6

My use case: I want to route all Internet traffic from machine B through machine A. However, I cannot simply install OpenVPN server on machine A as machine A is behind layers of NATs/firewalls I don't control. My current solution is to install OpenVPN server on machine C, and have both machines A and B connect to C as clients. I'm trying to set up proper routes so that all traffic from B can be routed through A. The setup on each machine and the steps I have attempted are detailed below and my remaining problem is in the second to last paragraph.

Now, machine C runs Linux and OpenVPN server in a Docker container (https://github.com/kylemanna/docker-openvpn). With redirect-gateway def1, both client machines can connect and route traffic through the server (https://ipleak.net confirms the server IP). For the following tests though, redirect-gateway def1 is removed, while topology subnet and client-to-client are added. The server has subnet IP 192.168.255.1 and public IP AAA.BBB.CCC.DDD.

machine A runs Windows and has IPEnabledRouter=1 set in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, Service Routing and Remote Access set to Automatic and running, and the network adapter with Internet access set to allow sharing from the OpenVPN TAP adapter. It is assigned 192.168.255.2.

machine B runs Windows and is behind a router with IP 192.168.1.100. It is assigned OpenVPN subnet IP 192.168.255.3. The following routes are added in addition to what OpenVPN sets up automatically:

Network Destination Netmask Gateway Interface Metric 0.0.0.0 128.0.0.0 192.168.255.2 192.168.255.3 259 128.0.0.0 128.0.0.0 192.168.255.2 192.168.255.3 259 AAA.BBB.CCC.DDD 255.255.255.255 192.168.1.1 192.168.1.100 291

From machine B, I can ping machine A at 192.168.255.2, but Internet traffic is still routed through the OpenVPN server (ipleak shows AAA.BBB.CCC.DDD). I tried adding a route: route add default gw 192.168.255.2 tun0, but this makes the clients unable to access Internet. The server route table typically looks like:

Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 172.19.0.1 0.0.0.0 UG 0 0 0 eth0 172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 192.168.254.0 192.168.255.2 255.255.255.0 UG 0 0 0 tun0 192.168.255.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0

How can I make this work?

[EDIT] A little more context on the use case: I need to set up VPN for a division so that their users' home computers machine B can access third-party resources that restrict access based on IP address. The access to machine A is not blocked, but there are at least two layers of NAT/firewalls up the organization, whose admins do not want to change their setup to help with incoming connections. We therefore want to devise a working solution using machine C that may be a VPS as the VPN server. There is an official VPN service but since it is open to certain outside members, the third-party vendor does not wish to allow its IP access.

Network Diagram

Improve this question
9
  • I'm a little confused about this "on hold" message: I gave the desired end state / clear problem statement in the first paragraph, the specific problem or error in the second to last paragraph, sufficient information about the config and environment AND attempted solution in detail throughout the whole post. Commented Aug 7, 2019 at 14:42
  • The question is in the review queue to possibly be re-opened - if enough reviewers think that the question is now suitable, it will get re-opened. Personally, I think it should still be closed because it's not a professional way to do things, but I'll let the review process run its course. Commented Aug 9, 2019 at 1:40
  • 1
    I added a network diagram. The access to said resources is provided by a third-party vendor, who does not want to deal with users' home network (understandably) or even the organization-wide VPN. Commented Aug 13, 2019 at 15:05
  • 1
    @RocWhite Now you make me doubth my vote. Is it firewall you control, or only the third part vendor that block you ? As it's illogical to create a bypass scenario to bypass your own netadmin department. Such question would be closed back. Commented Aug 15, 2019 at 16:09
  • 1
    I just found a solution to this problem! To answer your questions though, only the third party blocks access based on IP range. Our own network does not block machineA per se, and as I was saying in meta, our IT admins allow us to set up any servers or VPNs, as long as they don't need to deal with and support it or set up the necessary port forwarding. Now one can argue whether this fits SF's view how professional network should be operated, but to us this is a real and legitimate use case in a real business environment. I do appreciate your patience and help making this question more clear. Commented Aug 17, 2019 at 3:48

2 Answers 2

Reset to default
3

In principle, the setup should be similar to RoutedLans, except that we cannot simply set machine A to handle 0.0.0.0. This SF answer explains why packets cannot be sent through another client as the gateway using the TUN interface. However, there is a workaround according to the first comment to this answer.

On machine C:

  1. Add the following to the server configuration:
topology subnet client-to-client route 1.0.0.0 255.0.0.0 route 2.0.0.0 254.0.0.0 route 4.0.0.0 252.0.0.0 route 8.0.0.0 248.0.0.0 route 16.0.0.0 240.0.0.0 route 32.0.0.0 224.0.0.0 route 64.0.0.0 192.0.0.0 route 128.0.0.0 128.0.0.0 push "route 1.0.0.0 255.0.0.0" push "route 2.0.0.0 254.0.0.0" push "route 4.0.0.0 252.0.0.0" push "route 8.0.0.0 248.0.0.0" push "route 16.0.0.0 240.0.0.0" push "route 32.0.0.0 224.0.0.0" push "route 64.0.0.0 192.0.0.0" push "route 128.0.0.0 128.0.0.0"
  1. Set iroutes and a static IP for machine A in client-config-dir.
ifconfig-push 192.168.255.2 255.255.255.0 push "route 192.168.255.0 255.255.255.0 192.168.255.1" iroute 1.0.0.0 255.0.0.0 iroute 2.0.0.0 254.0.0.0 iroute 4.0.0.0 252.0.0.0 iroute 8.0.0.0 248.0.0.0 iroute 16.0.0.0 240.0.0.0 iroute 32.0.0.0 224.0.0.0 iroute 64.0.0.0 192.0.0.0 iroute 128.0.0.0 128.0.0.0

On machine A:

  1. In HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, set IPEnableRouter=1.

  2. Set service Routing and Remote Access to Automatic and make sure it is running.

  3. Set the network adapter with Internet access to allow sharing from the OpenVPN TAP adapter. It appears that sharing has to be disabled and re-enabled every time the machine is rebooted.

On machine B: make sure redirect-gateway def1 is in the client configuration.

Improve this answer
0

I had success for similar setup with a client-specific configuration for machine A with a single option:
/etc/openvpn/ccd/machine-a.conf
iroute 0.0.0.0 0.0.0.0

machine B must use one of redirect-gateway options available.

machine C must use this options (among others):

dev tun1 client-to-client topology subnet client-config-dir /etc/openvpn/ccd

Checked on OpenVPN 2.6_rc1.

Thanks Roc W for the idea with the handling of 0.0.0.0!

p.s. yes, i've seen in another answers to questions, linked to Roc W's post, that iroute 0.0.0.0 0.0.0.0 doesn't work. But i've done a few checks with tcpdump and ip verification - and it seems working fine. But maybe i've missed something...

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.