
I'm trying to use OpenVPN to set up a routed site-to-site VPN to connect two NAT-ed networks, roughly following the instructions here.

Network A uses the IP range 192.168.1.0/24. The router and OpenVPN server is 192.168.1.1 internally and has a static external IP.

Network B uses the IP range 10.0.1.0/24. The router is 10.0.1.1 internally and has a dynamic external IP. I have a Raspberry Pi I'm looking to use as a VPN client and gateway sitting at IP address 10.0.1.3.

The tricky thing is that the Network A router I'm trying to use as the OpenVPN server is a consumer-level TP Link Archer C6 v2 (AC1200). It provides only very limited configuration options in its web GUI: UDP or TCP (I chose UDP), port, subnet for clients (192.168.0.0/24), and whether clients should be able to access just the internal network or the internal network and internet. There is no way I know of to see (let alone change) a standard OpenVPN server configuration file. Nor is there a command line to set options on. It's very much oriented around the use case of accessing your home network and/or a trustworthy connection to the internet while out on the road.

So, my big question is thus: Is it even possible to set up a site-to-site VPN using this router as an OpenVPN server? Many of the configuration options are absent, but perhaps it's possible to work around them with iptables or some other tool on the gateway? I'd prefer to use the router if possible, since I'd otherwise have to deploy more hardware into network A, but possibly I'm just trying to do something that exceeds its capabilities.

To give some more detail on what I've tried so far, here's where I am:

I've been mostly following this to set up the Pi. You'll notice that, like all Pi VPN guides I've found so far, it's oriented around setting up a gateway to an internet proxy type VPN. Undoubtedly I've made mistakes trying to generalise it. Suggestions of guides that are closer to what I'm trying to do are most welcome.

The OpenVPN client configuration is:

client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo adaptive
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote [network A's external IP] [port]
#Added by me
log-append /var/log/openvpn.log
verb 4
user nobody
daemon
[certificates and keys omitted]

That allows the Raspberry Pi to connect; the tunnel endpoint is assigned the IP address 192.168.0.10.

Iptables is set up on the Pi as:

# Source-NAT everything leaving the tunnel to the Pi's tun0 address (192.168.0.10)
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Allow LAN (eth0) -> tunnel (tun0) traffic unconditionally
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
# Allow tunnel -> LAN traffic only for replies to connections started from the LAN side
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

This allows the Pi to ping and connect to the network A router, but nothing else in network A. Adding a route to network B's router that designates 10.0.1.3 as the gateway for 192.168.1.0/24 allows machines on network B to similarly ping and connect to the network A router, but nothing else. I used to be able to connect to other devices in network A, but I've broken it and I'm not sure how. The most annoying thing is that if I connect some other device (like my phone) to the VPN it can connect to other devices in network A.

The obvious problem with the iptables setup is that the first line sets up a NAT, which isn't what I want - I want devices in A to be able to see devices in network B. I tried changing to -j DNAT, but that didn't seem to help. I also tried replacing the first and third lines with iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT, but that didn't seem to work either. Adding a route to 10.0.1.0/24 via gateway 192.168.0.10 in network A's router causes all connections to break until it's removed, presumably because replying packets slam into a NAT and/or the Pi doesn't know to forward them from tun0 to eth0. Is there a way to transfer packets back and forth more or less transparently with iptables, or is that the sort of thing I must have control of the OpenVPN server to do?
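An added example (not the asker's script, and not TP-Link or OpenVPN project code) contrasting the masquerading rule set from the question with a routed rule set for the Pi gateway. Interface names and prefixes are taken from the question and treated as assumptions: eth0 is the LAN side, tun0 the VPN side, 10.0.1.0/24 is network B, 192.168.1.0/24 is network A, and 192.168.0.10 is the Pi's tunnel address. It relies on the two static routes the question already describes (B's router sending 192.168.1.0/24 via 10.0.1.3, A's router sending 10.0.1.0/24 via 192.168.0.10) and on kernel IP forwarding; with DRY_RUN set it only prints the commands, so it can be inspected without root.

```shell
#!/bin/sh
# Added example: routed (no-NAT) site-to-site forwarding rules for the Pi gateway.
# Assumed names and addresses (from the question, not verified here):
#   eth0 = LAN side, tun0 = VPN side, 10.0.1.0/24 = network B,
#   192.168.1.0/24 = network A, 192.168.0.10 = the Pi's tunnel address.
# Routes this depends on (also from the question): B's router routes 192.168.1.0/24
# via 10.0.1.3, and A's router routes 10.0.1.0/24 via 192.168.0.10.
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
NET_A="${NET_A:-192.168.1.0/24}"
NET_B="${NET_B:-10.0.1.0/24}"
IPT="${IPT:-iptables}"   # e.g. IPT="sudo iptables" if not running as root

# With DRY_RUN set, print each command instead of executing it (no root needed).
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The rule set from the question: MASQUERADE rewrites the source of every packet
# leaving tun0 to 192.168.0.10, so hosts in A only ever see the Pi itself and have
# no way to open a connection to a host in B.
nat_rules() {
  run $IPT -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
  run $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
  run $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Routed rule set: no NAT at all. Forwarding is enabled in the kernel, only traffic
# between the two site prefixes is forwarded (new connections allowed in both
# directions), malformed conntrack state is dropped, and FORWARD defaults to DROP so
# the Pi does not become a general-purpose router for anything else on either side.
routed_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run $IPT -P FORWARD DROP
  run $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
  run $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$NET_B" -d "$NET_A" -j ACCEPT
  run $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$NET_A" -d "$NET_B" -j ACCEPT
  run $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Returns 0 if the rule set printed by the named function still contains a NAT rule.
uses_nat() {
  DRY_RUN=1 "$1" | grep -q -- '-t nat'
}

# Prints how many FORWARD ACCEPT rules a rule set installs (sanity check that both
# directions are covered).
forward_accepts() {
  DRY_RUN=1 "$1" | grep -c -- '-A FORWARD.*-j ACCEPT' || true
}

if [ "${1:-}" = "apply" ]; then
  routed_rules
else
  echo "# dry run of the routed rule set (run '$0 apply' as root to install it):"
  DRY_RUN=1 routed_rules
fi
```

Run it without arguments to see the exact commands it would issue; `apply` installs them. Because the server side here is a consumer router that cannot push `iroute` or client-specific routes, the static route in network A's router is what tells hosts in A how to reach 10.0.1.0/24; without it, replies from A hosts go to their default gateway and never reach the tunnel. The rule set is deliberately prefix-restricted on both interfaces, so a misconfigured route on either router results in dropped packets rather than traffic silently leaking between sites.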

  • This is possible. I comment that you can configure openvpn from outside the gui (i.e. ssh in and write configuration files and scripts)
    – davidgo
    Commented Jan 15, 2022 at 4:49
  • @davidgo As far as I know the only interface to the router is the web GUI. Port 22 is open, but only used by the configuration app to tunnel through to the GUI. Happy to be proved wrong, though.
    – Scott
    Commented Jan 15, 2022 at 8:39
  • Sorry, I read stuff you did not actually say! Please ignore me.
    – davidgo
    Commented Jan 15, 2022 at 8:55
