Score:0

What is missing in this client-to-client OpenVPN setup?


I've been able to set up an OpenVPN server with several clients using static IPs; the static IP is set by adding a line like ifconfig-push 192.168.254.6 192.168.255.1 in the ccd file for each of the clients. I can ping or ssh from the server to each of these clients. In my server configuration I have the following lines (among other config):

server 192.168.255.0 255.255.255.0

and

route 192.168.254.0 255.255.255.0

Now what I'm trying to do is to be able to ssh or curl from one client to another, so after reading the documentation I added the line client-to-client to the configuration. I've noticed that after restarting the server and reconnecting the clients, it added the following line to ip route on my clients:

192.168.255.0/24 via 192.168.255.1 dev tun0

Which I understand to mean that the client is being told that every address like 192.168.255.X goes via the VPN server. And in fact I tried to verify this by running traceroute 192.168.255.30 and got:

traceroute to 192.168.255.30 (192.168.255.30), 30 hops max, 60 byte packets
 1  192.168.255.1 (192.168.255.1)  11.454 ms  14.491 ms  14.493 ms

However, the other clients I want to connect to have addresses like 192.168.254.X so I guess I'm missing something and I don't actually know what. I've tried manually adding this route:

ip route add 192.168.254.0/24 via 192.168.255.1 dev tun0

Which to me would mean that addresses like 192.168.254.X also go through the VPN server. But if I then do traceroute 192.168.254.30 the results are different:

traceroute 192.168.254.30
traceroute to 192.168.254.30 (192.168.254.30), 30 hops max, 60 byte packets

Also from the client machine I can ping 192.168.255.1 but I cannot ping other clients in the 254 range like ping 192.168.254.30.

My networking knowledge is quite limited. What is missing to let a client like 192.168.254.30 access services on another client like 192.168.254.32?

Update: I've connected a new client to the VPN, this time assigning in the ccd file an IP in the 192.168.255.X range, and then I tried to run traceroute from the client I was testing with. I cannot connect to this client in the 255 range either; moreover, if I run traceroute the following happens.

This new client has 192.168.255.22. If on my testing client I do traceroute 192.168.255.3 I get:

traceroute to 192.168.255.3 (192.168.255.3), 30 hops max, 60 byte packets
 1  192.168.255.1 (192.168.255.1)  11.481 ms  21.192 ms  21.472 ms

The same happens for IPs 4, 5, 6... that have no clients, until I get to 22, which is the IP of the new client; in that case when I do traceroute 192.168.255.22 I get:

traceroute to 192.168.255.22 (192.168.255.22), 30 hops max, 60 byte packets

Why is this happening?

Score:1

It sounds like you're trying to route traffic between different subnets over the OpenVPN server. It is possible to do this, but you'll need to make some additional changes to your OpenVPN configuration.

The first thing to note is that the server directive in your OpenVPN configuration file defines the subnet that the server itself will use. In your case, the server will use the 192.168.255.0/24 subnet. This means that clients will be assigned IP addresses in the 192.168.255.X range.

The route directive, on the other hand, defines a route for traffic from the OpenVPN clients to a specific subnet. In your case, the route directive is telling the OpenVPN server that traffic from clients should be routed to the 192.168.254.0/24 subnet.

However, this isn't enough to allow clients to communicate with each other across different subnets. You'll also need to add a push directive to your OpenVPN server configuration file. This directive tells the OpenVPN server to push routes to the clients, so that they know how to route traffic to other subnets.

Here's an example of what the push directive might look like in your configuration file:

push "route 192.168.254.0 255.255.255.0"

This directive tells the OpenVPN server to push a route to the clients, instructing them to route traffic to the 192.168.254.0/24 subnet through the OpenVPN server.

You'll also need to make sure that the client-to-client directive is enabled in your server configuration. This directive tells the OpenVPN server to allow clients to communicate with each other directly, without routing their traffic through the server.

Once you've made these changes to your configuration, you should be able to connect your clients to the OpenVPN server and communicate with each other across different subnets.

It's worth noting that the client-to-client directive only allows clients to communicate with each other if they are using the same subnet. For example, if a client has an IP address in the 192.168.255.X range, it will only be able to communicate with other clients that also have IP addresses in the 192.168.255.X range. In order for clients in different subnets to communicate with each other, you'll need to use the push directive as described above.
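The question and the answer both come down to one check: every client address assigned through ccd ifconfig-push that lies outside the server subnet needs a route on the other clients, and that route only appears if the server pushes it. The script below is an added example, not code from the question, the answer or the OpenVPN project. It parses a server directive, a set of ccd ifconfig-push lines and a client's ip route output (all constructed inline with the addresses from the thread; the client names are hypothetical), lists the push "route" lines the server is missing, and reports which required subnets a given client still has no route for. It generalizes the thread's single 192.168.254.0/24 case to any number of out-of-subnet client ranges.

```python
"""Derive the push "route" lines an OpenVPN server needs so that ccd-assigned
clients can reach each other, and check a client's routing table against them.
Added example; the inputs below are constructed from the thread, not read from
real files, and the client names are hypothetical."""
import ipaddress
import re

# Constructed sample of the server configuration (lines quoted in the question).
SERVER_CONF = """\
server 192.168.255.0 255.255.255.0
route 192.168.254.0 255.255.255.0
client-to-client
"""

# Constructed sample of ccd/<client> files (hypothetical client names).
CCD = {
    "client-a": "ifconfig-push 192.168.254.30 192.168.255.1\n",
    "client-b": "ifconfig-push 192.168.254.32 192.168.255.1\n",
    "client-c": "ifconfig-push 192.168.255.22 192.168.255.1\n",
}

# Constructed sample of `ip route` output on a client, as shown in the question.
CLIENT_ROUTES = """\
192.168.255.0/24 via 192.168.255.1 dev tun0
"""


def server_subnet(conf):
    """Return the network given by the `server` directive."""
    for line in conf.splitlines():
        m = re.match(r"\s*server\s+(\S+)\s+(\S+)", line)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    raise ValueError("no server directive found")


def has_client_to_client(conf):
    """True if the server forwards traffic between clients at all."""
    return any(line.strip() == "client-to-client" for line in conf.splitlines())


def client_addresses(ccd):
    """Map client name -> address taken from its ifconfig-push line."""
    out = {}
    for name, text in ccd.items():
        for line in text.splitlines():
            m = re.match(r"\s*ifconfig-push\s+(\S+)\s+(\S+)", line)
            if m:
                out[name] = ipaddress.ip_address(m.group(1))
    return out


def required_push_routes(conf, ccd, prefixlen=24):
    """Subnets (default /24) holding client addresses outside the server subnet.
    Clients inside the server subnet are covered by the route OpenVPN already adds."""
    srv = server_subnet(conf)
    nets = set()
    for addr in client_addresses(ccd).values():
        if addr not in srv:
            nets.add(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))
    return sorted(nets)


def push_directives(conf, ccd):
    """The push "route ..." lines to add to the server configuration."""
    return [f'push "route {n.network_address} {n.netmask}"'
            for n in required_push_routes(conf, ccd)]


def missing_client_routes(conf, ccd, ip_route_output):
    """Required subnets for which this client's `ip route` has no covering route."""
    have = []
    for line in ip_route_output.splitlines():
        m = re.match(r"\s*(\S+/\d+)\s+via\s+\S+\s+dev\s+\S+", line)
        if m:
            have.append(ipaddress.ip_network(m.group(1)))
    return [n for n in required_push_routes(conf, ccd)
            if not any(n.subnet_of(h) for h in have)]


if __name__ == "__main__":
    print("client-to-client enabled:", has_client_to_client(SERVER_CONF))
    for d in push_directives(SERVER_CONF, CCD):
        print("server needs:", d)
    for n in missing_client_routes(SERVER_CONF, CCD, CLIENT_ROUTES):
        print("client lacks route for:", n)
```

Run against the thread's configuration it reports that the server needs push "route 192.168.254.0 255.255.255.0" and that a client whose only tun0 route is 192.168.255.0/24 has no route for 192.168.254.0/24, which matches the traceroute to 192.168.254.30 producing no hops. Feeding it the route the asker added by hand makes the missing list empty.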

namelivia (asker) commented:

Thank you very much for your detailed answer; it was exactly what you said, and adding the route lets the clients see each other.