There are some reasons when you have two or more instances on one server.
Assume that:
- Clients of first instance are in
10.8.0.0/24
- Clients of second in
10.8.1.0/24
- Server IPs is
10.8.0.1
(tun0
interface) and10.8.1.1
(tun1
). - Each network has clients
10.8.0.2
and10.8.1.2
.
Task is allow ping
between 10.8.0.2
and 10.8.1.2
.
Add routes
On 10.8.1.2
we need to add route to 10.8.0.0/24
network via IP 10.8.1.1
.
Knowing this OS will forward packets with IP 10.8.0.ххх
to 10.8.1.1
, so they will go to server and appear on tun1
.
1st way to make it manually, e.g. if Client 2
run Windows
:
route -p add 10.8.0.0 mask 255.255.255.0 10.8.1.1
Same Same thig with Client 1
, e.g. if it run Linux
:
route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.0.1
This is not cool way because it needs performing manual actions on clients and after reboot changes will be lost.
2nd and correct way is use automatic routes configuring with push "route х.х.х.х mask"
option.
For 10.8.1.0/24
network openvpn config we need to add:
push "route 10.8.0.0 255.255.255.0"
In this case, when Client 2
will connect to OpenVPN it will automaticaly do things that we performed manually. Add same line but with route 10.8.1.0
to another config.
IP Forward in sysctl
Add (or uncomment) next to /etc/sysctl.conf
net.ipv4.ip_forward=1
and reload it:
sysctl --system
iptables
The last thing change iptables on server:
iptables -A FORWARD -i tun1 -o tun0 -s 10.8.1.0/24 -d 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -o tun1 -s 10.8.0.0/24 -d 10.8.1.0/24 -j ACCEPT
Also take care about persistent saving iptables settings.