Vpn CentoOs 7.7

[corsaro8877]

Greetings to all, I set up a vpn host to site, I connect to the vpn correctly but I can't reach the PCs inside it

The pc hosting the vpn has ip
192.168.10.252/24 gw 192.168.10.1 interface enp3s0
10.10.10.0/24 interface tun0

The server router has ip 192.168.10.1
Door 1194 is correctly open, the connection is in fact established.
The problem is that from the client I don't ping the vpn network and I don't even reach the pc behind the vpn.
The vpn does not and must not act as a gateway to the network.

This is the server code

Code: Select all

# Secure OpenVPN Server Config

# Basic Connection Config
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 5

# Certs
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem


client-to-client

# Ciphers and Hardening
reneg-sec 0
remote-cert-tls client
crl-verify /etc/openvpn/server/crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

# Drop Privs
user nobody
group nobody

# IP pool
server 10.10.10.0 255.255.255.0
;client-config-dir ccd

# Misc
persist-key
persist-tun
comp-lzo
duplicate-cn

# DHCP Push options force all traffic through VPN and sets DNS servers
;push "redirect-gateway def1"
;push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 8.8.4.4"
push "route 192.168.10.0 255.255.255.0"

# Logging
log-append /var/log/openvpn.log
verb 3

This is the client code

Code: Select all

client
dev tun
proto udp4

remote public_ip 1194

ca ca.crt
cert user.crt
key ueser.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256


resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

This is route -n

Code: Select all

[root@openvpn-srv openvpn]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 enp3s0
10.10.10.0      10.10.10.2      255.255.255.0   UG    0      0        0 tun0
10.10.10.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp3s0

This is firewall-cmd --zone=public --list-all

Code: Select all

[root@openvpn-srv openvpn]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client openvpn ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I trust in your support.

Thanks

[jlehtone]

The problem is that from the client I don't ping the vpn network and I don't even reach the pc behind the vpn.
The vpn does not and must not act as a gateway to the network.

Gateway is a router.

Your openvpn-srv is connected to two networks: 192.168.10.0/24 and 10.10.10.0/24.

Code: Select all

PC --- 192.168.10.0/24 --- openvpn-srv --- 10.10.10.0/24 --- client

You want PC and client to communicate.

The vpn config should already tell client that "to 192.168.10.0/24 via vpn tunnel".
You have to tell the PC "to 10.10.10.0/24 via 192.168.10.252".

Routing must be enabled on openvpn-srv. I bet it is not.

Firewall on openvpn-srv must allow communication between the two networks. Alas, firewalld is not so nice on router.
See "Rich rules" in https://www.lisenet.com/2016/firewalld- ... -a-router/