The goal is to have a main OpenVPN server and multiple OpenVPN subnets that are reachable for the main server's clients. All subnet servers are clients of the main server too.
Here are configs:
- main server config
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.0.0.0 255.255.0.0
# kernel route into tun0 for the subserver1 subnet; OpenVPN needs this
# alongside the iroute in ccd/subserver1 before it can forward to 10.1.0.0/16
route 10.1.0.0 255.255.0.0
push "route 10.0.0.0 255.255.0.0"
push "route 10.1.0.0 255.255.0.0"
client-config-dir ccd
client-to-client
keepalive 10 120
tls-server
tls-auth ta.key 0
comp-lzo
- ccd/subserver1
ifconfig-push 10.0.0.6 10.0.0.5
# tells OpenVPN that 10.1.0.0/16 sits behind this client
iroute 10.1.0.0 255.255.0.0
- subserver config (as main server client)
client
dev tun
proto udp
remote <ip> 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert subserver1.crt
key subserver1.key
tls-client
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 3
pull
- subserver config (as subnet server)
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.1.0.0 255.255.0.0
push "route 10.0.0.0 255.255.0.0"
push "route 10.1.0.0 255.255.0.0"
client-to-client
keepalive 10 120
tls-server
tls-auth ta.key 0
comp-lzo
persist-key
persist-tun
- iptables rules on the main server
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE
I suppose something is missing in iptables, but I don't have enough experience to figure this out. The easiest thing should be using the push "dhcp-option DNS 10.1.0.1"
option in the main server config. Is there any way to set up a DNS server over the OpenVPN server? Or any other way to handle this?
UPDATE (2.03.2016)
Here is what I've managed to achieve: [Network diagram]
Main server routes:
0.0.0.0 <external ip> 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 10.0.0.2 255.255.0.0 UG 0 0 0 tun0
10.0.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.1.0.0 10.0.0.2 255.255.0.0 UG 0 0 0 tun0
10.2.0.0 10.0.0.2 255.255.0.0 UG 0 0 0 tun0
Subserver1 routes:
0.0.0.0 <external ip> 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 10.0.0.5 255.255.0.0 UG 0 0 0 tun1
10.0.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.1.0.0 10.1.0.2 255.255.0.0 UG 0 0 0 tun0
10.1.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.2.0.0 10.0.0.5 255.255.0.0 UG 0 0 0 tun1
Client1 routes:
0.0.0.0 <external ip> 0.0.0.0 UG 0 0 0 eth0
10.1.0.0 10.1.0.5 255.255.0.0 UG 0 0 0 tun0
10.1.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
With this I could SSH to the subservers from the superuser using both tun0 and tun1 IPs (and this confuses me a lot). After that I could connect to the clients, but there is no direct connection. I'm sure I've missed the last step, but can't figure it out.
iptables -A FORWARD -s 10.0.0.0/16 -d 10.1.0.0/16 -j ACCEPT
on subserver1 changed nothing.
UPDATE (3.03.2016)
- Main server:
root@stage:~# iptables -L -nv
Chain INPUT (policy ACCEPT 212K packets, 40M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
74 5416 ACCEPT all -- tun0 eth0 10.0.0.0/16 10.1.0.0/16 ctstate NEW
Chain OUTPUT (policy ACCEPT 223K packets, 34M bytes)
pkts bytes target prot opt in out source destination
root@stage:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 9664 packets, 695K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 9641 packets, 694K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 29987 packets, 2269K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 29828 packets, 2260K bytes)
pkts bytes target prot opt in out source destination
179 11363 MASQUERADE all -- * * 10.0.0.0/16 10.1.0.0/16
All other machines don't have any iptables rules.
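A check for the hub-and-spoke setup above, added here as an example and not part of the original post: OpenVPN only forwards hub traffic into a spoke's subnet when each "iroute" in a ccd file has a matching "route" directive in the server config (a "push route" does not count). The sample files are constructed to mirror the post; ccd/subserver2 and its 10.2.0.0/16 subnet are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: list every ccd "iroute" whose
# network has no matching kernel "route" line in the OpenVPN server config.
# Sample files below are constructed; subserver2 and 10.2.0.0/16 are assumed.

# Print "network mask" pairs for directive $1 (route or iroute) found in file $2.
# A line such as: push "route 10.1.0.0 255.255.0.0" has $1 == "push", so it is
# deliberately not counted as a route.
nets_of() {
    awk -v d="$1" '$1 == d { print $2, $3 }' "$2" | sort -u
}

# check_iroutes SERVER_CONF CCD_DIR
# Prints one line per iroute lacking a route; returns 0 if none, 1 otherwise.
check_iroutes() {
    conf="$1"; ccd="$2"
    gaps=$(for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        nets_of iroute "$f" | while read -r net mask; do
            nets_of route "$conf" | grep -qx "$net $mask" ||
                echo "$(basename "$f"): iroute $net $mask needs 'route $net $mask' in server config"
        done
    done)
    [ -z "$gaps" ] && return 0
    printf '%s\n' "$gaps"
    return 1
}

# Demo on constructed files: the post's ccd/subserver1, an assumed
# ccd/subserver2, and a server config with a route line for the first subnet only.
demo=$(mktemp -d)
mkdir "$demo/ccd"
printf 'server 10.0.0.0 255.255.0.0\nroute 10.1.0.0 255.255.0.0\n' > "$demo/server.conf"
printf 'ifconfig-push 10.0.0.6 10.0.0.5\niroute 10.1.0.0 255.255.0.0\n' > "$demo/ccd/subserver1"
printf 'iroute 10.2.0.0 255.255.0.0\n' > "$demo/ccd/subserver2"
check_iroutes "$demo/server.conf" "$demo/ccd" || echo "add the missing route line(s) and restart openvpn"
rm -rf "$demo"
```

Run it against the real server config and ccd directory (for example `check_iroutes /etc/openvpn/server.conf /etc/openvpn/ccd`) after sourcing the script.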