
I set up an OpenVPN server (VPN ip=10.8.0.1) on a server with a public IP. I also have a workstation (Ubuntu) in my laboratory with a school IP that can access the school's intranet resources.

I want my Android phone and Windows PC to be able to access those resources. So I:

  • OpenVPN server config:

    dev tun
    topology subnet
    server 10.8.0.0 255.255.255.0
    client-config-dir /etc/openvpn/server/ccd
    push "route 10.8.0.0 255.255.255.0"
    push "route-gateway 10.8.0.3"

  • Connect my workstation to the server and get the IP 10.8.0.3; its ccd config (equivalent to a client config) is:

    ifconfig-push 10.8.0.3 255.255.255.0

  • On the workstation, I used iptables and added some entries:

    $ sudo iptables -t filter -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    $ sudo iptables -t nat -S
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -A POSTROUTING -s 10.8.0.0/24 -o wlx0810752b55c9 -j MASQUERADE

  • The ccd config of my pc at home is:

    ifconfig-push 10.8.0.5 255.255.255.0
    push "route-gateway 10.8.0.3"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"

  • Result 1: The PC cannot connect to the internet. The route table of that PC is:

    route print -4
    0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.21 35
    0.0.0.0 128.0.0.0 10.8.0.3 10.8.0.5 291
    128.0.0.0 128.0.0.0 10.8.0.3 10.8.0.5 291

The latter two entries are what "redirect-gateway def1" added, without removing the original default gateway. I am curious why def1 works to redirect traffic, because the original default gateway is still there with a better metric, so no traffic would go through the VPN.

  • Result 2: My Android phone cannot either.

    $ busybox ip route show table all
    default via 10.183.93.203 dev ccmni0 table 1002
    default dev tun0 src 10.8.0.4
    10.8.0.0/24 dev tun0 table 1015
    10.8.0.0/24 dev tun0 src 10.8.0.4 ...

I made sure that the workstation didn't receive the traffic:

    $ sudo tcpdump -i tun0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
    $

I have gone through many topics about this with no working solution. So, can anyone help me? Any suggestion is appreciated!
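An added example (not part of the original question) that applies longest-prefix-match route selection to the three `route print -4` rows above. It shows that the two `def1` halves (0.0.0.0/1 and 128.0.0.0/1) win over the original 0.0.0.0/0 default route because they are more specific; the metric only breaks ties between routes of equal prefix length. The table below is copied from the post; no other routes are assumed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text):
    """Parse 'route print -4' rows of the form: dest mask gateway iface metric."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface, metric = line.split()
        # IPv4Network accepts the dotted-mask form "a.b.c.d/m.m.m.m"
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, iface, int(metric)))
    return routes


def select_route(dest, routes):
    """Longest prefix wins; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


# Constructed from the three rows shown in the question (Windows PC, 10.8.0.5).
ROUTE_TABLE = """
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.21 35
0.0.0.0 128.0.0.0 10.8.0.3 10.8.0.5 291
128.0.0.0 128.0.0.0 10.8.0.3 10.8.0.5 291
"""


def next_hop(dest, table=ROUTE_TABLE):
    """Gateway chosen for dest with the def1 routes present."""
    route = select_route(dest, parse_route_print(table))
    return route.gateway if route else None


def next_hop_without_def1(dest, table=ROUTE_TABLE):
    """Gateway chosen for dest if the two /1 routes added by def1 were absent."""
    routes = [r for r in parse_route_print(table) if r.network.prefixlen != 1]
    route = select_route(dest, routes)
    return route.gateway if route else None
```

So with def1 in place every destination is already sent to 10.8.0.3 over tun0; whether the workstation then forwards it is a separate question from route selection on the PC.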

  • Do you have client-to-client enabled in the OpenVPN server config? Commented Apr 2, 2018 at 5:57

1 Answer


In the ccd directory on the server, the workstation file should contain iroute. Try that please. I'm trying to do the same thing without using the Access Server, using a Linux client as gateway as shown here: https://www.youtube.com/watch?v=b7qr0laM8kA
