Hello everyone,
My questions may involve my own lack of vocabulary with regards to
OpenVPN terminology, so if I'm asking something that has been delved into
many times before, please point me in the right direction, but please
let me know how I should be searching for the info I seek, as I've
spent considerable time combing over Google as well as the various
documents I've found in mailing list archives and on OpenVPN.net
and have not encountered information to help clarify my situation.
Ok... what I've got:
2 geographically separate networks.
Network A:
/8 subnet of publicly routable IP addresses. I do not have access to
the default gateway, as it is part of the organization's overall
networking/routing structure. I have an OpenVPN server setup which uses
certificates. All machines that I wish to participate on the VPN I've
IP-aliased private-band 192.168.6.x IPs to, and each of these machines has
specific route entries telling them where the VPN "gateway" is located.
The OpenVPN server has a public as well as a private (i.e. aliased) IP
address.
Network B:
RoadRunner external IP, which is NAT'ed/pf'ed by an OpenBSD box, which
serves private-band IPs (192.168.10/24 and 192.168.7/24) to the
collection of machines located here. Because I have control of the
gateway, the appropriate routes are entered there, so manual
configurations are not needed on the other machines.
There is a machine behind the NAT/firewall which is the OpenVPN
client. On that same machine we're also running an OpenVPN server to
allow for connections "from home" for me and other people working on the
network.
----
Network B is a client to Network A as far as that VPN relationship goes.
My compadres and I are clients to Network B's VPN server.
There are going to be individuals VPNing in as clients to Network A's VPN.
Current connectivity
-------------------------
While on a machine on Network B, I can ping all the "participating"
machines on Network A, and the reverse is also true.
Of course, I believe on either side, neither VPN endpoint can directly
ping any machines on the other side of the tunnel, save the other VPN
endpoint. VPN endpoints are each living on separate private IP subnets
(B has some IPs on 192.168.9/24, and A has 192.168.250/24)
From home, I run a 192.168.12/24 network, and from a machine on my home
network I can ping machines on the network B network (but not A, I
haven't pushed any of my routes on that side, but it has been done,
although that was with a 10.x.x.x network).
Desired connectivity
--------------------------
I would like for an individual who VPNs in to network A (their primary
network), to also be able to access machines on network B. The VPN
client used will be TunnelBlick on a MacOS X box.
I've generated/signed certificates for this, and I can VPN in to
Network A (I'm actually situated at Network B and doing all of A's
configuration remotely), and access machines on A's network when I'm a
client to A (no problem).
However, as I said, I'd like to also access machines on the B network,
although any attempts at setting up the routing seem to generate some
wild and crazy packet surges on B's firewall/NAT and do not seem to
allow for a 2-way connection for communications (machines on network B
SEE my packets, but don't know how to return them).
I would have thought that, if I had the VPN IP of 192.168.250.10, and
on network B, which has a VPN endpoint at 192.168.10.8, I could simply do a:
route add 192.168.250.10/32 192.168.10.8
And machines on the B network would then be able to reciprocate
communications back (and all would be happy). This does not seem to be
the case.
IP Forwarding is enabled on both VPN endpoints (networks A and B), and
I wouldn't imagine it being needed on the single machine TunnelBlick
clients.
-=-=-=-
Both VPN servers are running Linux. The majority of machines involved
here are running Linux.
Network B's firewall/NAT is OpenBSD.
A couple of the "From Home" clients are DD-WRT'ed/OpenWRT Linux-based
Linksys APs, and 2-4 MacOS X "from elsewhere" TunnelBlick clients. TUN
on all.
Like I said, things mostly work, but it would be nice to get this
"fringe client access to other VPN network" access going, as it would
facilitate communications on some projects in very big ways.
Any pointers or suggestions to information I would need to pursue are
most welcome, and if anyone would be interested in fielding any
particular configuration settings and network settings I'd be willing to
oblige (just let me know what configs you'd like to see).
We've picked up most of this by learning. I for one have not done anywhere
near this level of network routing before starting to play with the VPNs,
so I acknowledge I may be missing some critical pieces here and there.
Aside from pings and ssh attempts, I am doing a lot of debugging using
tcpdump to sniff on appropriate tunnel and eth interfaces, so I can tell
how far and in what fashion packets are travelling, which has greatly
helped in getting proper understanding of the routes needing to be in
place. But this one just has me confounded.
Thanks for any suggestions/information.
-Matthew
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
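The symptom the post describes (machines on network B see the packets from the 192.168.250.10 road-warrior but have nowhere to send the replies) is a return-path problem, and it can be reproduced offline by walking a packet through each hop's routing table in both directions. The script below is an added example and is not code from the post or from the OpenVPN project. Only 192.168.250.10, 192.168.10.8 and the 192.168.10/24 and 192.168.250/24 prefixes come from the post; every other address, the host names, and all of the routing tables are constructed assumptions made to keep the model small. The tun subnet 192.168.250/24 is modelled as a single directly attached segment (the OpenVPN server's relaying between clients is hidden inside that simplification).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology (assumption, not the poster's real configuration).
# Addresses taken from the post: 192.168.250.10 (road-warrior on A's VPN)
# and 192.168.10.8 (B's OpenVPN endpoint). Everything else is made up.
HOSTS: Dict[str, List[str]] = {
    "roadwarrior": ["192.168.250.10"],                  # TunnelBlick client on A's VPN
    "serverA":     ["192.168.250.1", "192.168.6.1"],    # A's OpenVPN server (assumed IPs)
    "clientB":     ["192.168.250.20", "192.168.10.8"],  # B's OpenVPN client, also on B's LAN
    "hostB":       ["192.168.10.50"],                   # ordinary machine on B's LAN (assumed)
    "gatewayB":    ["192.168.10.1"],                    # OpenBSD NAT/pf box (assumed IP)
}

# (prefix, next_hop); next_hop None means the prefix is directly attached.
Route = Tuple[str, Optional[str]]
ROUTES: Dict[str, List[Route]] = {
    "roadwarrior": [("192.168.250.0/24", None),
                    ("192.168.10.0/24", "192.168.250.1")],    # pushed by A's server (assumed)
    "serverA":     [("192.168.250.0/24", None), ("192.168.6.0/24", None),
                    ("192.168.10.0/24", "192.168.250.20")],   # B's LAN lives behind clientB
    "clientB":     [("192.168.250.0/24", None), ("192.168.10.0/24", None),
                    ("0.0.0.0/0", "192.168.10.1")],
    "hostB":       [("192.168.10.0/24", None),
                    ("0.0.0.0/0", "192.168.10.1")],           # knows nothing about the VPN
    "gatewayB":    [("192.168.10.0/24", None),
                    ("192.168.6.0/24", "192.168.10.8"),       # the A<->B link the post says exists
                    ("0.0.0.0/0", "203.0.113.1")],            # ISP side, outside the model
}


def owner_of(ip: str) -> Optional[str]:
    """Which modelled host holds this address (None if nobody does)."""
    for host, addrs in HOSTS.items():
        if ip in addrs:
            return host
    return None


def lookup(host: str, dst: str, routes: Dict[str, List[Route]] = ROUTES) -> Optional[Route]:
    """Longest-prefix match over one host's routing table."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, next_hop in routes[host]:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop), net.prefixlen
    return best


def trace(src_host: str, dst: str, routes: Dict[str, List[Route]] = ROUTES,
          max_hops: int = 16) -> Tuple[List[str], str]:
    """Follow a packet for dst hop by hop; returns (hosts visited, outcome)."""
    hops, cur = [src_host], src_host
    for _ in range(max_hops):
        route = lookup(cur, dst, routes)
        if route is None:
            return hops, f"{cur} has no route to {dst}"
        _, next_hop = route
        if next_hop is None:                 # directly attached: deliver on this segment
            owner = owner_of(dst)
            if owner is None:
                return hops, f"{cur} treats {dst} as on-link but no modelled host owns it"
            if owner != cur:
                hops.append(owner)
            return hops, "delivered"
        nxt = owner_of(next_hop)
        if nxt is None:                      # e.g. the default route towards the ISP
            return hops, f"{cur} forwards to {next_hop}, which is outside the modelled network"
        hops.append(nxt)
        cur = nxt
    return hops, "hop limit exceeded (routing loop?)"


def add_route(routes: Dict[str, List[Route]], host: str, route: Route) -> Dict[str, List[Route]]:
    """Copy the tables and add one route to one host, leaving the original untouched."""
    new = {h: list(table) for h, table in routes.items()}
    new[host].append(route)
    return new


if __name__ == "__main__":
    print("forward :", trace("roadwarrior", "192.168.10.50"))
    print("return  :", trace("hostB", "192.168.250.10"))
    fixed = add_route(ROUTES, "gatewayB", ("192.168.250.0/24", "192.168.10.8"))
    print("return after adding 192.168.250/24 via 192.168.10.8 on gatewayB:",
          trace("hostB", "192.168.250.10", fixed))
```

With the tables as modelled, the forward trace reaches hostB, but the reply from hostB goes to its default gateway, which has no entry for 192.168.250/24 and hands the packet to the ISP side; that is the one-way traffic the post describes. Adding a single route for the whole 192.168.250/24 prefix on the gateway (rather than the per-host /32 the post tried) gives every machine on the LAN a return path without touching them individually. Two caveats for the real setup, both general points rather than anything the post states: on an OpenBSD gateway the route has to be paired with pf rules that pass traffic between the LAN and 192.168.250/24, and on A's side the OpenVPN server must know that 192.168.10/24 is reachable through B's client (in OpenVPN that is what a `route` on the server plus an `iroute` in that client's client-config-dir entry express) or the forward direction breaks first.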