[SOLVED] OPENVPN multi site help needed

linuxgurusa · 11-26-2014, 09:02 AM

Please, for the love of my sanity, please help.

I have a main server, hosting the openvpn service
I have 15 client sites connecting.

EVERYTHING is working with the vpn.
I can see all other sites on the vpn.
Each site has a Linux server terminating the openvpn connection to the main server, which also acts as the firewall for each site then.

SO, at site 1, if have

Laptop, connected to LAN switch, connected to eth1 on the linux server, and eth0 connected to ADSL router.

Linux server connects VPN, all 100%

Now, problem is

I want to RDP from the Laptop to a server behind the main server network on that internal lan. That is it !!

I can ping from my laptop any device inside the vpn network at any site, but can't make rdp connection to that server/pc. It must be firewall rules no ?

linuxgurusa · 11-26-2014, 09:52 AM

Some more info

If I log into the main (HQ) server that is the main server for the vpn, I am able to open a tcp connection to the site I am trying to connect to ??

telnet 192.168.9.5 3389 works 100% from HQ VPN server to Site1 RDP server
The tunnel is the normal 10.8.0.0/24 range (TUN)

If I do the same command from Site2, no joy as stated

Site2

telnet 192.168.9.5 3389 does not work

MY IP range is 192.168.99.0/24 (Site2)
Site1 IP range is 192.168.9.0/24

Both Site1 and Site2 can ping each other, even my Laptop (192.168.99.197) and the RDP server (192.168.9.5)

Same goes for all sites, same scenario bothe ways all over the place

From HQ to each site I can open the RDP stream ( telnet x.x.x.x 3389 ) But not from site to site

linuxgurusa · 11-27-2014, 03:35 AM

It was Firewall rules indeed.

On the Main VPN server the following rules needed for the VPN tunnels being created through it

$IPTABLES -A FORWARD -i tun0 -j ACCEPT # VPN TUN Interface
$IPTABLES -A FORWARD -i eth1 -j ACCEPT # Local LAN
$IPTABLES -A OUTPUT -j ACCEPT
$IPTABLES -A INPUT -i tun0 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -j ACCEPT

And rules on the client network firewall initiating one of the VPN links (branch server)

$IPTABLES -A FORWARD -i tun0 -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
$IPTABLES -A INPUT -i tun0 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -s 192.168.99.197 -d 0.0.0.0/0 -j ACCEPT # For default DROP policy firewall, My own IP (LAN)

Thanks for not helping