On Tue, 8 Mar 2022 08:54:01 +0100, Gert Doering <g...@greenie.muc.de> wrote:
>Hi,
>
>On Tue, Mar 08, 2022 at 08:45:27AM +0100, Bo Berglund wrote:
>> OK so let me see:
>> The client (the RPi4) is getting a route on to the server-side LAN. That happens
>> on *all* of my clients, I guess thanks to this server-side directive:
>>
>> push "route 192.168.119.0 255.255.255.0" #Local LAN
>>
>> The client itself gets a DHCP-assigned address from this:
>>
>> ifconfig-pool 10.8.139.2 10.8.139.127 255.255.255.0
>>
>> So since it is on a different network than my home LAN, then in order for the
>> server-side device to connect to the VPN client it will need a route to the
>> 10.8.139.x network, which is via the OpenVPN server...
>
>Right.
>
>> I guess that if I want to be able to use this then I have to either add a route
>> specifically on the device needing the connection which is targeting the OpenVPN
>> server, right? I don't know how to do this.
>
>If it's a Windows box, run "route add ..." from cmd.exe - if it's a
>Linux box, run "ip route add ...". On Windows, this can be auto-persistent
>(route add /p, if I remember right), on Linux you need to find out where
>in /etc/ your distribution expects static routes.
>
>> Or else I could add a route on the server-side router for that VPN network like
>> I did when connecting my two LANs together as described in the previous
>> thread.
>
>Yep. Same thing: make sure all devices know where to send packets "to the
>other side" to.

I will go this router-route way then, so it does not matter which device on the
home LAN I use to talk to the connected client through.
And I will use ccd commands to set the client's tunnel address to a known value.
(Which will be outside the server's tunnel DHCP range to avoid possible
collisions.)

>> But how do I need to prepare the OpenVPN server such that it will actually
>> accept this routing call?
>
>There is no "routing call". Routing is done individually on each involved
>device - so, if the OpenVPN server can reach the VPN client (RPi), then
>routing is fine.
>
>You might need to enable IP forwarding (/etc/sysctl.conf) for it to forward
>packets coming in from other hosts.

I already have this in that file (as part of setting up the OpenVPN server at
the beginning):

net.ipv4.ip_forward=1

>> An iroute setting in the server conf file or a new ccd entry with the iroute?
>
>iroutes will only be needed if you need to make a "network behind a VPN client"
>known to the VPN Server. If you do pools only, the VPN server already knows.

I had to do that in order for the connection to the remote LAN behind the
client to work.
But since it is now about connecting to a client's tunnel address, I figured
there would be some other setting needed.

My IPTABLES are set as follows on the OVPN server:

# Generated by iptables-save v1.8.4 on Tue Mar 8 11:50:28 2022
*nat
:PREROUTING ACCEPT [1343362:193943601]
:INPUT ACCEPT [596812:115289779]
:OUTPUT ACCEPT [837499:76350000]
:POSTROUTING ACCEPT [870928:79291578]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.139.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 8 11:50:28 2022
# Generated by iptables-save v1.8.4 on Tue Mar 8 11:50:28 2022
*filter
:INPUT ACCEPT [140926446:169398823782]
:FORWARD ACCEPT [180058449:231184079442]
:OUTPUT ACCEPT [227125196:294858677166]
COMMIT
# Completed on Tue Mar 8 11:50:28 2022

Incidentally, the 10.8.0.0/24 is there from "way back when" during my first
installation of the OVPN server...
I have later moved away from the cook-book suggestions to use 10.8.0.x as the
network.

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
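The two pieces the thread settles on, a fixed ccd address for the RPi4 placed outside the ifconfig-pool range and a static route on the home LAN pointing the tunnel network at the OpenVPN server, as an added example (not from the mail thread or from the OpenVPN project). It takes the tunnel network, pool range and home LAN from the posts above; the server's LAN address (192.168.119.10), the client's certificate CN (rpi4), the fixed address (10.8.139.200) and "topology subnet" are assumptions. The collision check matters because two clients holding the same tunnel address silently steal each other's traffic, and the pool will happily hand out any address inside its range. Note also that the MASQUERADE rules in the posted iptables only rewrite packets leaving eth0 from the tunnel net, so they cover client-initiated connections but do nothing for LAN-initiated ones; those need the route, while the FORWARD chain's ACCEPT policy means no filter change is required.

```sh
#!/bin/sh
# Added example, not from the mail thread: choose a fixed tunnel address for the
# RPi4's ccd entry, check it cannot collide with the ifconfig-pool range, and
# print the static routes the home LAN needs for LAN-initiated connections.
# From the thread: tunnel net 10.8.139.0/24, pool 10.8.139.2-10.8.139.127,
# home LAN 192.168.119.0/24. Assumed (not in the thread): the server's LAN
# address, the client's CN, the fixed address, and "topology subnet" on the
# server (under the older net30 topology ifconfig-push takes a local/remote
# address pair instead of address/netmask).

TUN_NET=10.8.139.0
TUN_MASK=255.255.255.0
POOL_LO=10.8.139.2
POOL_HI=10.8.139.127
SERVER_LAN_IP=192.168.119.10   # assumed LAN address of the OpenVPN server
CLIENT_CN=rpi4                 # assumed certificate CN; the ccd file is named after it
CLIENT_ADDR=10.8.139.200       # assumed fixed tunnel address, above the pool

MASK24=4294967040              # 255.255.255.0 as an integer (0xFFFFFF00)

# Dotted-quad IPv4 -> 32-bit integer (subshell so the IFS change is not leaked)
ip2int() {
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# True when $1 lies inside the inclusive pool range [$2, $3]
in_pool() {
    ip=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# True when $1 is in the same /24 as $2 (the pool line uses a /24 mask)
same_subnet24() {
    ip=$(ip2int "$1"); net=$(ip2int "$2")
    [ $(( ip & MASK24 )) -eq $(( net & MASK24 )) ]
}

# Emit the ccd line for a fixed address, refusing anything outside the tunnel
# /24 or anything the pool could also hand out to another client.
ccd_entry() {
    addr=$1
    if ! same_subnet24 "$addr" "$TUN_NET"; then
        echo "error: $addr is not inside $TUN_NET/24" >&2
        return 1
    fi
    if in_pool "$addr" "$POOL_LO" "$POOL_HI"; then
        echo "error: $addr collides with ifconfig-pool $POOL_LO-$POOL_HI" >&2
        return 1
    fi
    printf 'ifconfig-push %s %s\n' "$addr" "$TUN_MASK"
}

# Route for a Linux host (or the LAN router): tunnel net via the OpenVPN server
lan_route_linux() {
    printf 'ip route add %s/24 via %s\n' "$TUN_NET" "$SERVER_LAN_IP"
}

# Persistent route for a Windows host on the home LAN (the flag is -p, not /p)
lan_route_windows() {
    printf 'route -p add %s mask %s %s\n' "$TUN_NET" "$TUN_MASK" "$SERVER_LAN_IP"
}

# Stand-alone run: the ccd content for $CLIENT_CN and the two route commands
ccd_entry "$CLIENT_ADDR"      # -> ifconfig-push 10.8.139.200 255.255.255.0
lan_route_linux
lan_route_windows
```

To use it, the server config needs a "client-config-dir ccd" line, and the output of ccd_entry goes into a file named after the client's CN (here ccd/rpi4); the address stays valid across reconnects without depending on ifconfig-pool-persist. The route line goes on the LAN router if, as the post says, every home-LAN device should reach the client, or on the single device that needs it otherwise.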