Join Log in
Score:0
lowercase00 avatar Server

How do I define multiple routes in OpenVPN?

cn flag
lowercase00

I'm trying to set up a server to act as a gateway - basically it will deal with connections coming from a k8s cluster to the external world (mainly databases behind VPNs).

So I have the following setup: OpenVPN with specific routes, and HAProxy that act as gateway.

In my .opvn config file, I have something like this:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote A_REMOTE_IP_ADDRESS 1199 udp4
verify-x509-name "vpn.mycompany.com" name
auth-user-pass
pkcs12 myp12file.p12
tls-auth mytls-tls.key 1
remote-cert-tls server

route-nopull
route DATABASE_A_IP_ADDRESS 255.255.255.0
route DATABASE_B_IP_ADDRESS 255.255.255.0
route 192.0.0.0 255.255.255.0

verb 4
ping 5

log-append /var/log/openvpn/sellbievpn.log
status /var/log/openvpn/sellbievpn-status.log

The HAProxy config is something like this:

frontend entry
    bind :1433
    mode tcp
    use_backend sqlserver

backend sqlserver
    mode tcp
    server sqlserver DATABASE_A_IP_ADDRESS check

Now if I try to connect to myserver:1433 I can succesfully connect to DatabaseA. So that's perfect, the concept works. But I can't find a way to connect to DatabaseB, even though they share the same VPN Network. So I'm guessing the problem should be on how I configured to routes.

Any ideas? Thanks.

499
1 + 0
Score:0
George Y avatar Server
vn flag
George Y

you need to push "route [subnet] [netmask]" in your server configuration.

0 + 2
lowercase00 avatar
cn flag
lowercase00
Hm, I though the "push" method was for testing only. Isn't it what I've done when I did `route DATABASE_IP 255.255.255.0`? I don't understand why IP_A works and IP_B doesn't
0
Reply
George Y avatar
vn flag
George Y
If the config file you showed is only on client side, it is definitely not the right way to ask one client to route to another via the vpn server without settings on it. Typically `client-to-client` would help connections of Client A - vpn server - Client B, but you need to use the virtual IP generated in vpn for connection. If you want to use original IP, you need to first turn on ipv4_forward and then corresponding add routing policies to that vpn server machine.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.