Old 04-14-2009, 06:58 PM   #1
Robsco
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Rep: Reputation: 0
OpenVPN routing (via one VPN to another)


Hi all,

Hopefully someone can help with the issue I'm having.

I have a Fedora server at home, which is connected to the internet and two OpenVPNs, one to my own Dedicated Server (CentOS, 10.10.0.1), and one to my office, no doubt CentOS too.

Home Server
eth0: internet
eth1: 192.168.0.1
tun0: 10.57.69.62 (work vpn)
tun1: 10.10.0.6 (my vpn)

Dedicated Server
eth0: internet
tun0: 10.10.0.1 (my vpn)

From any machines at home (on 192.168.0.0), I can access machines behind the work VPN since 192.168.0.1 is the default gateway, and the traffic goes right through with no issues.

However, I want to be able to access machines behind my work VPN by connecting to my own VPN (for when I'm away from home).

One 'work' network for example is on 10.64.0.0.

For example, on my Fedora laptop (10.10.0.30), I can't set up a route for 10.64.0.0 to use gw 10.10.0.6...

$ route add -net 10.64.0.0 netmask 255.255.255.0 gw 10.10.0.6
SIOCADDRT: Network is unreachable

So instead I've tried routing traffic to my Dedicated Server via 10.10.0.29 (the P-t-P for my laptop's VPN), which at least works with the route command.

I can see the packets getting to my Dedicated Server (with tcpdump), but then once they reach there, I still can't route them back down my own VPN to the 10.10.0.6 client. The same issue as above crops up when trying to use a VPN client as the gateway.

Both servers (the Dedicated and my home one) have ip_forward set.

This is really bugging me now, do I need some iptables rules set on the Dedicated Server since the route command won't accept a VPN client as the gateway?

Thanks,

Rob
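
The `SIOCADDRT: Network is unreachable` error from the post above, modelled as an added example (not part of the original thread): the kernel accepts a `gw` only if that address is a directly connected neighbour on one of the host's own interfaces. The interface tables are constructed; the /30 per tunnel is an assumption (OpenVPN's net30 layout, consistent with the laptop at 10.10.0.30 having P-t-P peer 10.10.0.29), and all function names are hypothetical.

```python
import ipaddress

# Constructed interface models. Addresses come from the thread; the /30 per
# tunnel is an assumption (OpenVPN's "net30" layout, consistent with the
# laptop being 10.10.0.30 with point-to-point peer 10.10.0.29).
LAPTOP = {"tun0": ipaddress.ip_interface("10.10.0.30/30")}
DEDICATED = {"tun0": ipaddress.ip_interface("10.10.0.1/30")}


def onlink_device(gateway, links):
    """Return the interface whose connected subnet contains the gateway."""
    gw = ipaddress.ip_address(gateway)
    for dev, iface in links.items():
        if gw in iface.network and gw != iface.ip:
            return dev
    return None


def route_add(dest, netmask, gateway, links):
    """Model the check behind `route add -net DEST netmask MASK gw GATEWAY`."""
    net = ipaddress.ip_network(f"{dest}/{netmask}")  # rejects host bits set
    dev = onlink_device(gateway, links)
    if dev is None:
        # The gateway is not a directly connected neighbour of this host.
        raise OSError("SIOCADDRT: Network is unreachable")
    return {"net": net, "gw": gateway, "dev": dev}


def peers(links):
    """List the addresses that are valid next hops on each interface."""
    return {dev: [str(h) for h in i.network.hosts() if h != i.ip]
            for dev, i in links.items()}


def try_route(gateway, links):
    """Attempt the thread's 10.64.0.0/24 route and report the outcome."""
    try:
        r = route_add("10.64.0.0", "255.255.255.0", gateway, links)
        return f"ok via {r['dev']}"
    except OSError as exc:
        return str(exc)


if __name__ == "__main__":
    print("laptop    gw 10.10.0.6 :", try_route("10.10.0.6", LAPTOP))
    print("laptop    gw 10.10.0.29:", try_route("10.10.0.29", LAPTOP))
    print("dedicated gw 10.10.0.6 :", try_route("10.10.0.6", DEDICATED))
    print("valid next hops:", peers(LAPTOP), peers(DEDICATED))
```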
 
Old 04-16-2009, 07:14 AM   #2
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Rep: Reputation: 16
You need to adjust firewall rules on the work side to allow packets from the foreign VPN networks.

Also, just try playing with your route command more. It's terrible in Linux. In Windows it works no problem. I've lost hours trying to get the route command to work (and never did - same error as yours).

What you could do is enable masquerade (NATting) on the OpenVPN interface (tun1 -----NAT----> tun0). That would *work* (i.e. let you access basic web, email and CIFS stuff) but wouldn't be proper routing as packets will appear to come from your home server's IP. So there's no going back (which may be fine..).

ANOTHER idea is to change your "my vpn" to an OpenVPN bridge (dev tap0). That would fix all your problems as it would appear as if you were sitting at home (with a home 192.168.0.x IP). That would work perfectly (which is actually what I did to fix the issues).

Last edited by jonnytabpni; 04-16-2009 at 07:25 AM.
 
Old 04-16-2009, 07:28 AM   #3
Robsco
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks, I thought it'd be down to some NAT'ing required, but didn't seem to manage it.

Couldn't I just set up the same NAT'ing for any return traffic?

Also, by "return traffic" are we talking about replies from the end point, or new requests coming from my work network trying to reach my laptop - if so, I'm not bothered about that.

For the bridging stuff (new to me), which machine would need to be changed? Just my dedicated server ovpn interface? Or all the clients?

Thanks again,

Rob
 
Old 04-16-2009, 01:49 PM   #4
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Rep: Reputation: 16
Quote:
Also, by "return traffic" are we talking about replies from the end point, or new requests coming from my work network trying to reach my laptop - if so, I'm not bothered about that.
It would be new requests. Replies from the end point would be fine. (Just think how a normal NAT router in a house works.)

Quote:
For the bridging stuff (new to me), which machine would need to be changed? Just my dedicated server ovpn interface? Or all the clients?
Both the clients and the server on "MY VPN" would need their config files changed. It's fairly simple - just change from dev tun to dev tap. Change from "server" to "server-bridge". You will also need to set up bridging interfaces on the server (if it is a Linux server, it is really simple). Go to: http://openvpn.net/index.php/documen...-bridging.html for an excellent howto. I would strongly suggest you go down the bridging route rather than the routed/NAT. Provided you don't have any security implications regarding having remote clients directly on your LAN (the word "bridging" essentially means that any broadcast traffic is "copied" to the remote clients), this would be SO much simpler than figuring out the routed mode.

HTH

Cheers,

Jonny

Last edited by jonnytabpni; 04-16-2009 at 01:50 PM.
 
Old 04-17-2009, 05:03 AM   #5
Robsco
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Excellent, thanks very much for this, all greatly appreciated!

I'll give it a whirl over the weekend.

Rob
 
Old 04-17-2009, 09:45 AM   #6
Robsco
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Original Poster
Rep: Reputation: 0
On second thoughts, I don't see how this would work by setting up the bridge on my dedicated server since it doesn't have a LAN IP...

eth0 <public IP>
eth0:0 <public IP>
lo 127.0.0.1
tun0: 10.10.0.1 (current tap vpn)

I obviously can't bridge the VPN to my public IP.
 
Old 04-18-2009, 03:16 AM   #7
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Rep: Reputation: 16
Then make the OpenVPN server on your "Home Server". It doesn't really matter which way round it is.
 
  

