
I built a tunnel system with OpenVPN to let a distant client act like a private-network client and access private resources. It uses a client on the private network as a gateway.

DistantClient <-> OpenVPN server <-> PrivateNetworkClient

It works with a TAP tunnel, but TAP doesn't work with Android. Is there a way to get the same thing with TUN?

Current configurations:

Distant client

OpenVPN client configuration file

client
dev tap
proto udp
remote XX.XX.XX.XX 1234

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>[...]</ca>
<key>[...]</key>
<cert>[...]</cert>

# routes to the private networks; 10.11.0.3 is the gateway client's address on the OpenVPN server
route 20.42.0.0 255.255.255.0 10.11.0.3
route 21.16.10.0 255.255.255.0 10.11.0.3

Gateway client

net.ipv4.ip_forward=1 enabled

IPTables rules

*filter
# chain policies are not shown; the NEW rules below only limit forwarding if FORWARD defaults to DROP
# return traffic for connections the gateway already forwarded
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new connections from VPN clients, only towards the two private subnets
-A FORWARD -s 10.11.0.0/24 -d 21.16.10.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 20.42.0.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
# hide VPN addresses behind the gateway's LAN address so replies come back to it
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

OpenVPN client configuration file

client
dev tap
proto udp
remote XX.XX.XX.XX 1234

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>[...]</ca>
<key>[...]</key>
<cert>[...]</cert>

# reach the second private subnet via 20.42.0.1 on the gateway's LAN
route 21.16.10.0 255.255.255.0 20.42.0.1

Server

net.ipv4.ip_forward=1 enabled

IPTables rules

*filter
# ufw chains: allow established/related traffic, drop invalid packets
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
# OpenVPN listening port
-A ufw-user-input -p udp -m udp --dport 1234 -j ACCEPT
COMMIT
*nat
# VPN clients going out to the internet through the server's uplink
-A POSTROUTING -s 10.0.0.0/8 -o enp1s0 -j MASQUERADE
COMMIT

OpenVPN server configuration file

port 1234
proto udp
dev tap

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/work-server.crt
key /etc/openvpn/server/work-server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

server 10.11.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"

cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
explicit-exit-notify 1
push "explicit-exit-notify 1"
log-append /var/log/openvpn.log
verb 3

ifconfig-pool-persist /etc/openvpn/ipp.txt
# lets clients reach each other through the server; in TAP mode this is what
# makes 10.11.0.3 (the gateway client) a usable next hop for the distant client
client-to-client
Doubidou

0 Answers
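As an added example that is not part of the original question: the same gateway layout can be built with dev tun. In TUN mode the distant client and the gateway client no longer share one Ethernet segment, so the static `route ... 10.11.0.3` lines on the distant client have no equivalent; instead the server has to learn which client owns the private subnets (an `iroute` entry in a client-config-dir file) and push the routes to the other clients. The fragments below keep the addressing from the question and show only the directives that change relative to the posted TAP configuration; the gateway client's certificate CN is assumed to be `gateway` (an assumption, use the real CN as the file name).

```conf
# --- Server: /etc/openvpn/server/server.conf (only the lines that change) ---
dev tun
server 10.11.0.0 255.255.255.0
topology subnet                 # one /24 for all clients instead of net30 /30 pairs
client-to-client                # client<->client traffic is switched inside OpenVPN using iroute
client-config-dir /etc/openvpn/server/ccd

# kernel routes for the private subnets point into the tun interface
route 20.42.0.0 255.255.255.0
route 21.16.10.0 255.255.255.0

# advertise the private subnets to connecting clients; OpenVPN drops these
# pushes for the client whose own ccd entry iroutes the same subnets
push "route 20.42.0.0 255.255.255.0"
push "route 21.16.10.0 255.255.255.0"

# --- Server: /etc/openvpn/server/ccd/gateway (file name = gateway client's CN, assumed "gateway") ---
# these subnets live behind this client
iroute 20.42.0.0 255.255.255.0
iroute 21.16.10.0 255.255.255.0

# --- Gateway client: OpenVPN config change ---
dev tun
# keep: route 21.16.10.0 255.255.255.0 20.42.0.1 (LAN-side next hop)

# --- Gateway client: iptables FORWARD rules now match tun0 instead of tap0 ---
-A FORWARD -s 10.11.0.0/24 -d 21.16.10.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 20.42.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT

# --- Distant client (including Android): OpenVPN config change ---
dev tun
# remove the two "route ... 10.11.0.3" lines; the server pushes the routes
```

The `route` lines on the server and the `iroute` lines in the ccd file must list the same subnets: `route` tells the server kernel to hand packets for those subnets to OpenVPN, and `iroute` tells OpenVPN which connected client they belong to. Leaving out `iroute` is the usual failure mode: the distant client's packets reach the server and are dropped with a "no route" message in the OpenVPN log. The gateway client's `net.ipv4.ip_forward=1` and its MASQUERADE rule stay as in the question.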