Doridian / wsvpn

VPN over WebSocket and WebTransport
BSD 3-Clause "New" or "Revised" License
131 stars 15 forks source link

Is it possible to reach client subnets from server side? #552

Closed lrodorigo closed 2 months ago

lrodorigo commented 4 months ago

As in the title, I am trying to reach a subnet on client side (192.168.0.0/24) from the server side. The first test I am trying to do, is to reach the vpn client from the vpn server, by using its ip on the eth0 interface. I am able to properly ping the VPN client by using the vpn adapter ip address.

192.168.9.1 <---(wsvpn)---> 192.168.9.2 on wsvpn if, 192.168.0.10 on eth0 if

But it seems that a tcpdump on the VPN CLIENT wsvpn interface is not receiving packets sent on the wsvpn tunnel, when the destination ip is not the ip address of the wsvpn iface. Is it correct? Am I missing something?

Regards

Is it

Doridian commented 4 months ago

@lrodorigo Such configuration is possible with routing entries as you described, given a couple constraints: Either of the following (TAP/TUN mode selection here: https://github.com/Doridian/wsvpn/blob/main/server/cli/server.example.yml#L4 ):

Ideally, if you configure WSVPN to TAP mode, this should "just work", as in this case WSVPN itself behaves like a normal "dumb" L2 network switch with some basic sanity checks (see allow-ip-spoofing and allow-client-to-client for examples if you need more advanced configs with clients needing to do more)

In case I am off base and you already use TAP mode, feel free to respond and ideally provide config snippets or full configs (with secrets and privacy sensitive details such as IPs redacted)

lrodorigo commented 4 months ago

Solved by switching to tap mode and allowing IP spoofing in order to receive IP packets with a source ip coming from the destination subnet, I think it is possible to overcome this by performing a better masquerading configuration.