Score:0

OpenVPN Server to Allow Access to Two Different Networks

mx flag

I am trying to allow OpenVPN clients to connect to the OpenVPN server, which has access to two different subnets. The 10.203.1.61 address is on a public network and is used when clients connect to OpenVPN, while the 172.28 address (ens4) is a private IP in that network. I would like them to also be able to access the network running on ens4.

ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.203.1.61  netmask 255.255.192.0  broadcast 10.203.63.255

ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 172.28.255.61  netmask 255.255.255.0  broadcast 0.0.0.0

I have the following configuration in the server.conf but it doesn't seem to be working. Can someone help me out?

Thanks

local 10.203.1.61
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.203.0.0 255.255.192.0"
push "route 172.28.255.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.203.1.11"
push "dhcp-option DNS 10.203.1.14"
push "dhcp-option DOMAIN acme.com"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
verb 3
crl-verify crl.pem
duplicate-cn
explicit-exit-notify
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

Here is my route on the server

[root@openvpn01 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 ens3
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.203.0.0      0.0.0.0         255.255.192.0   U     0      0        0 ens3
link-local      0.0.0.0         255.255.0.0     U     0      0        0 ens3
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens3
172.28.255.0    0.0.0.0         255.255.255.0   U     0      0        0 ens4
Score:0
mx flag

Thanks for the reply. I added the IPv4 forward setting (as well as in sysctl.conf). iptables shows that I already have -P FORWARD ACCEPT:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT

I also added the route for the 172.28.255 network for when 10.8.0.0/24 sends back to 172.28.255.61 (the OpenVPN secondary VNIC), but that also didn't seem to help. I have the secondary VNIC set to skip the source/destination check (in OCI).

Score:0
cg flag

If the routes are being pushed correctly to clients, try the following:

  1. Enable IP forwarding on your Linux box with the command sysctl net.ipv4.ip_forward=1 (more information: Doc)
  2. Allow IP forwarding via iptables:
    • Clear the iptables rules with iptables -F (in case you have a deny rule)
    • Allow all forward traffic by default with iptables -P FORWARD ACCEPT

Note: Remember that the network 172.28.255.0/24 needs a route to reach 10.8.0.0/24 via your OpenVPN server.
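To verify the three server-side conditions this answer lists (ip_forward, the FORWARD chain, and the routes for both networks) without trusting memory, here is an added POSIX sh check script; it is not from the thread or from OpenVPN. The vpn_check_* function names are this script's own, the parsing functions take captured command output as arguments so they can be run against saved text, and the network values are taken from the question.

```shell
#!/bin/sh
# Added example: checks the conditions from the answer above against text
# captured from the OpenVPN host. Function names are assumptions of this script.

VPN_NET="10.8.0.0/24"          # from "server 10.8.0.0 255.255.255.0" in server.conf
PRIVATE_NET="172.28.255.0/24"  # the ens4 network the clients should reach

# $1: contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")
vpn_check_ip_forward() {
    [ "$1" = "1" ]
}

# $1: output of `iptables -S FORWARD`. Passes when the chain policy is ACCEPT
# or when there is an explicit ACCEPT rule for traffic from the VPN network.
vpn_check_forward_rules() {
    printf '%s\n' "$1" | grep -q -- "^-P FORWARD ACCEPT$" && return 0
    printf '%s\n' "$1" | grep -q -- "^-A FORWARD -s $VPN_NET -j ACCEPT"
}

# $1: output of `ip -4 route`. Both networks must be directly attached to
# this host (tun0 and ens4), otherwise forwarding between them cannot work.
vpn_check_routes() {
    printf '%s\n' "$1" | grep -q "^$VPN_NET " &&
    printf '%s\n' "$1" | grep -q "^$PRIVATE_NET "
}

# Live run on the OpenVPN server itself; prints one line per check.
vpn_check_host() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)
    rules=$(iptables -S FORWARD 2>/dev/null)
    routes=$(ip -4 route 2>/dev/null)
    vpn_check_ip_forward "$fwd" && echo "ok   ip_forward=1" || echo "FAIL ip_forward=$fwd"
    vpn_check_forward_rules "$rules" && echo "ok   FORWARD accepts $VPN_NET" \
        || echo "FAIL FORWARD chain does not accept $VPN_NET"
    vpn_check_routes "$routes" && echo "ok   routes for $VPN_NET and $PRIVATE_NET" \
        || echo "FAIL route for $VPN_NET or $PRIVATE_NET missing"
    # The return path cannot be checked from here: hosts on $PRIVATE_NET (or the
    # OCI route table for that subnet) still need a route to $VPN_NET via this server.
    echo "note: verify the return route from $PRIVATE_NET to $VPN_NET separately"
}

# Run the live checks only when invoked as `sh check.sh --live`.
[ "${1:-}" = "--live" ] && vpn_check_host
```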

John S
mx flag
Thanks for the reply. Please see my response below, as it is formatted better there than in this comment section.