
I have the following OpenVPN setup; the goal is to let host D connect to any of the (Linux) computers in the corporate network to do some maintenance work:

        corporate network                           remote vpn server
=============================================      =====================
    A                B          C(vpn client)      D(vpn server)
10.0.10.101 ---- 10.0.10.100                   |
                 10.0.51.100 ---- 10.0.51.101  |
                                  10.8.1.2  ---|-- 10.8.1.1
                                               |

host B route table:

10.8.1.0/24 via 10.0.51.101

host C route table:

10.0.10.0/24 via 10.0.51.100

host D route table:

10.0.10.0/24 via 10.8.1.2
10.0.51.0/24 via 10.8.1.2

OpenVPN is set up with subnet topology, which links to the corporate network subnet 10.0.51.0/24.

My purpose is to let host D reach host A. Here is the progress I have made:

  1. B ping through to D (10.8.1.1): OK
  2. D ping through to B (10.0.10.100): Failed
  3. D ping through to B (10.0.51.100): OK
  4. B ping C (10.0.51.101 / 10.8.1.2): OK
  5. C ping B (10.0.10.100 / 10.0.51.100): OK

It seems that the route 10.0.10.0/24 via 10.8.1.2 is being ignored when doing a traceroute. How can I set things up so that host D on subnet 10.0.51.0/24 can reach 10.0.10.0/24?

  • Are you using OpenVPN in tun or tap mode? – Commented Sep 13, 2019 at 6:01
  • It's in tun mode. – georgehu, Commented Sep 13, 2019 at 17:27

1 Answer

OpenVPN's tun interfaces are layer 3 only – they do not use anything like MAC addresses, and packets sent through them do not have a layer-2 header.

This means that the kernel actually has no way to select which gateway to use when sending packets over a tun interface, and all your via 10.8.1.x routes just act like they were dev tun0 routes.

To solve this, the VPN server software itself (i.e. the receiving end of the tun interface) needs to have its own internal routing table mapping destination addresses to clients, and in OpenVPN this is called "iroute".

  1. You need to use client-config-dir on server D to be able to specify per-client configuration (as OpenVPN decided to make iroutes client-based, without the ability to specify a gateway IP).

  2. In the server's per-client config file for host C, add the options iroute 10.0.10.0 255.255.255.0 and iroute 10.0.51.0 255.255.255.0.

The same applies to all layer-3 VPNs. (For example, WireGuard uses AllowedIPs= to route destinations to different clients on the same interface.)

  • It works like this: the operating system's routing will get the traffic to the OpenVPN gateway. But it knows nothing of how the various OpenVPN clients are configured. iroute then tells OpenVPN which remote client to send the traffic to for its "next hop." – Commented Mar 13, 2020 at 19:28
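The two steps from the answer, written out as an added example configuration for server D (this is not the answer's or the OpenVPN project's own configuration). The paths /etc/openvpn/server.conf and /etc/openvpn/ccd, the "server 10.8.1.0" line and the client name hostC are assumptions; the ccd file name must match the Common Name in host C's client certificate.

```conf
# --- /etc/openvpn/server.conf on host D (path and server line are assumptions) ---
dev tun
topology subnet
server 10.8.1.0 255.255.255.0      # D gets 10.8.1.1, first client gets 10.8.1.2

# Kernel-side routes: make D's kernel hand packets for the two corporate
# subnets to the tun interface. This replaces the manually added
# "via 10.8.1.2" routes; the gateway address is meaningless on a tun
# interface, only "dev tunX" has any effect.
route 10.0.10.0 255.255.255.0
route 10.0.51.0 255.255.255.0

# OpenVPN-side per-client configuration is read from this directory.
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/hostC (file name = CN of C's certificate; "hostC" is assumed) ---
# OpenVPN-internal routes: packets for these subnets that arrive on the tun
# interface are forwarded to this client (C), and packets from C with a
# source address in these subnets are accepted instead of being dropped.
iroute 10.0.10.0 255.255.255.0
iroute 10.0.51.0 255.255.255.0

# Optional: pin C to 10.8.1.2 so the "via 10.0.51.101" route on host B and
# the diagram above stay valid across reconnects (subnet topology form).
ifconfig-push 10.8.1.2 255.255.255.0
```

Both halves are needed: the route lines alone get packets as far as the tun interface, and the iroute lines alone never see traffic because the kernel does not send it to OpenVPN. Without the iroute lines, replies from A arriving through C are dropped on D with a "MULTI: bad source address from client [hostC], packet dropped" entry in the server log, which is a quick way to confirm the diagnosis.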
