I built a tunnel system with OpenVPN to let a distant client act like a private-network client and access private resources. It uses a client on the private network as a gateway.

DistantClient <-> OpenVPN server <-> PrivateNetworkClient

It works with a TAP tunnel, but TAP doesn't work with Android. Is there a way to get the same thing with TUN?

Actual configurations:

Distant client

OpenVPN client configuration file:
client
dev tap
proto udp
remote XX.XX.XX.XX 1234
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>[...]</ca>
<key>[...]</key>
<cert>[...]</cert>
# private networks resolutions, 10.11.0.3 is the gateway-client IP on OpenVPN server
route 20.42.0.0 255.255.255.0 10.11.0.3
route 21.16.10.0 255.255.255.0 10.11.0.3

Gateway client

net.ipv4.ip_forward=1 (enabled)

IPTables rules:
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 21.16.10.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 20.42.0.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

OpenVPN client configuration file:
client
dev tap
proto udp
remote XX.XX.XX.XX 1234
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>[...]</ca>
<key>[...]</key>
<cert>[...]</cert>
# Private forward
route 21.16.10.0 255.255.255.0 20.42.0.1

Server

net.ipv4.ip_forward=1 (enabled)

IPTables rules:
*filter
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1234 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 10.0.0.0/8 -o enp1s0 -j MASQUERADE
COMMIT

OpenVPN server configuration file:
port 1234
proto udp
dev tap
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/work-server.crt
key /etc/openvpn/server/work-server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
server 10.11.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
explicit-exit-notify 1
push "explicit-exit-notify 1"
log-append /var/log/openvpn.log
verb 3
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-to-client
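Added example, not code from the question or from OpenVPN: a small parser for OpenVPN config files that pulls out the directives that matter when a gateway-through-another-client setup moves from TAP to TUN, and reports what needs attention. With `dev tun` the server is the L3 router between clients, so a subnet behind a client is declared on the server with `route` plus `iroute` in a `client-config-dir` file for that client (OpenVPN's documented mechanism); the distant client then needs no explicit next hop in its `route` lines. The sample config, the function names (`parse_ovpn`, `tun_migration_findings`, `tun_mode_directives`) and the `GATEWAY_CLIENT_CN` placeholder are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample, modelled on the distant-client config in the question above.
SAMPLE_CLIENT_CONF = """\
client
dev tap
proto udp
remote XX.XX.XX.XX 1234
compress lz4
<ca>
-----BEGIN CERTIFICATE-----
dev tun ; certificate body: must be ignored even though it looks like a directive
-----END CERTIFICATE-----
</ca>
<key>[...]</key>
# private networks resolutions, 10.11.0.3 is the gateway-client IP on OpenVPN server
route 20.42.0.0 255.255.255.0 10.11.0.3
route 21.16.10.0 255.255.255.0 10.11.0.3
"""


@dataclass
class OvpnConfig:
    dev: Optional[str] = None
    compress: Optional[str] = None
    routes: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)  # (network, netmask, gateway)
    inline_blocks: Set[str] = field(default_factory=set)


def parse_ovpn(text: str) -> OvpnConfig:
    """Extract dev/compress/route directives; comments and <tag>...</tag> blocks are skipped."""
    cfg, block = OvpnConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside <ca>, <key>, ...: key material, not directives
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<(\w+)>(.*</\1>)?", line)
        if m:
            cfg.inline_blocks.add(m.group(1))
            if m.group(2) is None:  # multi-line block opens here
                block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = re.split(r"\s+[#;].*$", line)[0].split()  # drop a trailing comment
        key, args = parts[0], parts[1:]
        if key == "dev" and args:
            cfg.dev = args[0]
        elif key == "compress":
            cfg.compress = args[0] if args else "none"  # bare "compress" disables compression
        elif key == "route" and args:
            net = args[0]
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            gw = args[2] if len(args) > 2 else None
            cfg.routes.append((net, mask, gw))
    return cfg


def tun_migration_findings(cfg: OvpnConfig, vpn_net: str = "10.11.0.0/24") -> List[str]:
    """Things in a TAP-era client config that need attention when moving to dev tun."""
    findings = []
    if cfg.dev == "tap":
        findings.append("dev tap -> dev tun (Android OpenVPN clients only support tun)")
    for net, mask, gw in cfg.routes:
        if gw and ipaddress.ip_address(gw) in ipaddress.ip_network(vpn_net):
            findings.append(
                f"route {net} {mask} {gw}: next hop is another VPN client; in tun mode the "
                "server routes between clients, so declare the subnet there with route + iroute"
            )
    if cfg.compress not in (None, "none", "stub", "stub-v2"):
        findings.append(f"compress {cfg.compress}: compressing VPN traffic leaks plaintext "
                        "(VORACLE-class attacks); disable it unless there is a specific need")
    return findings


def tun_mode_directives(cfg: OvpnConfig, gateway_cn: str = "GATEWAY_CLIENT_CN"):
    """Directives for the tun-mode equivalent of the question's setup.
    Returns (server.conf lines, ccd/<gateway CN> lines, distant-client lines).
    gateway_cn is a placeholder: use the CN of the gateway client's certificate."""
    server = ["client-config-dir ccd"]  # ccd/<gateway_cn> holds the iroute lines
    ccd, client = [], []
    for net, mask, _gw in cfg.routes:
        server.append(f"route {net} {mask}")  # kernel route on the server into the tun interface
        ccd.append(f"iroute {net} {mask}")    # tells OpenVPN which client owns that subnet
        client.append(f"route {net} {mask}")  # gateway defaults to vpn_gateway, no explicit hop
    return server, ccd, client


if __name__ == "__main__":
    parsed = parse_ovpn(SAMPLE_CLIENT_CONF)
    for finding in tun_migration_findings(parsed):
        print("-", finding)
    srv, ccd_lines, cli = tun_mode_directives(parsed)
    print("server.conf:", *srv, sep="\n  ")
    print("ccd/GATEWAY_CLIENT_CN:", *ccd_lines, sep="\n  ")
    print("distant client:", *cli, sep="\n  ")
```

The gateway client's iptables FORWARD rules would then match on `-i tun0` instead of `-i tap0`; everything else on that host (IP forwarding, MASQUERADE on eth0) stays the same.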