Tony's ramblings on Open Source Software, Life and Photography

Making OpenVPN Route Both Ways With TUN

You may recall this article from last February where I described how to set up an OpenVPN server in Ubuntu.

One thing that's bothered me ever since that day is that the client could contact everything on the server's network but not vice-versa. I searched for answers for quite some time and finally gave up.

I just stumbled on the answer, and it's a really easy solution to the problem. I'm already using custom client configs, and there's only one client that I wanted dual routing with - our accounting office in Virginia.

Here are a few assumptions. Let's say the primary network with the OpenVPN server uses 192.168.1.0/24. The OpenVPN client network that's going to keep a constant link is using 192.168.2.0/24.

In the server's "server.conf" file you need the following two lines:

route 192.168.2.0 255.255.255.0
client-to-client

In that client's custom config file (the per-client file the server reads from its client-config-dir, not the config on the client machine) add the following:

push "route 192.168.1.0 255.255.255.0"
iroute 192.168.2.0 255.255.255.0

Don't forget you need to configure one or both firewalls to allow the traffic.

What this does on the server is say - when a client that owns 192.168.2.0/24 connects, send traffic for that network into the tunnel, but OpenVPN will only deliver it if the client's config claims that network.

The iroute entry in the client config file is that claim: it tells the server which connected client 192.168.2.0/24 sits behind, so our internal network can reach the other end, while the pushed route tells the client to send 192.168.1.0/24 traffic back through the tunnel.

And there you have it - full ping directly to 192.168.1.0/24 from 192.168.2.0/24 and vice-versa!
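As an added example that is not part of the original post, here is a small Python checker that parses a server.conf and a ccd file and reports which of the pieces above is missing or in the wrong file. The function names are mine, and the sample configs are the article's own lines embedded inline rather than read from /etc/openvpn.

```python
"""Check that a server.conf / ccd pair routes a client LAN both ways."""
import ipaddress
import shlex

# Constructed from the article's example lines (assumed file contents).
SERVER_CONF = "route 192.168.2.0 255.255.255.0\nclient-to-client\n"
CCD_CONF = 'push "route 192.168.1.0 255.255.255.0"\niroute 192.168.2.0 255.255.255.0\n'


def parse_directives(text):
    """Return (directive, args) tuples; '#'/';' comment lines and blanks are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route a b" as a single argument
        out.append((parts[0], parts[1:]))
    return out


def to_net(args):
    """'192.168.2.0 255.255.255.0' -> IPv4Network; a missing mask means a host route."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)


def check_site_to_site(server_conf, ccd_conf, client_lan, server_lan):
    """Return a list of problems; an empty list means both directions are configured."""
    client_lan = ipaddress.ip_network(client_lan)
    server_lan = ipaddress.ip_network(server_lan)
    server = parse_directives(server_conf)
    ccd = parse_directives(ccd_conf)
    routes = {to_net(a) for d, a in server if d == "route"}
    iroutes = {to_net(a) for d, a in ccd if d == "iroute"}
    pushed = {to_net(a[0].split()[1:]) for d, a in server + ccd
              if d == "push" and a and a[0].startswith("route ")}
    problems = []
    if client_lan not in routes:
        problems.append(f"server.conf has no 'route' for {client_lan}: the server's kernel "
                        "will not send that traffic into the tunnel")
    if client_lan not in iroutes:
        problems.append(f"ccd file has no 'iroute' for {client_lan}: OpenVPN cannot tell "
                        "which client owns that network and drops the packets")
    if server_lan not in pushed:
        problems.append(f"no push \"route\" for {server_lan}: the client will not "
                        "send server-LAN traffic into the tunnel")
    if any(d == "iroute" for d, _ in server):
        problems.append("'iroute' is in server.conf; it is only valid in the per-client ccd file")
    return problems


if __name__ == "__main__":
    print(check_site_to_site(SERVER_CONF, CCD_CONF, "192.168.2.0/24", "192.168.1.0/24") or "OK")
```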


OMEN:

Typo

Great tip, thank you.

typo
push "route 192.168.1.0 255.255.255.0"
iroute 192.168.2.0 255.255.255.0

should be

push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0

openvpn client burps up errors otherwise.

tony:

Actually not true - the iroute command sets the "inbound" route and is a standard setting for OpenVPN 2.

http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html#scope

Scroll on down from there and you'll see the iroute command listed.

But, if you try to use iroute inside the main openvpn server config file, yes it will error - but read again - that's not where it goes.

Anonymous n00b:

Not sure why this is working for anyone but I had to use the line:

iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.1/24 -j MASQUERADE

otherwise there would be no Internet on the VPN.

tony:

I typically tell OpenVPN to NOT set itself up as the default route for connected clients - that way they use their own Internet for regular browsing and my tunnel just for the servers / services I need them to get over the VPN.
