OpenVPN Chaining

Posted by noderunner on Server Fault See other posts from Server Fault or by noderunner
Published on 2013-06-25T17:38:42Z Indexed on 2013/06/29 22:23 UTC
Read the original article Hit count: 198

Filed under:
|

I'm trying to set up an OpenVPN "chain", similar to what is described here. I have two separate networks, A and B. Each network has an OpenVPN server using a standard "road warrior" or "client/server" approach. A client can connect to either one for access to the hosts/services on that respective network.

But server A and B are also connected to each other. The servers on each network have a "site-to-site" connection between the two.

What I'm trying to accomplish, is the ability to connect to network A as a client, and then make connections with hosts on network B. I'm using tun/routing for all of the VPN connections. The "chain" looks something like this:

[Client]  ---> [Server A] ---> [Server A] ---> [Server B] ---> [Server B] ---> [Host B] 
(tun0) (tun0) (tun1) (tun0) (eth0) (eth0)

The whole idea is that server A should route traffic destined to network B through the "site-to-site" VPN set up on tun1 when a client from tun0 tries to connect.

I did this simply by setting up two connection profiles on server A. One profile is a standard server config running on tun0, defining a virtual client network, IP address pool, pushing routes, etc. The other is a client connection to Server B running on tun1. With ip_forwarding enabled, I then simply added a "push route" to the clients advertising a route to network B.

On server A, this seems to work when I look at tcpdump output. If I connect as a client, and then ping a host on network B, I can see the traffic getting passed from tun0 to tun1 on Server A:

tcpdump -nSi tun1 icmp

The weird thing is that I don't see Server B receiving that traffic through the tunnel. It's as if Server A is sending it through the site-to-site connection like it should, but server B is completely ignoring it. When I look for the traffic on Server B, it simply isn't there.

A ping from Server A --> Host B works fine. But a ping from a client connected to Server A to host B does not.

I'm wondering if Server B is ignoring the traffic because the source IP does not match the client IP pool that it hands out to clients? Does anyone know if I need to do something on Server B in order for it to see the traffic?

This is a complicated problem to explain, so thanks if you stuck with me this far.

© Server Fault or respective owner

Related posts about vpn

Related posts about openvpn