
I have two networks.

First network: 192.168.10.0/24 (router TP-LINK [192.168.10.10] and RPI [192.168.10.17])
Second network: 192.168.15.0/24 (only one RPI [192.168.15.10])

I would like a site-to-site OpenVPN between the two Raspberry Pis.

On the first network I have installed the OpenVPN server, with this configuration:

server 10.10.10.0 255.255.255.0
verb 3
<keys>
client-config-dir /etc/openvpn/ccd
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
port 1194
dev tun0

user nobody
group nogroup

### Route Configurations Below
route 192.168.15.0 255.255.255.0

### Push Configurations Below
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.15.0 255.255.255.0"

ccd file named client3 (the name is OK, I see the line in the logs when OpenVPN starts):

iroute 192.168.15.0 255.255.255.0
#push "route 192.168.10.10 255.255.255.0 vpn_gateway"

RPI server routing table:

rafal@raspberrypi:~ $ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.10.10   0.0.0.0         UG        0 0          0 eth0
10.10.10.0      10.10.10.2      255.255.255.0   UG        0 0          0 tun0
10.10.10.2      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.15.0    10.10.10.2      255.255.255.0   UG        0 0          0 tun0
+ a lot of docker subnets like:
xxx.21.0.0      0.0.0.0         255.255.0.0     U         0 0          0
xxx.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 

On the server side I also configured the TP-Link router. I added a route:
Network Destination | Subnet Mask | Default Gateway
192.168.15.0 | 255.255.255.0 | 192.168.10.17

On the client side I have a complicated situation. The RPI has:

  • ppp0 connection (to Internet)
  • eth0 LAN [192.168.15.10] and network 192.168.15.0/24
  • eth0 WLAN [192.168.16.10] and network 192.168.16.0/24
  • OpenVPN Client

OpenVPN client configuration:

client
nobind
dev tun
remote-cert-tls server

remote my_address 1194 udp

<keys>
key-direction 1

redirect-gateway def1

RPI client routing table:

rafal@raspberrypi:~ $ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
10.10.10.1      10.10.10.5      255.255.255.255 UGH       0 0          0 tun0
10.10.10.5      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.64.64.64     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.10.0    10.10.10.5      255.255.255.0   UG        0 0          0 tun0
192.168.15.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.16.0    0.0.0.0         255.255.255.0   U         0 0          0 wlan0

I have a connection between the RPIs. I can ping from subnet 192.168.10.0 (from any client) to 192.168.15.0 (any client), but a client from 192.168.15.0 can only ping the RPI (192.168.10.17). The RPI (192.168.15.10) can only ping 192.168.10.17 (the RPI server).

What route should be added to the RPI routing table? What's going wrong?

  • Could someone help?
    – Rafal
    Commented Oct 12, 2023 at 23:04
  • I found the solution: iptables on the RPI server blocks packets/connections. I added: sudo iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
    – Rafal
    Commented Nov 5, 2023 at 3:42
  • Masquerade is only for WAN interfaces - why is it believed this is the solution?
    – JW0914
    Commented Dec 30, 2023 at 12:33

1 Answer


I found the solution: iptables on the RPI server blocks packets/connections.
I added on the RPI server:
sudo iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

  • Masquerade is only for WAN interfaces - it shouldn't be used for non-WAN interfaces for various reasons
    – JW0914
    Commented Dec 30, 2023 at 12:29
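As an added check (not from the question or the answer above), the script below audits an OpenVPN server config, its ccd files and an iptables-save dump for the two things this thread turned on: every ccd `iroute` needs a matching server `route` (and a `push "route"` if other clients should reach that site), and NAT rules must not masquerade tunnel or remote-site traffic onto the LAN interface. The inputs are constructed to mirror the question; a hypothetical `client4` and a second NAT rule are added to show a failing case.

```python
import ipaddress
import re

# Constructed inputs mirroring the question's server (not copied from the poster's machine).
SERVER_CONF = """server 10.10.10.0 255.255.255.0
route 192.168.15.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.15.0 255.255.255.0"
"""
CCD = {"client3": "iroute 192.168.15.0 255.255.255.0\n",
       "client4": "iroute 192.168.16.0 255.255.255.0\n"}  # hypothetical site with no 'route'
IPTABLES_SAVE = """*nat
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -o ppp0 -j MASQUERADE
COMMIT
"""

def nets(text, prefix):
    """Subnets from lines like '<prefix> 192.168.15.0 255.255.255.0' (prefix may be a regex)."""
    pat = re.compile(rf'^{prefix}\s+([\d.]+)\s+([\d.]+)', re.M)
    return {ipaddress.ip_network(f"{a}/{m}") for a, m in pat.findall(text)}

def audit(server_conf, ccd, iptables_save, lan_if="eth0"):
    """Return findings: iroutes without route/push lines, and NAT applied to VPN traffic on the LAN."""
    findings = []
    tunnel = nets(server_conf, "server")           # the tun address pool
    kernel_routes = nets(server_conf, "route")     # routes the server installs towards tun
    pushed = nets(server_conf, r'push\s+"route')   # routes handed to every client
    remote_lans = set()
    for client, text in ccd.items():
        for net in nets(text, "iroute"):
            remote_lans.add(net)
            if net not in kernel_routes:
                findings.append(f"{client}: iroute {net} has no matching 'route' line, so the "
                                f"kernel never sends {net} traffic into the tunnel")
            if net not in pushed:
                findings.append(f"{client}: {net} is not pushed, other clients cannot reach it")
    protected = tunnel | remote_lans
    for m in re.finditer(r'^-A POSTROUTING\s+(.*?)-j\s+(MASQUERADE|SNAT)', iptables_save, re.M):
        opts, target = m.groups()
        src = re.search(r'-s\s+(\S+)', opts)
        out = re.search(r'-o\s+(\S+)', opts)
        src_net = ipaddress.ip_network(src.group(1) if src else "0.0.0.0/0")
        if out and out.group(1) == lan_if and any(src_net.overlaps(n) for n in protected):
            findings.append(f"{target} of {src_net} out {lan_if}: rewrites the source of VPN "
                            f"traffic entering the LAN, so LAN hosts see the server, not the peer")
    return findings
```

Run `audit(SERVER_CONF, CCD, IPTABLES_SAVE)` against the constructed inputs: client3 is clean, client4 yields two findings, and only the eth0 masquerade rule (the one the answer deleted) is flagged.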
