Starting up openvpn on OpenWrt

I built OpenWrt for x86. All works fine.

Now I am trying to build a site-to-site VPN, that is, routing between two or more networks. In the cloud I have an OpenVPN server, Ubuntu 18.04, and it works as the server.

I use the command line and set up OpenVPN via it.

My client.ovpn file is:
client
dev tun
proto udp
remote <this.is.openvpnserver.public.ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
mute 20

Now, when I run:
openvpn client.ovpn

The service starts. A computer connected to the router works, e.g. the VPN network 10.8.0.0/24 is reachable: ping 10.8.0.2 answers.

But... when I reboot the OpenWrt router I always have to start "openvpn client.ovpn" manually.

Is there any clever way to start OpenVPN automatically? Any "init.d" trick? Or any LuCI trick? So, as you see, my OpenVPN on OpenWrt works, but I always have to use the CLI and start it manually.

Putting something like the following in /etc/config/openvpn should suffice:

config openvpn client
        option enabled 1
        option config /etc/openvpn/client.ovpn

Look at this:
config openvpn client
option enabled 1
option config /etc/openvpn/client.ovpn

The effect is that OpenVPN starts automatically on boot-up. Maybe. When the router boots with the WAN connector connected, ifconfig finds "tun0" and the IP set by the server. E.g. server.conf says "server 10.8.0.0", tun0 is 10.8.0.2, 3 etc. When the WAN connector is removed, there is no tun0.

No effect if I remove the /etc/config/client.conf file and /etc/config/openvpn_recipes. After boot-up this "tun0" is still available.

Of course if I remove /etc/openvpn/client.conf, there is no tun0. BUT, when I put this file back, tun0 appears.

Procedure:

  • Make a working OpenVPN, make it start at boot-up (/etc/config/openvpn: option enabled 1, option config etc etc)
  • ifconfig finds tun0
  • remove /etc/config/openvpn, reboot
  • still tun0

So: once you succeed in making OpenVPN run at startup, you can never remove it from startup.

That is: inside OpenWrt there is some hidden place where this is programmed. Is it some start-up init script? Or some binary file? I tried Google and searched, but... nothing. If you add OpenVPN to the client once, the only way is to make a clean OpenWrt. Or... how? Maybe impossible?

The first rule of OpenVPN is don't have any files named *.conf in /etc/openvpn because OpenVPN will read and parse them automatically, and that is usually not what you want.

Ordinarily the tun0 interface is created and configured by the OpenVPN client only after it makes a connection to the server. I'm not sure if the tun0 is automatically deleted if the connection is lost. It's not a bad consequence to have a dead-end tun0 left in the kernel, since there's no OpenVPN behind it.

Like most software, with OpenWrt the closer your configuration is to default the more likely it is to work. Many people do import or write a native style config .ovpn file rather than translate the whole config to UCI, but other than that you should stay near default. It is not necessary to have a lot of extra configs or write scripts.

OpenVPN writes profusely to syslog and it is usually fairly easy to identify problems even without activating debug mode.

Since OpenVPN is integrated as a service you can use service openvpn stop and service openvpn start instead of needing to reboot. Also service openvpn disable will prevent auto start on reboot, while service openvpn enable causes auto start on reboot.
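The point about stray *.conf files explains the "cannot remove it from startup" observation: on OpenWrt the init script starts every section in /etc/config/openvpn that is enabled, and in addition every /etc/openvpn/*.conf file, so a client.conf left in that directory is started whether or not UCI mentions it (a *.ovpn file is only started when a UCI section points at it). The following script is an added example, not part of this thread or of OpenWrt's own init script; it lists both sources the way the init script would read them and flags a config reachable from both, which would be started twice. It assumes a POSIX sh and awk, and the UCI file and /etc/openvpn directory it is run against are given as arguments, so the demo uses a constructed copy rather than the live files.

```sh
#!/bin/sh
# Added example, not from the thread: list every OpenVPN instance the OpenWrt
# init script would start. It reads two sources, as /etc/init.d/openvpn does:
# sections in /etc/config/openvpn that say "option enabled 1", and every
# /etc/openvpn/*.conf file, whether or not UCI mentions it. A *.ovpn file is
# only started if a UCI section points at it. Both paths are parameters so the
# check can run on a copied or constructed config on any machine.

# uci_instances UCIFILE : print "uci NAME CONFIGPATH" per enabled section.
uci_instances() {
    awk '
        function flush() {
            if (name != "" && enabled == "1" && cfg != "")
                printf "uci %s %s\n", name, cfg
            name = ""; enabled = ""; cfg = ""
        }
        { gsub("[\047\"]", "", $3) }                 # strip UCI quoting
        $1 == "config" && $2 == "openvpn" { flush(); name = $3 }
        $1 == "option" && $2 == "enabled" { enabled = $3 }
        $1 == "option" && $2 == "config"  { cfg = $3 }
        END { flush() }
    ' "$1"
}

# conf_instances DIR : print "conf NAME PATH" per *.conf in DIR; the init
# script starts each of these with the file's base name as instance name.
conf_instances() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        n=${f##*/}
        printf 'conf %s %s\n' "${n%.conf}" "$f"
    done
}

# openvpn_instances UCIFILE DIR : everything that would be started at boot.
openvpn_instances() {
    uci_instances "$1"
    conf_instances "$2"
}

# duplicate_configs UCIFILE DIR : config file names reachable from both
# sources, i.e. the same config started twice. Compared by base name because
# the UCI path is absolute while DIR may be a copy of /etc/openvpn.
duplicate_configs() {
    openvpn_instances "$1" "$2" | awk '{ n = $3; sub(".*/", "", n); print n }' | sort | uniq -d
}

# demo : run the check against a constructed copy of the two sources.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/openvpn"
    cat > "$d/uci_openvpn" <<'EOF'
config openvpn 'client'
    option enabled '1'
    option config '/etc/openvpn/client.conf'

config openvpn 'spare'
    option enabled '0'
    option config '/etc/openvpn/spare.ovpn'
EOF
    : > "$d/openvpn/client.conf"    # constructed: reachable from both sources
    : > "$d/openvpn/site.ovpn"      # constructed: not started by anything
    openvpn_instances "$d/uci_openvpn" "$d/openvpn"
    echo "started twice: $(duplicate_configs "$d/uci_openvpn" "$d/openvpn")"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a router, `openvpn_instances /etc/config/openvpn /etc/openvpn` after sourcing the script shows what `service openvpn start` will launch; the fix for a duplicate is to rename the file to *.ovpn and keep only the UCI section, as the reply above says. A section with no explicit `enabled` option is not counted by this check.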

Ah, ok. Nearer to a solution now.

Ok. The problem is: I am trying to build a site-to-site route over the Internet. I installed an OpenVPN server in the cloud: Ubuntu 18.04, public IP etc. And then on the command line, apt install openvpn, easyrsa etc etc. There is the basic VPN IP address range, 10.8.0.0 ("server 10.8.0.0"). Before anyone says "make site-to-site without a server", I say "No thanks, the server is the difficult way, but then it makes me free. Many sites is easier. Static sites, roadwarriors etc."

One client works. I call it "client1". Using the CLI I installed OpenVPN (opkg install openvpn, rsa etc etc). Then "client.conf", including key, server IP etc etc. A computer connected to the router of client 1: ping 10.8.0.3 answers.

Now I make client2. It is similar, but when I connect the WAN, the inner network stops. No ping, no LuCI etc. After a lot of work I found that the fault is OpenVPN. Why, I cannot tell. E.g. on startup I can see: the last text on boot-up is "eth1 connected", that is, WAN connected. If I ping at the same time, I can see the ping is ok. But immediately when the WAN is up, the ping stops, LuCI does not work etc. If I remove the WAN connector and boot the router, ping ok, LuCI ok.

Client.conf:

client
dev tun
proto udp
remote <serverpublicip> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
mute 20

And "/etc/config/openvpn" -> this file.

Network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc1:e63d:b73e::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.252.0'
	option ip6assign '60'
	option ipaddr '10.16.0.1'
(Yes, router/client2 IP is 10.16.0.0/22, client 1 is 10.15.0.0/22, 3 is 17 etc...)
config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option hostname 'Client2'

config route
	option interface 'lan'
	option netmask '255.255.252.0'
	option gateway '10.16.0.1'
	option target '10.15.0.0'

config route 
	option interface 'lan'
	option netmask '255.255.252.0'
	option gateway '10.16.0.1'
	option target '10.17.0.0'

And firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 WAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user' (empty file)

SIMPLY, the client1 configuration is the same but the IP range is "10.15.0.0/22" (and, of course, DHCP, that is 10.15.1.1-254). Client2 = 16, etc. Now there is clearly something odd in OpenVPN: when I remove the OpenVPN configuration file (client.conf), the inner network starts working (ping 10.16.0.1). But when I put the OpenVPN configuration file back (reboot of course), ping 10.16.0.1 does not work...

The fault is little, but... what?

If you want all of your Internet to go via the VPN (like a commercial VPN service works) you will have to set up the VPN server to route its clients out to the Internet at its end.

In order for your VPN server to act as a link between the VPN clients so they have access to each other and their respective LANs, the client-to-client option must be enabled on the server. Also of course all the LANs should have a different IP subnet or it gets very complicated.

Again do not name openvpn config files *.conf (the convention is *.ovpn) and make sure that you are only running one config file.

You should add VPN-related routes on the VPN interface using the VPN profile.
Also, your VPN interface is not assigned to any firewall zone.

If possible, just start from scratch and perform this: OpenVPN server + client + site-to-site.
These are working and tested how-tos, which help you avoid a lot of newbie mistakes.

”These are working and tested how-tos, which help you avoid a lot of newbie mistakes.”

I do not agree with this: all examples are fuzzy and talk about other things than what is needed. My need is exact: site1, site2, site3, roadwarrior1, roadwarrior2 etc etc connected as one network. So, all sites are private networks. Working example: site 1, there is a printer. All other sites want to use it. Server1 location is site3. Server2 location is site1. (Server = e.g. And.) All want to use it. CCTV camera on site 2, all want to use it. So, just like a copper connection.

This I follow.

  1. SERVER

The OpenVPN server is ok now. I built it using Ubuntu on Jelastic (it is about the same as Azure and all platforms). I have a public IP and it answers ping. The OpenVPN configuration file is ok, and I built certificates, keys etc.

The server VPN address is 10.8.0.1.

On the OpenWrt router there is some life: sometimes ping 10.8.0.2 and 3 answer. Also: when the router starts OpenVPN, I can see the connection process on the OpenVPN server. On the display I can see a lot of text, ”client1 connected, 10.8.0.1, 2.... etc”.

So, the server is ok, it works.

  2. CLIENTS

I am quite sure I need the right OpenVPN client configuration file. The biggest problem is firewall and routes.

Routes are easy: the network file. As in my example earlier. There is the site 1 network: 10.15.0.0/22, gw 10.15.0.1. Site 2 is 16, site 3 is 17 etc. So, the routes in the network file must be as I wrote earlier. See the network file: so, e.g. site1 ”connection to network 10.16.0.0, so target 10.16.0.0, gw 10.15.0.1. Target 10.17.0.0, gw 10.15.0.1”.

The firewall is more difficult, it needs a long set of routes etc.

Of course, I am NOT sure, all examples and how-tos are fuzzy. I started this work in January. Two months ago I closed my company and my only work is making this work. For one month I studied OpenWrt and OpenVPN, no other work. Result: I need some months more work... So complex :frowning:

Well, let's adapt it to your configuration if the default is too fuzzy for you:

# Preparation
...
OVPN_POOL="10.8.0.0 255.255.255.0"
OVPN_SERV_LAN="10.1.0.0 255.255.252.0"
...

# Key management
...
easyrsa build-client-full client1 nopass
easyrsa build-client-full client2 nopass
easyrsa build-client-full client3 nopass
...

# Site-to-site
...
cat << EOF > /etc/openvpn/ccd/client1
ifconfig-push 10.8.0.15 255.255.255.0
iroute 10.15.0.0 255.255.252.0
push-remove redirect-gateway
EOF
cat << EOF > /etc/openvpn/ccd/client2
ifconfig-push 10.8.0.16 255.255.255.0
iroute 10.16.0.0 255.255.252.0
push-remove redirect-gateway
EOF
cat << EOF > /etc/openvpn/ccd/client3
ifconfig-push 10.8.0.17 255.255.255.0
iroute 10.17.0.0 255.255.252.0
push-remove redirect-gateway
EOF
cat << EOF >> /etc/openvpn/server.conf
client-config-dir ccd
route 10.15.0.0 255.255.252.0 10.8.0.15
route 10.16.0.0 255.255.252.0 10.8.0.16
route 10.17.0.0 255.255.252.0 10.8.0.17
push "route ${OVPN_SERV_LAN} vpn_gateway 1000"
push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
push "route 10.16.0.0 255.255.252.0 10.8.0.16 1000"
push "route 10.17.0.0 255.255.252.0 10.8.0.17 1000"
EOF
...

In addition, if the VPN clients are not installed on remote LAN gateways, you need to add static routes to remote LANs and VPN on each LAN gateway.
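The ccd entries and server.conf lines above follow one rule per site (site k: LAN 10.k.0.0/22, router pinned to 10.8.0.k), so they can be generated rather than typed three times. The script below is an added example, not part of this thread or of the OpenWrt wiki recipe it adapts; it produces the same files for any list of site numbers, refuses site numbers whose /22 would overlap the 10.8.0.0/24 tunnel pool, and writes into a directory given on the command line instead of /etc/openvpn so the output can be reviewed first. The variable names (SITES, SITE_MASK, POOL_MASK) and the clientN naming are assumptions of this example; the only hard requirement is that each ccd file name equals the CN of that client's certificate.

```sh
#!/bin/sh
# Added example, not from the thread or the OpenWrt wiki script it adapts:
# generate the per-client ccd files and the matching server.conf lines for any
# number of sites, using the scheme of the reply above (site k has LAN
# 10.k.0.0/22 and its router is pinned to tunnel address 10.8.0.k).
# Everything is written under a directory passed as an argument, never straight
# into /etc/openvpn, so the result can be reviewed before it is deployed.

POOL_MASK="255.255.255.0"       # matches "server 10.8.0.0 255.255.255.0"
SITE_MASK="255.255.252.0"       # every site LAN is a /22
SITES="15 16 17"                # client1, client2, client3 in this order

# site_ok K : reject site numbers whose /22 would overlap the tunnel pool.
# 10.8.0.0/24 lies inside 10.8.0.0/22, so 10.8, 10.9, 10.10 and 10.11 are taken.
# Ranges the hosting provider uses inside its own network (such as the 10.80.x
# and 10.96.x hops that appear in this thread) cannot be detected here.
site_ok() {
    case "$1" in
        *[!0-9]*|'') return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 255 ] || return 1
    [ "$1" -ge 8 ] && [ "$1" -le 11 ] && return 1
    return 0
}

# ccd_file K : the client-config-dir entry for the router of site K.
#  ifconfig-push  pins the tunnel address so the server's "route" lines stay valid
#  iroute         tells OpenVPN which LAN sits behind this client
#  push-remove    keeps a site router from tunnelling all its Internet traffic
ccd_file() {
    printf 'ifconfig-push 10.8.0.%s %s\n' "$1" "$POOL_MASK"
    printf 'iroute 10.%s.0.0 %s\n' "$1" "$SITE_MASK"
    printf 'push-remove redirect-gateway\n'
}

# server_lines : appended to server.conf. "route" installs the kernel route on
# the server; "push route" gives every client the other sites' LANs with that
# site's router as gateway. The metric 1000 keeps the pushed copy of a site's
# own LAN route from winning over its directly connected br-lan route.
server_lines() {
    echo "client-config-dir ccd"
    for k in $SITES; do
        printf 'route 10.%s.0.0 %s 10.8.0.%s\n' "$k" "$SITE_MASK" "$k"
    done
    for k in $SITES; do
        printf 'push "route 10.%s.0.0 %s 10.8.0.%s 1000"\n' "$k" "$SITE_MASK" "$k"
    done
}

# generate OUTDIR : write OUTDIR/ccd/clientN (N follows the order of SITES; the
# file name must equal the CN of that client's certificate) and
# OUTDIR/server-routes.conf. Writes nothing if any site number is bad.
generate() {
    out="$1"
    for k in $SITES; do
        site_ok "$k" || { echo "site $k overlaps the pool or is not 1..255" >&2; return 1; }
    done
    mkdir -p "$out/ccd"
    i=1
    for k in $SITES; do
        ccd_file "$k" > "$out/ccd/client$i"
        i=$((i + 1))
    done
    server_lines > "$out/server-routes.conf"
}

if [ "${1:-}" = generate ]; then
    generate "${2:-./ovpn-out}" && echo "written to ${2:-./ovpn-out}"
fi
```

Run it as `sh gen.sh generate /tmp/ovpn-out`, inspect the result, then copy the ccd files to /etc/openvpn/ccd/ and append server-routes.conf to server.conf on the server. Road warriors need no ccd entry: they take a dynamic address from the pool and receive the pushed site routes like everyone else.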

And there is this:

Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf . On Windows they are named server.ovpn and client.ovpn .

What is the truth? The OpenVPN manual says "on Linux use conf, on Windows use ovpn". What is the truth?

OpenVPN on OpenWrt:

Ok. Server configuration file (server.conf or server.ovpn, depending on who says)

#start of the "server.conf/ovpn"
port 1194
proto udp4
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
explicit-exit-notify 1
client-config-dir /etc/openvpn/ccd
route 10.15.0.0 255.255.252.0 10.8.0.15
route 10.16.0.0 255.255.252.0 10.8.0.16
route 10.17.0.0 255.255.252.0 10.8.0.17
#Note: on the server, ifconfig says inet 10.80.9.195 netmask 255.252.0.0 broadcast 10.83.255.255 destination 10.80.9.195
push "route 10.80.9.195 255.252.0.0 vpn_gateway 1000"
push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
push "route 10.16.0.0 255.255.252.0 10.8.0.16 1000"
push "route 10.17.0.0 255.255.252.0 10.8.0.17 1000"
#end of the server.conf/ovpn

ccd FOLDER:
File client1
ifconfig-push 10.8.0.15 255.255.255.0
iroute 10.15.0.0 255.255.252.0
push-remove redirect-gateway

File client2
ifconfig-push 10.8.0.16 255.255.255.0
iroute 10.16.0.0 255.255.252.0
push-remove redirect-gateway

File client3
ifconfig-push 10.8.0.17 255.255.255.0
iroute 10.17.0.0 255.255.252.0
push-remove redirect-gateway

SO this is server.conf. When started manually, a lot of text appears and it looks ok.


CLIENT CONFIGURATION

client.conf/ovpn, CLIENT CONFIGURATION FILE
#start of client.conf/ovpn
client
dev tun
proto udp
remote <this.is.public.ip.of.the.server> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
mute 20
#end of client.conf/ovpn

NETWORK FILE ON CLIENT, THIS IS CLIENT1
#start of /etc/config/network-file

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc1:e63d:b73e::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.252.0'
	option ip6assign '60'
	option ipaddr '10.16.0.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option hostname 'client2'

config route
	option interface 'lan'
	option netmask '255.255.252.0'
	option gateway '10.16.0.1'
	option target '10.15.0.0'

config route
	option interface 'lan'
	option netmask '255.255.252.0'
	option gateway '10.16.0.1'
	option target '10.17.0.0'

#end of /etc/config/network-file

QUESTION: Server.conf/ovpn: note "ovpn_serv_lan": ifconfig on the server says "inet 10.80.9.195 netmask 255.252.0.0 broadcast 10.83.255.255 destination 10.80.9.195". So I understand this "push route ovpnservlan" must be 10.80.9.195 with mask 255.252.0.0 (yes, 255.252, ifconfig says this). Right?

QUESTION: "In addition, if the VPN clients are not installed on remote LAN gateways, you need to add static routes to remote LANs and VPN on each LAN gateway."
a) OpenVPN is installed on the routers client1 and client2 (and later client3).
b) The router is x86, so keyboard and display are directly on the router. Ping 10.8.0.1 answers, ping 10.8.0.15 answers, ping 10.8.0.16 answers. (And, of course, the client2 router is 10.16.0.0/22, ping 10.16.0.1 answers.)
c) Computer connected to the LAN of the router: LuCI ok, ssh CLI ok. Ping 10.16.0.1 answers, ping 10.8.0.16 answers. Ping 10.8.0.15 does not answer, ping 10.8.0.1 does not answer. Firewall? Route?
d) "add static routes etc": as you see, static routes are added. Please see the network file: as you see, "config route, interface lan, netmask /22, gateway 10.16.0.1 (router gateway address), target 10.15.0.0 network". And second, the route to network 17. This is similar in every network. Right? I searched the OpenWrt manual, and there is a routing example done just this way. Is this right?
e) Is any firewall adjustment needed?

This is wrong, remove it.
netifd does not interact with openvpn service and should not manage these routes.

Yes, but you should change it to subnet.

Are these VPN client machines also the main router in their respective networks? If they are not, what @vgaetera said applies, the main router needs a route installed to the other networks. This is because endpoints on the LAN (PCs and printers) don't know about the other LANs, so when they reply to an IP outside of their own LAN(1) they send it to the only gateway they know, the default gateway-- the main router. So the main router needs an entry for each foreign lan gatewaying back to the IP of the VPN client machine on its LAN. Which also of course means those IPs need to be static or reserved.

The server needs client config directories to reserve the proper 10.8.0.X address for the same client every time. This is based on having unique certificate for each client. The CN of the certificate keys the IP lookup.

Look on the clients to see that the routing table has been updated by OpenVPN with the pushed routes. Do not add routes manually to the clients.

(1) Reportedly the Windows Firewall default configuration does not allow connecting to private IPs outside its own LAN.
1 Like

Look, now I am quite near the final solution. I hope...

I found... after long work... the basics!

https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic


push "route 10.80.9.195 255.252.0.0 vpn_gateway 1000"

Of this I cannot be sure. Still. I go to the server, then "ifconfig", and the result is 10.80.9.195 mask 255.252.0.0. The reason: the server has no large internal IP area, there is only 10.80.9.195. So:

  • Because the server's internal IP is this, is the mask 32? 255.255.255.255?
  • No server network adjustment, only server.conf/ovpn?

traceroute says: (traceroute elkesan.fi)

  • client2 LAN (10.16.0.1), so, ok
  • 192.168.1.2, it is ok, it is the 4G modem
  • 10.96.11.50
  • 10.96.11.49
  • 10.96.12.36
  • 10.96.12.1 request timed out
  • 141.208.192.126 request timed out
  • 5.250.164.143
  • 5.250.165.240 OKAY! elkesan.fi found!

I cannot understand this "10.96" jumping: tracert never visits 10.80.9.195... so, what must this vpn-gateway be? The IP is 10.80.9.195, but the mask MUST BE 255.252.0.0 because ifconfig says so. But if it is only 10.80.9.195, the mask must be 32! So...

But, anyway: the tracert result is "never visits the OpenVPN server public address". Why.. no answer...?


The firewall is now right. I think so...

#start of client2 firewall file
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'
#end of client2 firewall file

And

#start of openvpn server server.conf-file
port 1194
proto udp4
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
explicit-exit-notify 1
client-config-dir /etc/openvpn/ccd
route 10.15.0.0 255.255.252.0 10.8.0.15
route 10.16.0.0 255.255.252.0 10.8.0.16
route 10.17.0.0 255.255.252.0 10.8.0.17
push "route 10.80.9.195 255.255.255.255 vpn_gateway 1000"
push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
push "route 10.16.0.0 255.255.252.0 10.8.0.16 1000"
push "route 10.17.0.0 255.255.252.0 10.8.0.17 1000" 
#end of server openvpn conf file

Then, what about "site-to-site"...

The 10.80 and 10.96 IPs would be within the data center of the company you're renting the server from. In other words your virtual machine there is not directly connected to the Internet, but it is routed to seem like it is.

If you look at the routing table of the server you should see that its default gateway is 10.96.11.50.

So this means when you use the 10. space for your own IPs, you have to be careful they don't conflict with any that the server company is using-- and they probably won't tell you which ones those are. It would be best to avoid 10. IPs altogether here.

The LAN routers should not need to know the IP or routing of the VPN server as anything other than 10.8.0.1-- which OpenVPN should install as your new default route by splitting the Internet in half. A packet to a public IP sent via there should make its way to the Internet if the server is properly configured. Part of that configuration is to NAT all the LANs to the one public IP you have, just like any other router.

1 Like

Still I jump back to this detail.

POOL is ok.

But what is this "OVPN_SERV_LAN="10.1.0.0 255.255.252.0"? .... "10.1.0.0"?? As I wrote and pasted the photo, I think it is just as the text says: "OVPN server LAN address", and in my case it is 10.80.9.195 with mask 255.252.0.0 (just as ifconfig says).

  • This is not the OpenVPN server LAN address, it is some "virtual" address with no connection to real life -> put any number, the system does not care
  • This is, just as the text says, the "OpenVPN server LAN address" and it must be exactly right, 10.80.9.195 255.252.0.0.
  • A third option...?

My network, shortly: Client1 (10.15.0.0/22), Client2 (10.16.0.0/22), Client3 (10.17.0.0/22) + maybe roadwarriors. All networks are individual private networks. I want to connect them together, site-to-site.

You're working on two things at once:

  • site to site LAN to LAN access through the VPN server.
  • Making the site users' Internet browsing go out through the VPN server's Internet connection instead of directly through their respective ISPs.

They can both work (or not) independent of the other. Concentrate on fixing one or the other.

When trying to diagnose routing, the route or ip route show commands are very useful to see how the kernel is configured to route.

1 Like
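The two goals the reply above separates (LAN-to-LAN reachability through the server, and Internet traffic leaving through the server) each leave a distinct mark in the routing table, which is what `ip route show` exposes. The script below is an added example, not part of this thread; it reads a saved copy of `ip route show` output and checks both conditions for a client2-style router: that every remote site prefix is routed through the tunnel device, and whether the default route or OpenVPN's `redirect-gateway def1` halves (0.0.0.0/1 and 128.0.0.0/1) point at the tunnel. The tunnel device name, the prefixes and the sample routing table are assumptions of this example; the sample table is constructed, not captured from the thread's routers.

```sh
#!/bin/sh
# Added example, not from the thread: check a site router's kernel routing
# table for the two things the reply above separates, using the output of
# "ip route show" saved to a file so the check also runs offline on a capture.
# The LAN prefixes, tunnel device name and capture path are all parameters;
# the sample table in demo() is constructed for this example.

# route_dev FILE PREFIX : the device the kernel uses for an exact prefix
# ("default", "10.15.0.0/22", ...); prints nothing when no such route exists.
route_dev() {
    awk -v p="$2" '$1 == p { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }' "$1"
}

# site_routes_ok FILE TUN PREFIX... : every listed remote prefix must go out
# through the tunnel device; the first miss is reported and the check fails.
site_routes_ok() {
    f="$1"; tun="$2"; shift 2
    for p in "$@"; do
        d=$(route_dev "$f" "$p")
        if [ "$d" != "$tun" ]; then
            echo "no route for $p via $tun (found: ${d:-none})" >&2
            return 1
        fi
    done
    return 0
}

# internet_via_tunnel FILE TUN : succeeds when Internet traffic would leave
# through the VPN, either because the default route points at the tunnel or
# because OpenVPN's "redirect-gateway def1" added 0.0.0.0/1 and 128.0.0.0/1 via
# the tunnel (those two more specific routes beat the plain default route
# without replacing it). For site-to-site only, this check should fail.
internet_via_tunnel() {
    for p in default 0.0.0.0/1 128.0.0.0/1; do
        [ "$(route_dev "$1" "$p")" = "$2" ] && return 0
    done
    return 1
}

# check_routes FILE : report both conditions for a client2-style router whose
# own LAN is 10.16.0.0/22 and whose remote sites are 10.15.0.0/22, 10.17.0.0/22.
check_routes() {
    site_routes_ok "$1" tun0 10.8.0.0/24 10.15.0.0/22 10.17.0.0/22 \
        && echo "site-to-site: remote LANs reachable through tun0"
    if internet_via_tunnel "$1" tun0; then
        echo "internet: routed through the VPN server"
    else
        echo "internet: still leaves via the local WAN"
    fi
}

# demo : constructed "ip route show" output for client2 after OpenVPN has
# installed the pushed routes, then the same table with redirect-gateway added.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
default via 192.168.1.2 dev eth1 proto static src 192.168.1.10
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.16
10.15.0.0/22 via 10.8.0.15 dev tun0 metric 1000
10.16.0.0/22 dev br-lan proto kernel scope link src 10.16.0.1
10.17.0.0/22 via 10.8.0.17 dev tun0 metric 1000
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
EOF
    check_routes "$f"
    echo "0.0.0.0/1 via 10.8.0.1 dev tun0" >> "$f"   # what redirect-gateway def1 adds
    check_routes "$f"
    rm -f "$f"
}

case "${1:-}" in
    demo)  demo ;;
    check) check_routes "${2:?path to saved 'ip route show' output}" ;;
esac
```

On the router: `ip route show > /tmp/routes && sh routes.sh check /tmp/routes`. If the remote prefixes are missing there, the pushed routes never arrived (look at the OpenVPN log for "route" lines); if they are present but a LAN host still cannot reach the other site, the problem is the firewall zone or the other site, not this router's routing.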

The original work is a site-to-site VPN using an OpenVPN server. It is the most important work and the goal. ”VPN browsing” is a new idea, and in my case not important, only a bonus result. If it does harm or takes more than 30 minutes of work, I forget it.

Most important is the site-to-site VPN. Connecting three or more separate private networks together using an OpenVPN server. It is the goal and all I want, more than a million dollars.

You can remove this route if the server has no LAN, or the clients have no need to access it.