[SOLVED] OpenVPN - client get IP from servers DHCP
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If you want the clients to be seen with the VPN server's IP when browsing the net, you have to use the redirect-gateway option, and configure NAT on the VPN server for the VPN clients - in a similar way to how you have configured your existing devices in the local protected LAN. It is as if you are attaching a new LAN subnet on a new interface.
If you want the clients to be seen with the VPN server's IP when browsing the net, you have to use the redirect-gateway option, and configure NAT on the VPN server for the VPN clients - in a similar way to how you have configured your existing devices in the local protected LAN. It is as if you are attaching a new LAN subnet on a new interface.
I have zero experience on configuring NAT on the VPN server.
The NAT router (and DSL box) handles all of this. The VPN server is behind the NAT. The Router also works as th DHCP server, and distributes the IP:s to the LAN clients.
To get that to work, will I have to edit the 'interfaces' file? 'Redirect' traffic from tun0 to eth0? Everytime I've messed with the 'interfaces' file, I ended up with no internet connection on the server
The NAT router can't do anything with the VPN traffic, because it is encapsulated and encrypted in the tunnel.
You would need to add to the iptables config on the VPN router, because that is where the VPN tunnel terminates.
The below is in iptables-restore format:
This will look at traffic as it is about to leave the VPN server and if it has a source IP in the 10.8.0.0/24 subnet, will replace it with 192.168.10.53 and change the source port to something unique.
P.S.
If you are the admin of that server, you should look into iptables, and enable some iptables rules to provide a host based firewall for the VPN server.
There is still one weird problem. The Samba server has multiple shares, and on the client machine I've made all but one "available offline". When I connect to the share through OpenVPN, I can connect to the share that is not available offline. None of the shares made available offline works...
Is there some sort of connection limit somewhere that I'm missing? Either in OpenVPN or Samba. Since all the shares works when connected to within the servers LAN, I'm leaning towards a limitation somewhere else.
Making the share available offline means that the client will download a local copy of the shared drive. Over a VPN this could be causing excessive load and slow operation, depending on the size of the shares. I'm not sure, but would guess that this is either slow operation which is interpreted as lack of operation or the software is being clever and preventing slow operation by using the shares in offline mode. Check Samba logs?
The point would be to make the shares available offline when connected to the local LAN - Everything will be downloaded to the client. When using the shares when offline, the files would still be available. And when connecting through OpenVPN the bandwidth usage should be smaller, as only the changed files would have to be downloaded (as most are already available as the offline copies). But this might be an issue with the the way Windows checks for the connection speed, and not a problem in the OpenVPN/Samba settings.
The main culprit seems to be the VPN clients "Make available offline" option. When connected to the samba shares through OpenVPN, the client assumes the share that are made available offline are offline. The one share that is NOT made available offline works fine. The shares that are made available offline must be forced to update the folders (right click on the network drive -> Sync -> Sync selected offline files).
OpenVPN server.conf:
Code:
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
;dev tun
dev tun0
;dev-node MyTap
ca ca.crt
cert [censored].crt
key [censored].key # This file should be kept secret
dh dh2048.pem
;server 172.31.255.100 255.255.255.254
server 10.8.0.0 255.255.255.0
;server 192.168.10.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 192.168.10.1"
;push "dhcp-option DNS 208.67.220.220"
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
log-append openvpn.log
verb 6
;mute 20
OpenVPN client config (client.ovpn located in C:\Program Files\OpenVPN\config\):
Code:
client
dev tun0
proto udp
remote [ip.of.the.server] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert [nameofclientcertificatefile].crt
key [nameofclientkeyfile].key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
Samba config file (smb.conf):
Code:
[global]
workgroup = [WORKGROUP - Edit to suit needs - Leave out [ and ] symbols]
netbios name = [SERVERNAME - Leave out [ and ] symbols]
server string = [Server description - Leave out [ and ] symbols]
dns proxy = no
log file = /var/log/samba/log.%m.%I
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[homes]
comment = Home Directories
browseable = yes
hide dot files = yes
hide unreadable = yes
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[CustomShare]
comment = CustomShare
path = /srv/samba/CustomShare
browseable = no
guest ok = no
read only = no
create mask = 0770
directory mask = 0770
directory security mask = 0770
force create mode = 0770
force directory mode = 0770
force group = smb_CustomShare
hide dot files = yes
hide unreadable = yes
valid users = @smb_CustomShare
write list = @smb_CustomShare
These settings seem to work on my setup. Pinging "192.168.10.53" (in my case this is the VPN/Samba servers ip on the LAN) finds the server.
Using:
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 19.168.10.1"
It seems like a little explanation is due here.
server defines the network that the client computers will be in
push "route ..." gives you a route into the remote (office) LAN.
push "redirect-gateway" routes ALL traffic through the VPN that is not on the client's local LAN - I don't think you want that.
push "dhcp-option dns ..." tells the client computer to ONLY use the remote (office) dns server. If the office dns server does not forward unknown requests to an outside (internet) dns server, then you will ONLY have access to the remote LAN addresses. If you do not need access to remote LAN name services you should drop that line.
To summarize, judging by the previous conversation, of the 4 lines you posted, you only need the first two.
*EDIT* I also just noticed that you had typed 19.168 instead of 192.168 in the dns line above.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
