
I know that this title seems to be "over answered", but really I had no luck while searching...

EDIT: I've updated the diagram and the question, to be more precise

To better explain my situation, here is a little diagram:

[diagram image not reproduced here]

I'm trying to have "PC Home" act like "PC Work":

- browsing all sites that should be unavailable from networks other than 10.42.0.x
- SSH to other local clients on the 10.42.x.x network
- use the DNS provided by the work network (for a custom TLD)

In other words, I want PC Home to "become" PC Work.

I know it's possible with 2 clients connected to one OpenVPN intermediary (Client OpenVPN on PC Home -> OpenVPN Server -> Client OpenVPN on PC Work -> Use network from PC Work).

But I have very little knowledge of network infrastructure...

Could somebody explain to me how to do this? (TAP instead of TUN? Maybe a client-to-client connection? iptables rules to forward?)

Oh, I forgot: I'm working on Linux; PC Home is on Ubuntu 18.04 (but it should work with any OS), the OpenVPN server is on Ubuntu 18.04 too, and PC Work is on Raspbian :)

Thanks! Some actual configuration files:

Server configuration file:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

In the IPP file I specify the VPN IPs for Client Home and Client Work (10.8.0.10 and 10.8.0.20). IP forwarding is enabled on the server. In /etc/ufw/before.rules on the server, I added these lines:

*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT

Tell me if I've missed some other useful things :)

Thanks!

Doubidou
  • Could you please show more of your VPN configs and LAN configs? For added security you can mask the public IPs you use and omit certificates. Also, your diagram confuses things for me. Your client2 accesses the VPN through routerB or whatever? If so, why wasn't routerB drawn between the server and client1? Same for client1. – Nikita Kipriyanov Sep 10 '19 at 12:51
  • @NikitaKipriyanov You're right, I wanted the diagram to help but it's worse... What I want is to browse the internet with client 1 as if I were client 2 (access to private websites, DNS resolving, etc.) – Doubidou Sep 10 '19 at 13:03
  • @davidgo, who commented under the answer below, is right: you'll need some iroutes to tell the router inside the openvpn process where to route which packets. I could add that these iroute commands go into client-dependent config files inside client-config-dir. So for us to be more concrete, show us your VPN configs; the only things you have to omit are public IPs, certificates and keys. Until then we can only literally repeat things from the openvpn manual, but you can read it without our mediation (btw, that's always a good idea, do "man openvpn" on ubuntu). – Nikita Kipriyanov Sep 11 '19 at 05:47

1 Answer

Normally, for network-to-network connections, OpenVPN creates its own network that connects the nodes (10.8.0.0/MASK).

You will have two OpenVPN machines, one at each end: one server and one client.

These machines will also be connected to the networks at each end; 192.168.0.0/MASK and 10.42.0.0/MASK seem to be your case.

From the two OpenVPN machines you can reach the other end, that is, from 10.8.0.10 you can ping 10.8.0.20.

If so, I think you have to do 3 things to route traffic to the remote networks.

1- Activate IP forwarding on both servers

 echo 1 > /proc/sys/net/ipv4/ip_forward

2- Add routes on your routers, something like this:

RouterA:

ip route add 10.42.0.0/MASK via 192.168.0. [OPENVPN ip]

RouterB:

ip route add 192.168.0.0/MASK via 10.42.0.0. [OPENVPN ip]

3- You should already have them, but at each end the OpenVPN servers should also have a route to reach the other side, something like:

OpenVPN1:

ip route add 10.42.0.0/MASK via 10.8.0.10

OpenVPN2:

ip route add 192.168.0.0/MASK via 10.8.0.20

This way you tell your OpenVPN servers which networks to route and how to get to them.

I hope I've helped.

asterissco
  • I don't think this fully answers the question, and I expect that forwarding has already been enabled based on the picture. What is likely necessary is some push statements and some iroute statements so that openvpn can advertise appropriate routes and know what is internal. We really need to see the configs. – davidgo Sep 10 '19 at 19:01
  • I updated my question; when you say "Add routes... Router A & Router B", do you mean on Client 1 and Client 2? – Doubidou Sep 12 '19 at 06:42
  • I mean the routers of the clients. – asterissco Sep 12 '19 at 09:15
  • Okay... So I've edited the question to be more precise. I cannot control the "routers", and I only have one distant OpenVPN server and one client on each PC; is the diagram clearer? Thanks! – Doubidou Sep 13 '19 at 06:48
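A read-only checker for the three steps the answer lists (IP forwarding, routes on the LAN routers, routes on the two VPN hosts) and for the mask of the MASQUERADE rule in the question's before.rules, written as an added example rather than code from the question or the answer. The subnet masks, the LAN address of PC Home and the next hop on the VPN side are assumptions (the page only gives 192.168.0.x, 10.42.x.x and the two ipp.txt addresses), and the routing tables and rules it reads are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Masks, HOME_LAN_IP and
# the far-end next hop are assumptions; the `ip route` / nat inputs below are
# constructed. On real hosts feed it ip_forward, `ip route`, `iptables-save -t nat`.

VPN_NET="10.8.0.0/24"                          # "server 10.8.0.0 255.255.255.0"
HOME_LAN="192.168.0.0/24"; WORK_LAN="10.42.0.0/16"   # assumed masks
HOME_VPN="10.8.0.10"; WORK_VPN="10.8.0.20"     # VPN addresses fixed in ipp.txt
HOME_LAN_IP="192.168.0.50"   # assumed LAN address of PC Home ("[OPENVPN ip]" in step 2)

# Step 1: ip_forward_enabled FILE -> 0 when the sysctl file holds exactly "1".
# Mind the space in `echo 1 > /proc/sys/net/ipv4/ip_forward`: written as
# `echo 1>file`, "1>" is a redirection of fd 1 and only an empty line is written.
ip_forward_enabled() { [ "$(cat "$1" 2>/dev/null)" = "1" ]; }

# Steps 2 and 3: route_via TABLE DEST NEXTHOP -> 0 when the `ip route` text
# TABLE contains "DEST via NEXTHOP" (anchored, so 10.42.0.0/16 != 110.42.0.0/16).
route_via() { printf '%s\n' "$1" | grep -q -- "^$2 via $3 "; }

# missing_routes TABLE "DEST NEXTHOP"... -> prints each DEST whose route is
# absent and returns how many are missing (0 = the host is fully routed).
missing_routes() {
  table=$1; shift; n=0
  for pair in "$@"; do
    set -- $pair
    route_via "$table" "$1" "$2" || { echo "$1"; n=$((n + 1)); }
  done
  return $n
}

# NAT: nat_scope_ok RULES NET -> 0 when at least one MASQUERADE rule exists and
# every one is limited to "-s NET" ("-s 10.8.0.0/8" is really all of 10.0.0.0/8).
nat_scope_ok() {
  printf '%s\n' "$1" | grep -q MASQUERADE || return 1
  ! printf '%s\n' "$1" | grep MASQUERADE | grep -vq -- "-s $2 "
}

# Constructed inputs: PC Home after step 3 (work LAN via the far VPN end, assumed
# to be 10.8.0.20), Router A before step 2, and an over-wide MASQUERADE rule.
HOME_TABLE="default via 192.168.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src $HOME_VPN
$WORK_LAN via $WORK_VPN dev tun0
$HOME_LAN dev eth0 proto kernel scope link src $HOME_LAN_IP"
ROUTER_A_TABLE="default via 203.0.113.1 dev wan0
$HOME_LAN dev lan0 proto kernel scope link src 192.168.0.1"
BAD_NAT="-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE"
missing_routes "$HOME_TABLE" "$WORK_LAN $WORK_VPN" && echo "PC Home: routes ok"
missing_routes "$ROUTER_A_TABLE" "$WORK_LAN $HOME_LAN_IP" || echo "Router A: add 'ip route add <dest> via $HOME_LAN_IP' for each line above"
nat_scope_ok "$BAD_NAT" "$VPN_NET" || echo "NAT: narrow -s 10.8.0.0/8 to $VPN_NET"
```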