On 10/2/22 7:42 AM, Bo Berglund wrote:
About 6 months ago I set up a system where I have two fiber-connected LAN
segments in different locations tied together with OpenVPN into one single LAN
using addresses 192.168.117.x and 192.168.119.x.

Point of semantics... you don't have one single LAN; you simply have routed connections between two subnets. One single LAN would imply you're bridging and both segments are on 192.168.117.x or the other... but that aside.


So now I wonder how I should set up the OpenVPN server on the main LAN such that
if a client wants to talk to a device on the 117 segment it can actually reach
it?



* You need to push the route down for .117 otherwise your connected mobile client has no idea what to do with .117 traffic.

* Use a CCD file to give your mobile client the same IP from the pool.

* Then use iptables or equivalent to NAT the mobile client's pool-assigned IP address to the .119 address of the server, thus it can participate in the site-to-site configuration without the 117 side needing routing for the pool's subnet.



The server is set up for a split tunnel such that if a client addresses the
server side LAN it will route through the tunnel but for Internet traffic it
should use the local gateway directly.
Now I think that it is actually doing this for traffic to LAN segment 117 too
and this is what I would like to change.

Here is my server side conf file:

# this is the config for local only access
port 1190
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
topology subnet
server 10.8.139.0 255.255.255.0  'nopool'
ifconfig-pool 10.8.139.2 10.8.139.127 255.255.255.0
ifconfig-pool-persist ipplocal.txt
push "route 192.168.119.0 255.255.255.0" #Local LAN access
push "dhcp-option DNS 192.168.119.1" #Local server
push "dhcp-option DNS 208.67.220.220" #Public server
keepalive 10 120
cipher AES-256-CBC
#Disable compression and push this to the client
comp-lzo no
push "comp-lzo no"

# This is needed for site-to-site routing via remote Router
client-config-dir /etc/openvpn/ccdl
route 192.168.117.0 255.255.255.0
# Allow other clients to the server to also reach remote
client-to-client
push "route 192.168.117.0 255.255.255.0"
# end site-to-site routing
max-clients 20
persist-key
persist-tun
status /etc/openvpn/log/ovpn-status_local.log
log /etc/openvpn/log/ovpn_local.log
verb 4
mute 10
explicit-exit-notify 1
push "explicit-exit-notify 1"

It seems like the following line does not affect the connected VPN clients on
the server LAN:
route 192.168.117.0 255.255.255.0

What could I change to make it work?

Can this line be modified to encompass a larger subnet maybe?
push "route 192.168.119.0 255.255.255.0" #Local LAN access

for example 192.168.116.0/22 (covering 116, 117, 118, 119)




_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
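The CCD and NAT steps from the reply above, as an added example script (not code from the thread). The CCD directory, VPN subnet and pool range are taken from the posted server.conf; the client name, its fixed address and the server's own .119 address are assumptions.

```shell
#!/bin/sh
# Added example: pin a mobile client to a fixed VPN address via a CCD file, then
# SNAT that address to the server's .119 LAN address for traffic to the .117 site.
CCD_DIR=/etc/openvpn/ccdl          # client-config-dir from the posted server.conf
VPN_PREFIX=10.8.139                # server 10.8.139.0/24; dynamic pool is .2-.127
REMOTE_LAN=192.168.117.0/24        # far site behind the site-to-site router
SERVER_LAN_IP=192.168.119.10       # ASSUMED: the server's address on the .119 LAN

# in_vpn_subnet IP: succeed only for a usable host address in 10.8.139.0/24
# (.1 is the server itself). Addresses .128-.254 are not touched by the posted
# ifconfig-pool, so a fixed address there cannot collide with a dynamic lease.
in_vpn_subnet() {
  case "$1" in "$VPN_PREFIX".*) ;; *) return 1 ;; esac
  last=${1##*.}
  case "$last" in *[!0-9]*|'') return 1 ;; esac
  [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# write_ccd CN IP: create the per-client file that pins CN to IP.
# With "topology subnet" the second ifconfig-push argument is the netmask.
write_ccd() {
  in_vpn_subnet "$2" || { echo "refusing $2: not a host in $VPN_PREFIX.0/24" >&2; return 1; }
  mkdir -p "$CCD_DIR"
  printf 'ifconfig-push %s 255.255.255.0\n' "$2" > "$CCD_DIR/$1"
}

# nat_rule IP: print the iptables rule that rewrites this client's source
# address to the server's .119 address for packets bound for the .117 site,
# so the remote router needs no route back to 10.8.139.0/24.
nat_rule() {
  printf 'iptables -t nat -A POSTROUTING -s %s/32 -d %s -j SNAT --to-source %s\n' \
    "$1" "$REMOTE_LAN" "$SERVER_LAN_IP"
}

# provision CN IP: write the CCD file and install the rule (needs root).
# Set DRY_RUN=1 to only print the rule instead of applying it.
provision() {
  write_ccd "$1" "$2" || return 1
  if [ -n "$DRY_RUN" ]; then nat_rule "$2"; else eval "$(nat_rule "$2")"; fi
}
```

Note that with client-to-client in the posted config, traffic OpenVPN forwards directly between two clients of the same instance never passes through the kernel, so this SNAT rule only takes effect where the path to .117 leaves via a kernel route (a LAN next hop or a separate site-to-site tunnel).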