
I'm setting up OpenVPN to be able to connect from home to my office's server.

On this server, KVM is installed and some VMs are running on it. I've created a NAT virtual network 172.16.0.0/24. I want the VPN client to be on the same network as my VMs.

When I connect to the VPN from my client, two things are troubling me:

  1. I want OpenVPN to hand out a specific IP address range (like 172.16.6.1 to 172.16.7.254). How do I do this?
  2. I can't reach the VMs, not even by pinging them. Are there specific routes to add, or anything else?

Here is the OpenVPN server configuration :

    # OpenVPN port, protocol and tun device
    port 1194
    proto udp
    dev tun

    # OpenVPN server certificate: CA, server key and certificate
    ca /etc/openvpn/server/ca.crt
    cert /etc/openvpn/server/adoc-vpn-server.crt
    key /etc/openvpn/server/adoc-vpn-server.key

    # DH parameters and CRL
    dh /etc/openvpn/server/dh.pem
    #crl-verify /etc/openvpn/server/crl.pem

    # Network configuration - internal network
    # Note: this /16 pool contains the libvirt NAT network 172.16.0.0/24,
    # so OpenVPN's own address (172.16.0.1) and client addresses land in
    # the same range the VMs and the libvirt bridge use
    # Redirect all client traffic through the OpenVPN server
    server 172.16.0.0 255.255.0.0
    push "redirect-gateway def1"

    # Push the internal DNS server and search domain to clients
    push "dhcp-option DNS 172.16.0.10"
    push "dhcp-option DOMAIN adoc.local"

    # Allow multiple clients to connect with the same certificate
    # (this also rules out per-client fixed addresses via client-config-dir)
    duplicate-cn

    # TLS security
    cipher AES-256-CBC
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
    auth SHA512
    auth-nocache

    # Other configuration
    keepalive 20 60
    persist-key
    persist-tun
    # Compression is deprecated in OpenVPN and exposes tunnelled traffic to
    # VORACLE-style attacks; consider removing it
    comp-lzo yes
    daemon
    user nobody
    group nobody

    # OpenVPN log
    log-append /var/log/openvpn.log
    verb 3

Any help would be appreciated! Thank you.

2 Answers


I've been able to resolve the problem with a great automated install of OpenVPN through https://github.com/angristan/openvpn-install. The installation uses the address space 10.8.0.0/24 and my VPN server is connected to two libvirt networks with 172.27.48.64/26 and 172.27.48.128/25 address space.

/etc/openvpn/server.conf:

    port 1194
    proto udp
    dev tun0
    user nobody
    group nobody
    persist-key
    persist-tun
    keepalive 10 120
    topology subnet
    # << only this line was changed from the generated config: it puts the
    # VPN pool on the 172.27.48.64/26 libvirt network. `server` must be given
    # the network address; OpenVPN rejects a host address such as .66 as an
    # invalid network/netmask combination
    server 172.27.48.64 255.255.255.192
    ifconfig-pool-persist ipp.txt
    # automatically generated on the VPN server
    push "dhcp-option DNS 172.27.48.129"
    push "dhcp-option DNS 172.27.48.65"
    push "redirect-gateway def1 bypass-dhcp"
    dh none
    ecdh-curve prime256v1
    tls-crypt tls-crypt.key
    crl-verify crl.pem
    ca ca.crt
    cert server_###########.crt
    key server_###########.key
    auth SHA256
    cipher AES-128-GCM
    ncp-ciphers AES-128-GCM
    tls-server
    tls-version-min 1.2
    tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    client-config-dir /etc/openvpn/ccd
    status /var/log/openvpn/status.log
    verb 3
barfoos

I've been able to resolve one of my problems, the DHCP scope -> Changing openvpn dhcp pool

But the VPN client still can't ping the VMs or other hosts on the network. Maybe a route to add... Does anyone know?
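The two points left open above (the question's `server 172.16.0.0 255.255.0.0` pool overlapping the libvirt NAT subnet, and the route and forwarding needed before a client can ping a VM) as an added example. This script is not from the original question or either answer, nor from OpenVPN or libvirt. It assumes the libvirt bridge is named virbr1, the VPN interface is tun0, and the new pool is 172.16.6.0/23, which is what produces the 172.16.6.1 to 172.16.7.254 range the question asks for; the sysctl and iptables commands are printed, not applied.

```shell
#!/bin/sh
# Added example (not from the question, the answers, OpenVPN or libvirt).
# Checks (1) whether an OpenVPN `server` pool overlaps the libvirt NAT subnet,
# (2) which addresses `server NET MASK` hands out under `topology subnet`, and
# prints (3) the server-side changes needed to reach the VMs.
# Assumed names: virbr1 (libvirt bridge), tun0 (VPN device), pool 172.16.6.0/23.
set -eu

ip2int() {                                  # dotted quad -> 32-bit integer
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                                  # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Two subnets overlap when they agree on every bit of the shorter mask.
# Exit status 0 (true) means overlap. Usage: cidr_overlap NET1 MASK1 NET2 MASK2
cidr_overlap() {
    n1=$(ip2int "$1"); m1=$(ip2int "$2"); n2=$(ip2int "$3"); m2=$(ip2int "$4")
    m=$m1
    if [ "$m2" -lt "$m1" ]; then m=$m2; fi
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# What `server NET MASK` allocates with `topology subnet`: the server takes
# NET+1, clients get NET+2 up to broadcast-1. Prints "server first last".
pool_range() {
    n=$(ip2int "$1"); m=$(ip2int "$2")
    bcast=$(( n | (4294967295 - m) ))
    echo "$(int2ip $(( n + 1 ))) $(int2ip $(( n + 2 ))) $(int2ip $(( bcast - 1 )))"
}

# Server-side fix, printed rather than applied so the script is safe anywhere:
# a pool outside the libvirt subnet, a pushed route to that subnet, kernel
# forwarding, and FORWARD rules inserted ahead of libvirt's own REJECT rules,
# which otherwise drop new connections entering the bridge from tun0.
print_fix() {
    cat <<'EOF'
# --- /etc/openvpn/server.conf: replace the `server` line with ---
topology subnet
server 172.16.6.0 255.255.254.0
push "route 172.16.0.0 255.255.255.0"
# --- on the KVM host, as root ---
sysctl -w net.ipv4.ip_forward=1
iptables -I FORWARD 1 -i tun0 -o virbr1 -j ACCEPT
iptables -I FORWARD 1 -i virbr1 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

main() {
    # The question's /16 pool contains the libvirt /24, so tun0 and virbr1
    # end up claiming addresses (172.16.0.1 first of all) in the same range.
    if cidr_overlap 172.16.0.0 255.255.0.0 172.16.0.0 255.255.255.0; then
        echo "pool overlaps the libvirt subnet: move the pool off 172.16.0.0/24"
    fi
    echo "new pool (server, first client, last client): $(pool_range 172.16.6.0 255.255.254.0)"
    print_fix
}
main
```

Run it with `sh`. No masquerading is needed on tun0: the VMs' default gateway is the libvirt bridge on the same host, so replies to 172.16.6.x return through the host and back over the tunnel. Two caveats: libvirt inserts its FORWARD rules at the top of the chain every time the network starts, so the ACCEPT rules must be re-applied afterwards (a `/etc/libvirt/hooks/network` script is the usual place), and on hosts where libvirt uses its nftables backend the REJECT lives in libvirt's own nft table, so the equivalent `nft` rule is needed instead of the iptables lines.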