Openvpn two server conf connect each other

cybermailer · March 22, 2021, 12:04pm

Hi,

i have successfully two server configurations for openvpn using this:

config openvpn 'myvpn'
        option enabled '1'
        option verb '3'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option server '10.8.0.0 255.255.255.0'
        option keepalive '10 120'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/vpn-server.crt'
        option key '/etc/openvpn/vpn-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option client_to_client '1'
        list 'push' 'redirect-gateway def1 bypass-dhcp'
        option persist_key 1
        option persist_tun 1
        option user nobody
        list 'push' 'dhcp-option DNS 192.168.1.1'
        list 'push' 'route 192.168.1.0 255.255.255.0'
        list 'push' 'route 10.9.0.0 255.255.255.0'

config openvpn 'myvpntcp'
        option enabled '1'
        option verb '4'
        option port '443'
        option proto 'tcp'
        option dev 'tun'
        option server '10.9.0.0 255.255.255.0'
        option keepalive '10 120'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/vpn-server.crt'
        option key '/etc/openvpn/vpn-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option client_to_client '1'
        list 'push' 'redirect-gateway def1 bypass-dhcp'
        option persist_key 1
        option persist_tun 1
        option user nobody
        list 'push' 'dhcp-option DNS 192.168.1.1'
        list 'push' 'route 192.168.1.0 255.255.255.0'
        list 'push' 'route 10.8.0.0 255.255.255.0'

I want to reach the goal that clients from 10.9.0.x and 10.8.0.x get to know each other...

Maybe i'm little confused where to do this.

Thx for help..

iplaywithtoys · March 22, 2021, 12:14pm

What do you mean by "get to know each other"? Are you referring to discovery by broadcast? Are you referring to direct connections via unicast?

cybermailer · March 22, 2021, 12:24pm

ssh / vnc each other. Like in the same network.

At the moment i can only ssh from 192.x.x.x to 10.8.x.x or 10.9.x.x and vice-versa and also within 10.8.x.x (and 10.9.x.x) it also works. But not from 10.8.x.x to 10.9.x.x

vgaetera · March 22, 2021, 12:49pm

uci add_list firewall.@zone[0].device="tun+"
uci commit firewall
/etc/init.d/firewall restart

cybermailer · March 22, 2021, 1:11pm

@vgaetera -> your solutions works -> can you explain?

additional question are my push route definitions necessary also to your additional firewall settings?

thx for help

vgaetera · March 22, 2021, 1:21pm

Assign both VPN interfaces to the same firewall zone with permissive intrazone forward policy.
There's no need to push extra routes as long as you redirect gateway on the clients to the VPN.

In addition, it's best to explicitly specify the server side topology:

uci set openvpn.myvpn.topology="subnet"
uci set openvpn.myvpntcp.topology="subnet"
uci commit openvpn
/etc/init.d/openvpn restart

cybermailer · March 22, 2021, 5:59pm

That means i can now remove these lines of code:

and add these lines:

uci set openvpn.myvpn.topology="subnet"
uci set openvpn.myvpntcp.topology="subnet"
uci commit openvpn

i hope i have understand your information well...
thx

system · April 1, 2021, 5:59pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.