OpenVPN Clients using server's connection (with no default gateway)

Posted by Branden Martin on Server Fault See other posts from Server Fault or by Branden Martin
Published on 2012-09-19T02:57:56Z Indexed on 2012/09/19 3:40 UTC
Read the original article Hit count: 521

Filed under:

I wanted an OpenVPN server so that I could create a private VPN network for staff to connect to the server.

However, not as planned, when clients connect to the VPN, it's using the VPN's internet connection (ex: when going to whatsmyip.com, it's that of the server and not the clients home connection).

server.conf

local <serverip>
port 1194
proto udp
dev tun

ca ca.crt
cert x.crt
key x.key 

dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client

keepalive 10 120
comp-lzo
persist-key
persist-tun

status openvpn-status.log

verb 9

client.conf

client
dev tun
proto udp

remote <srever> 1194
resolv-retry infinite

nobind

persist-key
persist-tun

ca ca.crt
cert x.crt
key x.key

ns-cert-type server
comp-lzo
verb 3

Server's route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
69.64.48.0      *               255.255.252.0   U     0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0
default         static-ip-69-64 0.0.0.0         UG    0      0        0 eth0

Server's IP Tables

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-proftpd  tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:20000
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webmin
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-proftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

My goal is that clients can only talk to the server and other clients that are connected.

Hope I made sense. Thanks for the help!

© Server Fault or respective owner

Related posts about openvpn