnel. A problem at the server side is less likely, but still worth a look - check the logs on your VPN server.
Code:
;log openvpn.log
log-append openvpn.log
verb 9
Enable verbose logging as above, restart, connect and see if something interesting comes up.
Again, I think it is more likely to be an issue with the client. Is it running with admin privileges? Try running it 'as administrator' (right click on the application in start menu -> choose 'Run as administrator')
I feel so stupid not trying the "Run as admin" before. The application I'm using is OpenVPN GUI.
Using:
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 19.168.10.1"
...I can ping the samba server, and can connect one of the mapped network drives (the one that is NOT made available offline). But in this scenario I can't browse the web on the client... I can connect to the internet from the OpenVPN server.
Using only (commenting the above options):
push "redirect-gateway"
...produces same results. I can connect to the server, but not to the internet.
This lets me connect to the server and I still have access to the internet, but on the web I get the Clients IP (and not the servers routers IP). This is already a solution I can work with.
The only thing that's still bugging me, is that only 1 of 7 mapped network drives are online. Is there some limit in OpenVPN that's restricting this? This is not an issue when connecting to the shares within the LAN.
I will mark this as solved, as the main issue got resolved.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.