VPN creates subnets for me


Good morning. I am installing a VPN server in such a way that I have two virtual machines: one has the OpenVPN service and the other has an Apache service running. Both machines are in the same network segment, 10.8.0.1 (VPN) and 10.8.0.3 (Apache). The Apache virtual machine does not have Internet access while the VPN one does; we have a static address and a redirected port on the router.

This is our configuration of the server.conf file:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpn.crt
key /etc/openvpn/easy-rsa/keys/vpn.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.220 255.255.255.0"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

When establishing a VPN connection from the client, whether Windows or OS X, it connects perfectly and even browses the Internet from this new public IP, but nevertheless it is unable to ping the machine that has Apache, which thanks to the VPN is already within its own network. It is as if OpenVPN made small subnets every time someone connects, since the network mask it assigns to the client is always 255.255.255.252.

asked by Ramón Devesa 12.09.2017 at 10:12

1 answer


Description

Your main problems are two:

  • Using the same IP range for the LAN as for the VPN clients.
  • Having the client-to-client option enabled, which prevents packets destined for the VPN IP range from leaving the openvpn server.

Proposed solution (1)

I would suggest changing the network topology from net30 to subnet to make management easier, but if you do not want to make many changes I propose only the following:

server 10.9.0.0 255.255.255.0
ifconfig 10.9.0.1 10.9.0.2

This way the VPN will assign IPs outside the LAN range and, therefore, you will have no problem communicating with the machines on it (whatever the client-to-client configuration).

Now you must add a static route on the Apache machine so that it knows how to reach the VPN clients, as follows:

ip route add 10.9.0.0/24 via 10.8.0.1

Once these changes are made, you should have bidirectional connectivity between your VPN client and the Apache server.

The best tool for debugging traffic routing problems in IP networks is traceroute.

To check the hops and that the packets arrive correctly, run from your VPN client:

traceroute -n 10.8.0.3

And from your Apache server you can check the reverse route with:

traceroute -n 10.9.0.2

The main disadvantage of this approach is that, since you do not want Internet access on the Apache server and do not want to configure a default route, you have to add a static route so that it knows how to reach the VPN clients.

Proposed solution (2)

To avoid having to add static routes on the Apache server, NAT can be used so that VPN clients contact it using the LAN IP of the VPN server.

To the previous solution (without adding the static route on the Apache server) we would add the following iptables rule on the VPN server:

iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j MASQUERADE

The main disadvantage of this approach is that, in the eyes of the Apache server, the connections are established by the VPN server, so we cannot tell which particular VPN client a connection belongs to.

Final configuration file

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpn.crt
key /etc/openvpn/easy-rsa/keys/vpn.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.9.0.0 255.255.255.0
ifconfig 10.9.0.1 10.9.0.2
push "route 10.8.0.0 255.255.255.0"
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
answered 12.09.2017 at 10:56
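The answer's diagnosis (VPN pool overlapping the LAN, plus the per-client /30 that the default net30 topology hands out) can be checked offline before touching routes or iptables. The script below is an added example, not code from the question or the answer: it parses a server.conf, reports whether the `server` pool overlaps the LAN the Apache host sits on, whether any pushed route covers that LAN, and what addresses a client receives under net30. The two config texts are constructed, trimmed copies of the ones on the page, and the LAN range 10.8.0.0/24 is taken from the question.

```python
"""Added example: audit an OpenVPN server.conf for the addressing problems in the thread.

Not code from the original post. Config texts below are constructed copies of the
page's configs, shortened to the directives that matter for addressing.
"""
import ipaddress

ORIGINAL_CONF = """\
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.220 255.255.255.0"
push "redirect-gateway def1"
client-to-client
"""

FIXED_CONF = """\
server 10.9.0.0 255.255.255.0
ifconfig 10.9.0.1 10.9.0.2
push "route 10.8.0.0 255.255.255.0"
"""


def parse_conf(text):
    """Split server.conf into token lists; the body of push "..." is unquoted."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "push":
            parts = ["push"] + line[4:].strip().strip('"').split()
        opts.append(parts)
    return opts


def vpn_pool(opts):
    """Client address pool from the 'server' directive, or None if absent."""
    for p in opts:
        if p[0] == "server" and len(p) >= 3:
            return ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
    return None


def topology(opts):
    for p in opts:
        if p[0] == "topology" and len(p) >= 2:
            return p[1]
    return "net30"  # OpenVPN 2.x default when the directive is absent


def pushed_routes(opts):
    """Networks the server hands to clients via push "route ...". """
    routes = []
    for p in opts:
        if p[0] == "push" and len(p) >= 3 and p[1] == "route":
            mask = p[3] if len(p) >= 4 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{p[2]}/{mask}", strict=False))
    return routes


def net30_client_addresses(pool, n):
    """(client_ip, server_endpoint, /30) given to the n-th client (1-based) under net30.

    net30 keeps the first /30 of the pool for the server itself (ifconfig .1 .2)
    and gives each client the next /30: the client uses the 3rd address and talks
    to the 2nd, which is why clients see mask 255.255.255.252.
    """
    pool = ipaddress.ip_network(pool, strict=False)
    sub = ipaddress.ip_network((int(pool.network_address) + 4 * n, 30))
    return str(sub[2]), str(sub[1]), str(sub)


def audit(conf_text, lan_cidr):
    """Return the problems found as strings; an empty list means the layout is sane."""
    opts = parse_conf(conf_text)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    pool = vpn_pool(opts)
    if pool is None:
        return ["no 'server' directive: this is not a server config"]
    issues = []
    if pool.overlaps(lan):
        # The question's setup: pool 10.8.0.0/24 laid on top of LAN 10.8.0.0/24.
        issues.append(f"VPN pool {pool} overlaps LAN {lan}; move one of them")
    if not any(r.overlaps(lan) for r in pushed_routes(opts)):
        issues.append(f"no pushed route covers LAN {lan}; clients will not reach it")
    if topology(opts) == "net30":
        c1 = net30_client_addresses(pool, 1)
        issues.append(f"topology net30: first client gets {c1[0]} in {c1[2]}; "
                      "use 'topology subnet' for a flat pool")
    return issues


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(f"[{name}]")
        for issue in audit(conf, "10.8.0.0/24"):
            print("  -", issue)
```

Running it reports the overlap for the original config and only the net30 note for the fixed one. That note is also why the reverse traceroute target matters: under net30 the server's own tun endpoint is 10.9.0.2, and the first connected client is addressed 10.9.0.6 (in 10.9.0.4/30), so that is the address to trace back to from the Apache host unless `topology subnet` is set. The check is static; it does not replace traceroute for confirming the live path.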