OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

OpenVPN does not use the default 10.8.0.0/24 network segment and cannot be forwarded? #504

Closed 6triker closed 4 months ago

6triker commented 4 months ago

OpenVPN does not use the default 10.8.0.0/24 network segment and cannot be forwarded

ordex commented 4 months ago

OpenVPN uses the network segment you set in the configuration. There is no hard coded value. If you are encountering some issue, please share config and log files. Thanks!

TinCanTech commented 4 months ago

Appears to be related to: https://github.com/angristan/openvpn-install/issues/1206

6triker commented 4 months ago

> OpenVPN uses the network segment you set in the configuration. There is no hard coded value. If you are encountering some issue, please share config and log files. Thanks!

```
[root@dev ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.8.1     0.0.0.0         UG        0 0          0 ens18
10.8.16.0       0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.8.0     0.0.0.0         255.255.255.0   U         0 0          0 ens18
[root@dev ~]# cat /etc/iptables/add-openvpn-rules.sh
#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.16.0/24 -o ens18 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i ens18 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens18 -j ACCEPT
iptables -I INPUT 1 -i ens18 -p tcp --dport 1194 -j ACCEPT
[root@dev ~]# cat /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.16.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.8.0 255.255.255.0 vpn_gateway"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_maXx0LQwcdJ5XtrS.crt
key server_maXx0LQwcdJ5XtrS.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
```

The client cannot access other addresses in the 192.168.8.0 network segment. Is there a problem with my configuration?

Through the iptables log, it was found that the packet has been forwarded, and if it does not flow properly, it should be unrelated to the VPN. We are currently investigating!
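The server.conf, NAT script and routing table posted above can be checked against each other for the mismatch the issue title is about: a NAT or FORWARD rule still written for the default 10.8.0.0/24 while the `server` directive hands out 10.8.16.0/24, or a pushed LAN route that the kernel does not reach through the interface being masqueraded. The script below is an added example, not part of this issue or of the OpenVPN project; its sample inputs are constructed from the lines posted in the thread, and the function names are my own.

```python
import ipaddress
import re
# Constructed sample inputs: the relevant lines of the files posted in this thread.
SERVER_CONF = '''server 10.8.16.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0 vpn_gateway"
'''
NAT_SCRIPT = '''iptables -t nat -I POSTROUTING 1 -s 10.8.16.0/24 -o ens18 -j MASQUERADE
iptables -I FORWARD 1 -i ens18 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens18 -j ACCEPT
'''
NETSTAT_RN = '''Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.8.1 0.0.0.0 UG 0 0 0 ens18
10.8.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 ens18
'''

def vpn_subnet(conf):
    """Tunnel pool from the 'server <net> <mask>' directive in server.conf."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)", conf, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")

def masquerade_rules(script):
    """(source network, outgoing interface) of every MASQUERADE rule in the script."""
    pat = r"POSTROUTING.*?-s\s+(\S+).*?-o\s+(\S+).*?-j\s+MASQUERADE"
    return [(ipaddress.ip_network(s), o) for s, o in re.findall(pat, script)]

def route_iface(netstat, net):
    """Interface the kernel routes 'net' through, parsed from netstat -rn output."""
    for fields in (line.split() for line in netstat.splitlines()):
        try:
            if ipaddress.ip_network(f"{fields[0]}/{fields[2]}") == net:
                return fields[7]
        except (IndexError, ValueError):  # header or blank line, not a route
            continue
    return None

def check_forwarding(conf, script, netstat):
    """Mismatches between server.conf, the NAT script and the kernel routes."""
    vpn, nat, problems = vpn_subnet(conf), masquerade_rules(script), []
    if not any(src == vpn for src, _ in nat):
        problems.append(f"no MASQUERADE rule for VPN subnet {vpn}")
    for net, mask in re.findall(r'push "route (\S+) (\S+)', conf):
        lan = ipaddress.ip_network(f"{net}/{mask}")
        iface = route_iface(netstat, lan)
        if iface is None:
            problems.append(f"pushed route {lan} has no kernel route")
        elif (vpn, iface) not in nat:
            problems.append(f"no MASQUERADE for {vpn} out of {iface} toward {lan}")
        elif not re.search(rf"FORWARD.*-i tun\d+ -o {iface} -j ACCEPT", script):
            problems.append(f"no FORWARD accept from tun to {iface}")
    return problems
```

The check only covers agreement between the three files; the kernel side, net.ipv4.ip_forward=1, is also required for packets to cross from tun0 to ens18 and is not set by any of the posted files.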