Network between 2 instances of OpenVPN
There are some reasons when you have two or more instances on one server.
Assume that:
- Clients of the first instance are in
10.8.0.0/24 - Clients of second in
10.8.1.0/24 - Server IPs is
10.8.0.1(tun0interface) and10.8.1.1(tun1). - Each network has clients
10.8.0.2and10.8.1.2.
Task is allow ping between 10.8.0.2 and 10.8.1.2 .
Add routes
On 10.8.1.2 we need to add route to 10.8.0.0/24 network via IP 10.8.1.1.
Knowing this OS will forward packets with IP 10.8.0.ххх to 10.8.1.1, so they will go to server and appear on tun1.
1st way to make it manually
1st way to make it manually, e.g. if Client 2 run Windows:
route -p add 10.8.0.0 mask 255.255.255.0 10.8.1.1
Same thing with Client 1, e.g. if it runs Linux:
route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.0.1
This is not the cool way because it needs performing manual actions on clients and after reboot, changes will be lost.
2nd and correct way is to use automatic routes
We need to configure them with push "route х.х.х.х mask" option.
For 10.8.1.0/24 network OpenVPN config we need to add:
push "route 10.8.0.0 255.255.255.0"
In this case, when Client 2 will connect to OpenVPN it will automatically do things that we performed manually. Add the same line but with route 10.8.1.0 to another config.
IP Forward in sysctl
Add (or uncomment) next to /etc/sysctl.conf
net.ipv4.ip_forward=1
and reload it:
sysctl --system
iptables
The last thing: change iptables on the server:
iptables -A FORWARD -i tun1 -o tun0 -s 10.8.1.0/24 -d 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -o tun1 -s 10.8.0.0/24 -d 10.8.1.0/24 -j ACCEPT
Also, take care of persistent saving iptables settings.
