Skip to main content
  1. Posts/

Note on OpenVPN Routing

·447 words·3 mins·
Administration note networking vpn security 100DaysToOffload
May Meow
Author
May Meow
MayMeow is a developer and cybersecurity enthusiast with a passion for cryptography, DevSecOps, and open-source contributions. They enjoy creating tools that strengthen digital security, blending creativity and technology to innovate in fields like PHP and .NET. Always exploring new frontiers in tech, MayMeow is dedicated to safeguarding the digital landscape through their work.
Table of Contents

Hi!. This one will be short. I should have created routing to my server from internet over OpenVPN. Problem was not with forwarding on itself, you can find a lot of tutorials on internet and basicaly you just need to follow them. Problem for me was that i have my server in clients network.

What you have to do on client?
#

  • Open /etc/default/ufw and change forward policy to ACCEPT,
  • Open etc/ufw/before.rules and add following code
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
# Add all interfaces you have on server
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

This allowing traffic from OpenVPN to eth0. If you have more interfaces which you want to allow just copy -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE and change interface name. Do not forget to change IP address ow your OpenVPN network. (It’s addres of network which is created betwen server and clients). ***Note if you have more network cards do not forget each you want to be able to access trough vpn -A POSTROUTING -s 10.8.0.0/8 -o eth1 -j MASQUERADE ***

This is all for client.

What you have to do on server?
#

Following tweaks has to be added to main server configuration file /etc/openvpn/server/server.conf.

  • Push route of any server-side networks you want to have accessibile trought the VPN.
push "route 10.66.0.0 255.255.255.0"
  • Enable directive for client config dir
client-config-dir ccd

If you will have problem with folder name like me add full path /etc/openvpn/ccd and create this folder.

  • Next add route to your client (change Ip address and mask if needed).
route 192.168.4.0 255.255.255.0
  • Next you need to create configuration file for client in our case client2. The name is based on client config file name. So if you have file with name client99.ovpn than the name should be client99.

So create file ccd/client1 with following content

iroute 192.168.4.0 255.255.255.0

This is address of you client’s network and it will tell to the server that the subnet 192.168.4.0/24 should be routed to client1

  • route directive controls the routing from kernel to OpenVPN serv via TUN or TAP interface
  • iroute controls routing from the OpenVPN server to the remoter clients.

What about more clients?
#

If you have more clients you want to access eachother’s network you can do this with following directive in server config file

client-to-client
push "route 192.168.4.0 255.255.255.0"

This will cause the server advertise our client1’s network to other connected clients. You can add other client’s network if you want.

More iformation you can find Here

This is my 100DaysToOffload 1/100 post.

Reply by Email

Related

Update User Guid to Match Existing User in Microsoft 365 Azure Ad
·352 words·2 mins
Administration guide notes microsoft wiki azure
Settig Up SSH Keys for Ubuntu
·681 words·4 mins
linux ubuntu security tutorials
Initial Server Setup on Cloud Services
·398 words·2 mins
Administration Fundamentals linux ubunutu tutorial