0

I have two distant places each with a public IP and I want to make the LAN network of these places as if they were one. That is, the machines in place A can communicate with the machines in place B and those in place B with those in place A.

In Place A (10.0.2.1) I have an ASUS AC 1200g+ and a Raspberry Pi (10.0.2.60) with OpenVPN Server. New clients stay on interface tun0 (10.8.0.1). At this moment, the client (Place B) can communicate with Place A's LAN; only traffic with destination 10.0.1.0/24 is redirected to the server side.

Now I want the machines in Place A (Server) to be able to communicate with Place B's LAN. I placed a route in my router so that all requests with destination 10.0.1.0/24 are redirected to the Raspberry Pi VPN server, but the server doesn't know what to do with that traffic.

In Place B (10.0.1.1) I have an ASUS AC86U with ASUS Merlin firmware, and I activated the OpenVPN client with the "Inbound Firewall" option enabled.

Network Schema

Dariko77

1 Answer

0

I have a similar setup in which the raspberry pi is the client, but that should not matter too much. Disclaimer: It is not the easiest thing to set up.

I am using this /etc/iptables/iptables.rules file to NAT traffic from OpenVPN connections (usually tun0, but tun+ covers all) into the local networks:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT
COMMIT

The OpenVPN configuration requires a so-called client-to-client configuration. These two lines in the server's OpenVPN config enable the feature:

# routing between clients (office lan):
client-to-client
# use ccd-folder (per host configs)
client-config-dir ccd

The client-config-dir must be created manually underneath the /etc/openvpn/...-path where your config is. Within that folder you can then create per-host text files. The file naming is important: double check how OpenVPN calls your client in the system log (e.g. with journalctl -xef --unit openvpn-server@somehost or in the openvpn-status.txt file). The contents of the file are simple:

ifconfig-push 10.10.99.18 255.255.255.255
iroute 192.168.0.0 255.255.0.0

would configure it to get the same IP every time it connects (10.10.99.18) and configures the VPN server to internally route traffic for 192.168.0.0/16 to the client with the name of this file and IP address. That makes it understandable why we have no valid network connection yet: the host system of the VPN server does not know that the VPN tunnel can be used to route traffic for that network (netstat -rn4). So we have to configure the VPN server again and append:

route 192.168.0.0 255.255.0.0
push "route 192.168.0.0 255.255.0.0"

to tell the server that it should route traffic to 192.168.0.0/16, and all clients connected to the server should also be informed about the route: the route is pushed to the clients.


For my setup I used the link above, but while writing this answer I found two interesting links regarding the topic:

good luck :)

MaxC
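The answer above hinges on one consistency rule that is easy to get wrong: every iroute in a ccd file needs a matching route (and, for the other clients, a push "route ...") in the server config, otherwise the server's kernel never learns that the tunnel reaches that LAN. The following checker is an added example, not code from the answer or from OpenVPN; it parses a server config and a set of ccd files and reports the mismatches. The sample configs are constructed from the values in the answer (10.10.99.18, 192.168.0.0/16), plus a hypothetical second client "branch-b" with LAN 10.0.1.0/24 whose iroute has no server-side route, to show what the failure looks like.

```python
"""Consistency check for an OpenVPN site-to-site setup (added example).

Rule checked: each `iroute` in a client-config-dir (ccd) file must have a
matching `route` in the server config, and should be pushed to the other
clients; a server `route` with no client `iroute` is also flagged, because
OpenVPN then has no client to hand that traffic to.
"""
import ipaddress
import re

# Constructed sample server config; mirrors the directives from the answer.
SERVER_CONF = """
server 10.10.99.0 255.255.255.0
client-to-client
client-config-dir ccd
route 192.168.0.0 255.255.0.0
push "route 192.168.0.0 255.255.0.0"
"""

# Constructed sample ccd files keyed by client common name (the file name).
CCD_FILES = {
    "office-router": (
        "ifconfig-push 10.10.99.18 255.255.255.255\n"
        "iroute 192.168.0.0 255.255.0.0\n"
    ),
    # Hypothetical client whose LAN has an iroute but no server-side route.
    "branch-b": (
        "ifconfig-push 10.10.99.22 255.255.255.255\n"
        "iroute 10.0.1.0 255.255.255.0\n"
    ),
}


def parse_directives(text):
    """Yield (directive, [args]) for each non-comment line; quoted args stay whole."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', line)]
        yield parts[0], parts[1:]


def network(addr, mask):
    """Normalise an 'address netmask' pair to CIDR text, e.g. 192.168.0.0/16."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def check_routes(server_conf, ccd_files):
    """Return a list of findings; an empty list means the routing is consistent."""
    findings = []
    server_routes, pushed_routes = set(), set()
    tunnel_net = None
    has_ccd = False
    for directive, args in parse_directives(server_conf):
        if directive == "route" and len(args) >= 2:
            server_routes.add(network(args[0], args[1]))
        elif directive == "push" and args and args[0].startswith("route "):
            r = args[0].split()
            if len(r) >= 3:
                pushed_routes.add(network(r[1], r[2]))
        elif directive == "server" and len(args) >= 2:
            tunnel_net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif directive == "client-config-dir":
            has_ccd = True
    if not has_ccd:
        findings.append("server: no client-config-dir, ccd files are ignored")

    iroutes = set()
    for client, text in ccd_files.items():
        for directive, args in parse_directives(text):
            if directive == "iroute" and len(args) >= 2:
                net = network(args[0], args[1])
                iroutes.add(net)
                if net not in server_routes:
                    findings.append(f"{client}: iroute {net} has no matching 'route' in server config")
                if net not in pushed_routes:
                    findings.append(f"{client}: {net} is not pushed to other clients")
            elif directive == "ifconfig-push" and args and tunnel_net is not None:
                if ipaddress.ip_address(args[0]) not in tunnel_net:
                    findings.append(f"{client}: ifconfig-push {args[0]} is outside {tunnel_net}")
    # Kernel route into the tunnel, but no client claims the network.
    for net in sorted(server_routes - iroutes):
        findings.append(f"server: route {net} has no client iroute")
    return findings


if __name__ == "__main__":
    for line in check_routes(SERVER_CONF, CCD_FILES) or ["routing is consistent"]:
        print(line)
```

Run against the sample, the checker is silent for "office-router" and reports two findings for "branch-b" (missing route, not pushed). To use it on a real host, read the server config and the ccd directory into the two arguments; the client names must match the ccd file names exactly, as the answer notes.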
  • Thank you very much! It works!! I think that the only thing that was missing for me was the iptables rules. I added that and it works fine! Thank you! – Dariko77 Jan 05 '21 at 20:34