On 14/03/19 17:14, sergio wrote:
Hello.

I've already tried to discuss this on IRC as I thought it was a simple and short question, but it seems that it is not.

The short question is:

"Is it true that making one client the default gateway for another client is impossible with a routed setup (OK, without NAT on the VPN server), and that this is another argument for a bridged setup, not listed in the BridgingAndRouting doc?"


As Gert said, the short answer to this question is: no, it's perfectly well possible to set this up using a routed setup.

Is it possible (and how) to do this with a routed setup? (Without NAT'ing on the server, as it's not a pure routed setup.)


Routed setup example:
openvpn server : 10.0.1.1, network : 10.0.1.0/24
client A       : 10.0.2.1, network : 10.0.2.0/24
client B       : 10.0.3.1, network : 10.0.3.0/24

Ping from 10.0.3.17 (the host behind B) to 10.0.2.32 (the host behind A) works fine.

I can route 1.1.1.1 from 10.0.3.0/24 via 10.0.1.2 by adding:
ip r add 1.1.1.1 via 10.0.1.1 (on client B)
iroute 8.8.8.8 255.255.255.255 (to ccd/A on the server)

The question is how to route all traffic from 10.0.3.0/24 via 10.0.1.2 to the internet?

When I do `ip route replace default via 10.0.1.2` on 10.0.3.1 the traffic goes out via 10.0.1.1 and doesn't reach 10.0.1.2, of course.


That will mostly be a matter of return routes not being processed correctly. Especially for internet routing, *someone* will end up NATting traffic.
How to set this up:
- first make sure that the LAN behind your GW client is accessible from the other client; then try adding GW routing by adding some manual routing *and* add a return route on the gw-client LAN so that it knows that network 10.0.1.1 is to be found "behind" the gw-client

I'd recommend *not* using client-to-client for this during debugging, but using IP forwarding on the VPN server instead. That way, you can watch the flow of traffic on the server using tcpdump/wireshark.

client2 <-> VPN server <-> gw-client <-> internet

HTH,

JJK


=== client.conf:
client
remote IP
proto tcp
dev-type tun

tls-client
remote-cert-tls server
ca
cert
key


=== server.conf:
local 0.0.0.0
port 1194
proto tcp-server
dev-type tun
persist-tun
topology subnet

tls-server
ca
key
cert
dh

mode server
ifconfig 10.0.1.1 255.255.255.0
client-config-dir ccd

client-to-client
push "topology subnet"
push "route-gateway 10.0.1.1"
push "route 10.0.1.0 255.255.255.0"

push "route 10.0.2.0 255.255.255.0"
push "route 10.0.3.0 255.255.255.0"

route 10.0.2.0  255.255.255.0 10.0.1.2
route 10.0.3.0  255.255.255.0 10.0.1.3


=== ccd/A
ifconfig-push 10.0.1.2 255.255.255.0
iroute 10.0.2.0 255.255.255.0


=== ccd/B
ifconfig-push 10.0.1.3 255.255.255.0
iroute 10.0.3.0 255.255.255.0
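To make the flow JJK describes concrete, here is an added Python model (not from the thread and not OpenVPN code) of the thread's own topology with client-to-client off: it traces a packet through the kernel tables of B, the server and A and through the server's OpenVPN iroute table, and shows why B's default route via 10.0.1.2 leaves by the server's own uplink, what the gw-client's return route fixes, and why the gw-client also needs an iroute covering the internet address (modelled with a single /32, like sergio's 8.8.8.8 iroute). The routing tables and the internet host 1.1.1.1 are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's routed topology: "topology subnet", client-to-client
# off and IP forwarding on the server (JJK's debugging advice). Each kernel table maps a
# prefix to a VPN next hop, the node's own LAN, or its internet uplink (eth0).
KERNEL = {
    "server": {"10.0.1.0/24": "tun0", "10.0.2.0/24": "10.0.1.2",
               "10.0.3.0/24": "10.0.1.3", "0.0.0.0/0": "eth0"},
    "A": {"10.0.1.0/24": "tun0", "10.0.2.0/24": "lan",
          "10.0.3.0/24": "10.0.1.1", "0.0.0.0/0": "eth0"},  # A: the gateway client
    "B": {"10.0.1.0/24": "tun0", "10.0.3.0/24": "lan",
          "10.0.2.0/24": "10.0.1.1", "0.0.0.0/0": "10.0.1.2"},  # B: default via A
}
# OpenVPN's own table on the server: each client's ifconfig-push address and iroutes.
IROUTE = {"A": ["10.0.1.2/32", "10.0.2.0/24"], "B": ["10.0.1.3/32", "10.0.3.0/24"]}

def lookup(table, dst):
    """Longest-prefix match, as the kernel does."""
    nets = [ipaddress.ip_network(p) for p in table]
    best = max((n for n in nets if dst in n), key=lambda n: n.prefixlen, default=None)
    return None if best is None else table[str(best)]

def owner(addr):
    """The client whose iroute covers addr; OpenVPN forwards to it and accepts from it."""
    return next((c for c, ps in IROUTE.items()
                 if any(addr in ipaddress.ip_network(p) for p in ps)), None)

def trace(node, src, dst, max_hops=8):
    """Follow one packet hop by hop; returns (nodes visited, where it ended up)."""
    src, dst, path = ipaddress.ip_address(src), ipaddress.ip_address(dst), [node]
    for _ in range(max_hops):
        nh = lookup(KERNEL[node], dst)
        if nh in ("lan", "eth0", None):
            return path, f"{node}:{nh or 'unreachable'}"
        if node == "server":
            # OpenVPN never sees the kernel's gateway; it picks the client by dst via iroute.
            node = owner(dst)
            if node is None:
                return path, "server:dropped (no iroute covers dst)"
        else:
            # Client -> server: a source no iroute of that client covers is dropped.
            if owner(src) != node:
                return path + ["server"], "server:dropped (bad source address)"
            node = "server"
        path.append(node)
    return path, "routing loop"

if __name__ == "__main__":
    print(trace("B", "10.0.3.17", "10.0.2.32"))  # (['B', 'server', 'A'], 'A:lan')
    print(trace("B", "10.0.3.17", "1.1.1.1"))    # (['B', 'server'], 'server:eth0')
```

Adding `"1.1.1.1/32": "10.0.1.2"` to the server's kernel table alone makes the server drop the packet (no iroute covers it); only together with `iroute` for 1.1.1.1/32 on A does the packet leave through A, and the reply from 1.1.1.1 reaches 10.0.3.17 only while A keeps its return route for 10.0.3.0/24.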



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users