OpenVPN Clients using server's connection (with no default gateway)
Posted by Branden Martin on Server Fault
Published on 2012-09-19T02:57:56Z
openvpn
I wanted an OpenVPN server so that I could create a private VPN network for staff to connect to the server.
However, not as planned, when clients connect to the VPN, it's using the VPN's internet connection (ex: when going to whatsmyip.com, it's that of the server and not the client's home connection).
server.conf
local <serverip>
port 1194
proto udp
dev tun
ca ca.crt
cert x.crt
key x.key 
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 9
client.conf
client
dev tun
proto udp
remote <server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert x.crt
key x.key
ns-cert-type server
comp-lzo
verb 3
Server's route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
69.64.48.0      *               255.255.252.0   U     0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0
Server's IP Tables
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-proftpd  tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:20000
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webmin
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain fail2ban-proftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
My goal is that clients can only talk to the server and other clients that are connected.
Hope I made sense. Thanks for the help!
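The posted server.conf does not push a default route, yet the FORWARD chain accepts anything from 10.8.0.0/24 to any destination, which is exactly the rule that (together with a MASQUERADE rule in the nat table, not shown in the question) turns the server into the clients' internet gateway. The script below is an added example, not code from the question or from any answer to it: it parses the server.conf, the `route` output and the `iptables -L FORWARD` output as posted, reports the conditions that matter for this symptom, and emits a tighter FORWARD rule set that confines the VPN subnet to the tunnel interface. It assumes the tunnel device is `tun0` (the kernel's first name for `dev tun`) and that the pasted outputs are representative; the embedded inputs are copied from the question above.

```python
"""Audit an OpenVPN server config and its kernel FORWARD chain for the
"VPN clients egress through the server" condition, then generate rules
that only let the VPN subnet reach the server and other tunnel peers."""
import ipaddress
import re

# Inputs copied from the question (the <serverip> placeholder is kept as posted).
SERVER_CONF = """\
local <serverip>
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
"""

ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
69.64.48.0      *               255.255.252.0   U     0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0
"""

FORWARD_CHAIN = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
"""


def parse_server_conf(text):
    """Return the VPN subnet, the tunnel device name and whether a default route is pushed."""
    subnet, dev, pushes_gateway = None, "tun0", False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "server" and len(args) >= 2:
            # ipaddress accepts "network/netmask" notation directly
            subnet = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif key == "dev" and args:
            # "dev tun" lets the kernel choose the name; assume tun0 (an assumption)
            dev = args[0] if re.fullmatch(r"tun\d+", args[0]) else "tun0"
        elif key == "push" and "redirect-gateway" in line:
            pushes_gateway = True
    return {"subnet": subnet, "dev": dev, "pushes_gateway": pushes_gateway}


def count_default_routes(text):
    """Count 'default' entries in `route` output; more than one is worth a look."""
    return sum(1 for line in text.splitlines() if line.split()[:1] == ["default"])


def parse_forward_chain(text):
    """Parse `iptables -L FORWARD` output into (target, source, destination, extra) tuples."""
    rules = []
    for line in text.splitlines():
        if line.startswith(("Chain", "target")):
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, _prot, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) > 5 else ""
        rules.append((target, src, dst, extra))
    return rules


def audit(conf, rules, route_text):
    """Return human-readable findings about why VPN traffic can leave via the server."""
    findings = []
    if not conf["pushes_gateway"]:
        findings.append("server.conf does not push redirect-gateway; the client should "
                        "keep its own default route, so inspect the client side as well")
    for target, src, dst, extra in rules:
        # a plain ACCEPT from the VPN subnet to anywhere, with no interface or state
        # restriction, forwards client traffic out of every interface, eth0 included
        if target != "ACCEPT" or dst != "anywhere" or "state" in extra:
            continue
        try:
            src_net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue
        if conf["subnet"] and src_net.overlaps(conf["subnet"]):
            findings.append(f"FORWARD accepts {src} to any destination; with a MASQUERADE "
                            f"rule in nat/POSTROUTING the server becomes the clients' gateway")
    n = count_default_routes(route_text)
    if n > 1:
        findings.append(f"{n} default routes on the server; expected exactly one")
    return findings


def hardened_forward_rules(conf):
    """Rules that keep VPN traffic inside the tunnel (server itself is reached via INPUT)."""
    subnet, dev = conf["subnet"].with_prefixlen, conf["dev"]
    return [
        "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
        # only needed when client-to-client is removed: then peer traffic crosses FORWARD
        f"iptables -A FORWARD -i {dev} -o {dev} -j ACCEPT",
        f"iptables -A FORWARD -s {subnet} ! -o {dev} -j REJECT --reject-with icmp-port-unreachable",
    ]


if __name__ == "__main__":
    conf = parse_server_conf(SERVER_CONF)
    for finding in audit(conf, parse_forward_chain(FORWARD_CHAIN), ROUTE_TABLE):
        print("finding:", finding)
    print("\n".join(hardened_forward_rules(conf)))
```

The generated rules replace the `ACCEPT all 10.8.0.0/24 anywhere` line rather than sitting after it, since iptables stops at the first match; with `client-to-client` set, peer traffic is switched inside OpenVPN and never reaches FORWARD, so the tun0-to-tun0 rule is harmless but idle.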
© Server Fault or respective owner