
I set up an OpenVPN server for subnet 10.8.0.0/24 which has limited access to the internal network. Additionally, I want to configure 10.8.1.0/24 manually with static IPs for selected clients to give them additional permissions (e.g. SSH access).

Access control is done via iptables and works as expected.

Now I push a route to an external IP (in this example 10.10.10.10) with a webserver running on port 80 & 443.

When connecting to the VPN without a client-specific configuration and thus getting a 10.8.0.0/24 IP, I have no problems accessing the webserver on 10.10.10.10. I can see packets coming in on tun0 and leaving the server on p4p1 (external interface). When connecting to the VPN with a client-specific configuration and thus getting a 10.8.1.0/24 IP, I am able to ping all internal servers, but packets destined for 10.10.10.10 won't be relayed to any physical interface on the VPN server (checked in TCP dumps).

Regarding this, an excerpt from the OpenVPN server configuration:

```
server 10.8.0.0 255.255.255.0
push "route 10.10.10.10 255.255.255.255"
client-config-dir /etc/openvpn/ccd
route 10.8.1.0 255.255.255.0
client-to-client
comp-lzo
persist-key
persist-tun
```

Client configuration in /etc/openvpn/ccd/some-client:

```
ifconfig-push 10.8.1.133 10.8.1.134
```

As traffic is working via any specific route listed to the internal interface (p1p1) I guess that OpenVPN is not correctly redirecting traffic towards the default route going onto interface p4p1, but I don't know why it would do that and how it can be fixed.

Any suggestions?

Dero
  • Maybe it's the firewall (you can post the firewall rules). Check and make sure you have it right. Also you can check the routing easily with `route print` in Windows (or `route -n` in Linux) after connecting. Another point is whether the webserver is also aware of the IP range 10.8.1.0/24. – Diamond Oct 10 '17 at 11:34
  • From my firewall: `ACCEPT all -- 10.8.1.0/24 10.10.10.0/24`. Network 10.10.10.0/24 is reached through the default route, for which NAT is activated: `167K 24M MASQUERADE all -- any p4p1 anywhere anywhere`. Still, packets never go out through the default gateway or reach the remote system. – Dero Oct 10 '17 at 12:16

1 Answer


As Diamond said, the webserver needs to have a route back to 10.8.1.0/24 through the VPN server as well. Alternatively, the VPN server will need to be configured to perform NAT for requests to the webserver.

Additionally, I'm not sure about this, but you may need to add `push "route 10.8.0.0 255.255.0.0"` to your server config.

EDIT: The netmask in the server config bothers me. Instead of the suggestion above, try removing the `server 10.8.0.0 255.255.255.0` line in the server config and adding this instead:

```
mode server
tls-server
ifconfig 10.8.0.1 255.255.254.0    # different netmask to support 10.8.1.0/24 range
ifconfig-pool 10.8.0.0 10.8.0.253
route-gateway 10.8.0.1
push "route-gateway 10.8.0.1"
```

EDIT2: added missing config lines

jvdmr
  • The back route shouldn't be the problem as no packets even reach the webserver. Also, outgoing traffic goes through a NAT, so the webserver doesn't see the 10.8.1.0/24 IP. – Dero Oct 10 '17 at 12:13
  • Right, you mentioned that in the original post but I forgot. I've changed my answer with a new suggestion. – jvdmr Oct 10 '17 at 12:44
  • I tried that configuration. When just removing `server` the server won't start as it requires that directive. Providing the `server` directive seems to be incompatible with `ifconfig-pool`. The message states that the pool was already configured with the `server` directive (regardless of whether or not a subnet was provided for server). With `server` and without the `ifconfig-pool` directive the server starts, but routes are not correctly added on the 10.8.1.0/24 subnet as 'Network is unreachable'. I also tried simply changing the `server` directive to subnet `10.8.0.0 255.255.254.0` without any improvement. – Dero Oct 10 '17 at 13:52
  • I missed the `mode server` and `tls-server` lines. Remove the `server` line and add the lines above, I just tried it myself and this works (for me at least). – jvdmr Oct 12 '17 at 10:17
  • With `mode server` and `tls-server` I'm able to start the server and connect to it, yet `push "route-gateway 10.8.0.1"` leads to windows not being able to add routes as the gateway is not reachable. As this is part of a production network and can't stay offline for too long I'll set up a fast mock up of our network on my local machine to test this out. Will reach out again when I got more information. – Dero Oct 18 '17 at 07:51
  • Problem fixed. OpenVPN configuration was fine but in the iptables there was one entry setting a false interface forwarding. Noticed that when my local test confirmed your configuration was working. Thanks for the help! – Dero Oct 19 '17 at 07:22
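The root cause in the thread was a FORWARD rule that sent the 10.8.1.0/24 traffic out of the wrong interface, which is easy to miss when reading a long ruleset by eye. The script below is an added example, not code from the thread: it parses `iptables -S` style output and flags ACCEPT rules for a given source/destination pair whose `-o` interface differs from the interface the routing table actually uses for that destination, and separately confirms that a MASQUERADE rule exists for that egress interface. The rule text is a constructed sample (the thread never shows the faulty rule itself); the interface names tun0, p1p1 and p4p1 and the subnets are the ones from the question.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` output (not the asker's ruleset).
# The 10.8.1.0/24 rule deliberately points at the internal interface p1p1,
# while 10.10.10.0/24 is reached via the default route on p4p1.
RULES='-P FORWARD DROP
-A FORWARD -s 10.8.0.0/24 -d 10.10.10.0/24 -i tun0 -o p4p1 -j ACCEPT
-A FORWARD -s 10.8.1.0/24 -d 10.10.10.0/24 -i tun0 -o p1p1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample of `iptables -t nat -S POSTROUTING` output.
NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o p4p1 -j MASQUERADE'

# check_forward_egress RULES SRC DST IFACE
# Prints every ACCEPT rule in RULES that matches source SRC and destination DST
# but names an out-interface (-o) other than IFACE. Exit status 0 = no mismatch.
check_forward_egress() {
    rules="$1"; src="$2"; dst="$3"; want="$4"
    printf '%s\n' "$rules" | awk -v src="$src" -v dst="$dst" -v want="$want" '
        $1 == "-A" && / -j ACCEPT/ {
            s = ""; d = ""; o = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "-d") d = $(i + 1)
                if ($i == "-o") o = $(i + 1)
            }
            if (s == src && d == dst && o != "" && o != want) { print; bad++ }
        }
        END { if (bad) exit 1; exit 0 }'
}

# has_masquerade NAT_RULES IFACE
# Exit status 0 if a POSTROUTING MASQUERADE rule applies to out-interface IFACE.
has_masquerade() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "-A" && / -j MASQUERADE/ {
            for (i = 1; i <= NF; i++) if ($i == "-o" && $(i + 1) == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Stand-alone run: the 10.8.0.0/24 rule is fine, the 10.8.1.0/24 rule is not.
for src in 10.8.0.0/24 10.8.1.0/24; do
    if check_forward_egress "$RULES" "$src" 10.10.10.0/24 p4p1; then
        echo "$src -> 10.10.10.0/24: forwarded via the expected interface"
    else
        echo "$src -> 10.10.10.0/24: rule(s) above use the wrong out-interface"
    fi
done
if has_masquerade "$NAT_RULES" p4p1; then
    echo "MASQUERADE present for p4p1"
else
    echo "no MASQUERADE rule for p4p1"
fi
```

On a live server, replace the two sample variables with `$(iptables -S FORWARD)` and `$(iptables -t nat -S POSTROUTING)`, and take the expected interface from `ip route get 10.10.10.10` rather than hard-coding p4p1; rules with no `-o` at all are not reported, since they forward via whatever the routing table picks.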