Hey, I'm trying to set up the same thing, but using your instructions did not help. Can you post the full config? Would be awesome! Currently, clients either don't route through the VPN at all or can't connect to the outside internet at all. They can connect to the gateway-client though. So yeah, if you could post the server and client configs, I'd really appreciate it!

I had the same requirement and solved it with the L3 tun type. The idea was quite simple: use ccd and put iroute 0.0.0.0 0.0.0.0 for the client I want to use as a gateway. I'm on OpenVPN 2.6_rc1. So, we should have at least 3 nodes in the network:
- server - endpoint with a public IP (VPS on Debian in my case)
- client-gateway - a computer behind any firewalls / NATs with internet access (I use a Raspberry Pi at home; it's behind the provider's NAT and my home router). This computer will be used as an exit node for all clients of the VPN.
- client device - any client to be routed via client-gateway. I have Linux and Android only, but I suggest this will work for Windows clients too.

Important options for the server are:
Code:
dev tun1
client-to-client
topology subnet
# We'll use this for our client-gateway special config
client-config-dir /etc/openvpn/ccd
# Or use this option manually for all clients except client-gateway
push "redirect-gateway autolocal"

Also DHCP and authentication must be configured. There is nothing special here, just another network.

I have net.ipv4.conf.tun1.forwarding=0 on the server, because all packets are routed internally by OpenVPN, I guess. They're probably not even passed to the kernel, so if you run tcpdump -i tun1 on the server it will be silent, and that's ok.

The most important part - the client-specific configuration for the client-gateway node. It contains 2 options only:
Code:
# I believe this one is optional, but haven't tested that
ifconfig-push 10.5.5.2 255.255.255.0
# This will route all the traffic onto our client-gateway node
iroute 0.0.0.0 0.0.0.0
For the client-gateway the only important option is route-nopull, since I'm pushing the default route to each client. And since my client-gateway node is behind the provider's NAT and router, I had to configure a static route to the VPN subnet via client-gateway on the router box, to make it handle packets from the tunnel properly. Or you can do masquerade on the client-gateway node. Anyway, net.ipv4.conf.tun1.forwarding must be enabled here.
All other clients have no special options.
I'm not very experienced in networking, but I've done a few tests with IP checks and tcpdump. And it seems the traffic is routed correctly: client -> server -> client-gateway -> internet.
Statistics: Posted by stepeos — Sat Aug 31, 2024 5:49 pm
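As an added example, not from the post above or from the OpenVPN project, here is a POSIX shell script that writes the three pieces of the "client as exit node" design the thread describes (server config with ccd, the per-client ccd file carrying iroute 0.0.0.0 0.0.0.0, and the client-gateway config with route-nopull) into a directory, plus a reviewable host-side snippet for the gateway's forwarding and masquerade, and then checks that every option the design depends on is actually present. Everything beyond the option names and the 10.5.5.0/24 subnet from the post is an assumption: the gateway's certificate CN "client-gateway", the placeholder server hostname vpn.example.invalid, the upstream interface eth0, and the file layout.

```shell
#!/bin/sh
# Added example, not the forum poster's or OpenVPN's own code. It generates the
# configuration pieces for a "client as exit node" setup and sanity-checks them.
# Assumptions: gateway certificate CN is "client-gateway", VPN subnet is
# 10.5.5.0/24 (from the post's ifconfig-push), server is vpn.example.invalid
# (placeholder), and the gateway's upstream interface is eth0.

write_configs() {
    dir="$1"
    mkdir -p "$dir/ccd"

    # Server side: client-to-client lets OpenVPN forward between clients
    # internally, topology subnet gives each client a /24 address, and the
    # ccd directory holds the per-client override for the gateway.
    # redirect-gateway is pushed to everyone; the gateway ignores it with
    # route-nopull (see its config below).
    cat > "$dir/server.conf" <<'EOF'
dev tun1
topology subnet
server 10.5.5.0 255.255.255.0
client-to-client
client-config-dir /etc/openvpn/ccd
push "redirect-gateway autolocal"
EOF

    # Per-client file, named after the gateway's certificate CN. The catch-all
    # iroute tells the server's internal routing table that every destination
    # not otherwise known is reachable through this client.
    cat > "$dir/ccd/client-gateway" <<'EOF'
ifconfig-push 10.5.5.2 255.255.255.0
iroute 0.0.0.0 0.0.0.0
EOF

    # Gateway side: route-nopull refuses the pushed default route. Without it
    # the exit node would send its own upstream traffic back into the tunnel
    # and loop.
    cat > "$dir/client-gateway.conf" <<'EOF'
client
dev tun1
remote vpn.example.invalid 1194
route-nopull
EOF

    # Host-side commands for the gateway, written to a file for review rather
    # than executed: forwarding on tun1 and masquerade for the VPN subnet
    # (the alternative the post mentions to a static route on the home router).
    cat > "$dir/gateway-host.sh" <<'EOF'
#!/bin/sh
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.tun1.forwarding=1
iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE
EOF
}

# Pre-deployment checks. Returns 0 only when every option the design relies
# on is present and the gateway is not handed a default route it would loop on.
check_configs() {
    dir="$1"
    grep -q '^client-to-client$' "$dir/server.conf" || return 1
    grep -q '^client-config-dir ' "$dir/server.conf" || return 1
    grep -q '^topology subnet$' "$dir/server.conf" || return 1
    grep -q '^iroute 0\.0\.0\.0 0\.0\.0\.0$' "$dir/ccd/client-gateway" || return 1
    grep -q '^route-nopull$' "$dir/client-gateway.conf" || return 1
    # A redirect-gateway inside the gateway's own ccd file would defeat the
    # design; refuse such a layout.
    grep -q 'redirect-gateway' "$dir/ccd/client-gateway" && return 1
    grep -q 'net.ipv4.conf.tun1.forwarding=1' "$dir/gateway-host.sh" || return 1
    return 0
}
```

Run it as `. ./exitnode.sh; d=$(mktemp -d); write_configs "$d"; check_configs "$d" && echo ok`, then copy the generated files into place on each node; the check function is also useful on its own against an existing deployment directory, since a missing route-nopull on the gateway is the usual cause of the "can't reach the outside internet" symptom described in the thread.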