Score:0

Routing traffic between two OpenVpn servers

cn flag
Oli

I'm trying to route traffic between two openvpn servers; I would like to have the following connection:

Client --> OpenVpnServer1 --> OpenVpnServer2 --> Internet

I have both servers running and working separately, but I have tried to configure OpenVpnServer1 to forward all its clients' traffic to OpenVpnServer2 using iptables and failed.

OpenVpnServer1 Interfaces and configs:

eth0 -- public internet

tun0 -- for clients connecting to this server

tun1 -- connection interface for second server (Active when connected using openvpn client)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/8 -o eth0 -j MASQUERADE
COMMIT

OpenVpnServer2 Interfaces and configs:

ens33 -- public internet

tun0 -- for clients connecting to this server

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o ens33 -j MASQUERADE
COMMIT

Update:

I have tested the connections between server1 and server2, and server1 can ping google from its tun1 adapter. The problem is I don't know how to forward the traffic without changing the default route on server1. If I change the default route to tun1, then clients can't connect to server1.

Michael Hampton avatar
cz flag
I don't see any routing here, just a whole lot of NAT. Why are you using NAT instead of routing?
Oli avatar
cn flag
Oli
@MichaelHampton, that’s why I’m asking this question.
Score:0
kz flag

Okay, some basics first. The client opens a VPN connection to Server1. The server has an active connection to server2 and this connection is configured as default route (you did that, correct?)

First of all, I would configure this tunnel between server1 and server2 as site-to-site VPN - but that is a different topic.

At server1, your iptables rule is wrong. The correct rule would be:

iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Why?

If you want this setup to work, you need to pretend that all traffic going through the VPN tunnel from server1 to server2 is being initiated by server1; in detail, it has the IP of your tun1 interface, so that the reply reaches server1 and can be correctly routed back to the client. That is what the rule does. Your rule, by contrast, would only masquerade traffic going out into the public internet, not through any VPN.

Oli avatar
cn flag
Oli
Thank you for the answer. I have another problem: by changing the default route on server1, I can't connect to it. So I can't change it.
Martin avatar
kz flag
You shouldn't change the default route manually; let openvpn do this. There is a config parameter with which you can do this: ```redirect-gateway def1``` inside the correct configuration file, for example...
Oli avatar
cn flag
Oli
By enabling that option in the server2 config, after server1 connects to server2, server1 becomes unreachable.
Martin avatar
kz flag
Try to do this inside the client configuration on server1. When doing this at the server config, you have to differentiate between "redirect gateway" (valid for the server) and push redirect-gateway (configuration command pushed to the client). It is easier to write this inside the client config...
Oli avatar
cn flag
Oli
OK, I'll do it and I'll update you on whether it works or not. Thanks.
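The following script is an added example, not code from the question or the answer above. It puts the answer's approach on server1 into one place: IP forwarding, the MASQUERADE rule on tun1 (narrowed to the client subnet), FORWARD rules that admit only client traffic and its replies, and, beyond what the answer states, a source-based policy route so that packets carrying server1's own public address (replies to clients connecting over eth0) still leave via eth0 once the tunnel is the default route; that is the reachability problem raised in the comments. Interface names eth0/tun0/tun1 are the question's; the client subnet 10.10.0.0/24 (the question writes 10.10.0.0/8), the public address 203.0.113.10, the gateway 203.0.113.1 and routing table 100 are assumed placeholders. With DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the question or answer): server1 set-up for
#   Client -> server1 (tun0) -> server2 (tun1) -> Internet
# All values below are assumptions; 203.0.113.0/24 is a documentation range.
WAN_IF="${WAN_IF:-eth0}"                 # public interface of server1 (as in the question)
WAN_IP="${WAN_IP:-203.0.113.10}"         # placeholder: server1's public address
WAN_GW="${WAN_GW:-203.0.113.1}"          # placeholder: default gateway on eth0
CLIENT_IF="${CLIENT_IF:-tun0}"           # interface for clients of server1
UPLINK_IF="${UPLINK_IF:-tun1}"           # tunnel from server1 to server2
CLIENT_NET="${CLIENT_NET:-10.10.0.0/24}" # assumed client subnet (question writes 10.10.0.0/8)
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands only; 0 = apply them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The kernel must forward packets between tun0 and tun1.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# The answer's rule: masquerade traffic leaving through tun1 so that server2
# sees server1's tunnel address and replies come back to server1. Narrowed
# to the client subnet so nothing else on the box is silently NATed.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$CLIENT_NET" -o "$UPLINK_IF" -j MASQUERADE
}

# Only client traffic may cross from tun0 to tun1, and only replies to it
# may come back; everything else that would be forwarded is dropped.
forward_rules() {
    run iptables -A FORWARD -i "$CLIENT_IF" -o "$UPLINK_IF" -s "$CLIENT_NET" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK_IF" -o "$CLIENT_IF" -d "$CLIENT_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
}

# Keep server1 reachable once tun1 is the default route: packets sourced
# from server1's public address (replies to incoming VPN clients, SSH) are
# routed via eth0 instead of the tunnel. This is an addition beyond the answer.
policy_routing() {
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table 100
    run ip rule add from "$WAN_IP" lookup 100
}

main() {
    enable_forwarding
    nat_rules
    forward_rules
    policy_routing
}

main
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 to apply them. It is meant to be paired with ```redirect-gateway def1``` in the OpenVPN client configuration that server1 uses to reach server2, as suggested in the comments; the `-P FORWARD DROP` line is a default-deny for forwarded traffic, so any other traffic the box is expected to forward needs its own ACCEPT rule.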