
I am trying to set up a server that can on one hand connect to an OpenVPN server (Server 1) as a client, and act as an OpenVPN server itself (Server 2). The server (Server 2) would then route all the data from its clients to its server (Server 1).

When the server (Server 2) is connected to the main VPN server (Server 1), its IP becomes unreachable. The reason is that all traffic goes through the VPN. This means that there is no way to connect to it as a client. I have also turned off routing all the data when the server (Server 2) is connected to the main server (Server 1) in order to bridge the interfaces tun0 (Server 2 to the clients) and tun1 (Server 1 to Server 2), but this also did not work.

I have been experimenting with routing tables and interfaces etc. for two days now but I was not able to make it work. Also variations of this answer did not help.

Current OpenVPN Server 1 to Server 2 client configuration:

client
dev tun
proto tcp
remote X.X.X.X XX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
# options in a config file are written without the leading "--";
# this drops any redirect-gateway pushed by Server 1 so the default route stays on eth0
pull-filter ignore redirect-gateway

Current Interfaces:

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500

veth92e943f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

Current iptables rules:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

Current routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         XX.XX.XX.1      0.0.0.0         UG    100    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun1
XX.XX.XX.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.169.254 XX.XX.XX.10     255.255.255.255 UGH   100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

I would appreciate your help.

tripleA
  • sysctl -w net.ipv4.ip_forward=1 – gapsf Sep 27 '22 at 03:12
  • We can't see IP addresses of interfaces and what "doesn't work" means. From what address do you test, and how? – gapsf Sep 27 '22 at 03:15
  • @gapsf I did try using IP forwarding but was not able to make it work. And with that I mean the traffic of the client to server (Server 2) is not routed through the VPN connection to Server 1. – tripleA Sep 27 '22 at 08:08
  • Again, from the provided information about the configuration it's hard to tell you something helpful. Is it really not clear that we need information from both servers, including the IP addresses you use to test this setup? Nobody can read your mind to guess what you configure on both servers. From what I see you don't understand how routing works, because despite 2 days of experimenting you still have two routes to the same network 10.8.0.0 on some of your servers (you don't tell from what server your routing table is). If you think it's OK, go and read about IP networking. – gapsf Sep 27 '22 at 08:30
  • ...to understand how it works and what you should do to get the results you need. – gapsf Sep 27 '22 at 08:36
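Added example, not from the question or from any answer: a shell script for the Server 2 role described above, with constructed values for Server 2's public address and gateway, and with Server 2's own clients moved to 10.9.0.0/24 so the tun0 and tun1 routes no longer overlap (the duplicate 10.8.0.0/24 entries in the routing table that gapsf points out). Source-based policy routing keeps the public IP reachable over eth0 even when the tunnel to Server 1 owns the default route, MASQUERADE lets Server 1 reply to tun0 clients without a route back to them, and check_overlap flags the duplicate-prefix condition in `ip -4 route` output; with DRY_RUN=1 (the default) the script only prints the commands for review.

```shell
#!/bin/sh
# Server 2 glue (added example, hypothetical values): stay reachable on eth0
# while tun1 may own the default route, and forward tun0 clients via tun1.
PUB_IF=${PUB_IF:-eth0}
PUB_IP=${PUB_IP:-203.0.113.10}    # constructed: Server 2's public eth0 address
PUB_GW=${PUB_GW:-203.0.113.1}     # constructed: eth0 default gateway
CLIENT_NET=${CLIENT_NET:-10.9.0.0/24}  # Server 2 -> its clients (tun0), not 10.8.0.0/24
UPLINK_IF=${UPLINK_IF:-tun1}      # Server 2 -> Server 1
TABLE=${TABLE:-100}               # extra routing table for the public IP
DRY_RUN=${DRY_RUN:-1}             # 1 = print commands, 0 = execute (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Source-based policy routing: anything Server 2 sends from its public IP
# (SSH, its own OpenVPN listener) leaves via eth0 no matter which default
# route the tunnel to Server 1 installs in the main table.
keep_public_reachable() {
    run ip route replace default via "$PUB_GW" dev "$PUB_IF" table "$TABLE"
    run ip rule add from "$PUB_IP" table "$TABLE" priority 100
}

# Forwarding: tun0 clients out through tun1, replies back, and NAT behind
# Server 2's tun1 address so Server 1 needs no route to CLIENT_NET.
forward_clients_upstream() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i tun0 -o "$UPLINK_IF" -s "$CLIENT_NET" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK_IF" -o tun0 -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$CLIENT_NET" -o "$UPLINK_IF" -j MASQUERADE
}

# Reads `ip -4 route` output on stdin; returns 1 if one prefix is bound to
# more than one interface (the 10.8.0.0/24 on tun0 and tun1 in the question).
check_overlap() {
    awk '$1 ~ /\// { if (($1 in dev) && dev[$1] != $3) dup = 1; dev[$1] = $3 }
         END { exit dup ? 1 : 0 }'
}

apply_all() {
    ip -4 route | check_overlap || echo "warning: overlapping routes, fix subnets first" >&2
    keep_public_reachable
    forward_clients_upstream
}
```

Source the file and call apply_all; the FORWARD policy in the question is already ACCEPT, so the MASQUERADE rule and the policy-routing rule are the pieces that change behaviour.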

0 Answers