hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Possible to connect multiple VPN clients to each other through the server? #51

Closed ondrejmirtes closed 8 years ago

ondrejmirtes commented 8 years ago

Hi, I used your script and tutorial to install VPN server on my public VPS. I'd like to use it to connect to my homeserver (where I installed VPN client also according to your tutorial) from other clients.

The issue is that each client creates a separate pppX interface on the server with 255.255.255.255 netmask so server can ping them and they can ping the server, but the clients cannot see each other.

Is there anything I can do to fix this issue, is there a different mode supported by IPSec used to connect the clients to each other?

hwdsl2 commented 8 years ago

@ondrejmirtes The VPN clients are assigned IPs starting from 192.168.42.10 within the VPN. The default setup already enables VPN clients to connect to each other. The VPN server will forward traffic among them.

For example, if your home server is assigned 192.168.42.10, other VPN clients can use this IP to connect to it. If unable to connect, check the firewall on your home server. It must allow access from 192.168.42.0/24.

ondrejmirtes commented 8 years ago

Thanks a lot. I can definitely ping between my other devices through the VPN, so the issue will be the firewall on my homeserver. I will let you know after I fix it.

One more issue I'm facing (I realize I'm asking general VPN questions, but you have expertise with the stack I'm using so I'd be glad if you helped me): The client on the homeserver disconnects from the VPN after minutes of inactivity. How can I fix it to be persistent connection? Should I just reconnect after each disconnect or are there any config values I can tune? Is dpdtimeout/dpdaction related to that? Thank you!

hwdsl2 commented 8 years ago

@ondrejmirtes You're welcome. Please check and remove any "idle" options in /etc/ppp/options.xl2tpd.

To auto reconnect, try dpdaction=restart in ipsec.conf [1]. In addition, here's a working configuration for Linux clients using Strongswan [2]. For Strongswan, also see [3] for how to auto restart the connection.

[1] https://libreswan.org/man/ipsec.conf.5.html
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux
[3] https://wiki.strongswan.org/issues/825

ondrejmirtes commented 8 years ago

@hwdsl2 Thank you! One more thing: is there an elegant way to connect to the VPN after boot? AFAIK the first part of the connection is already done (sudo ipsec up XXXX), but the second part (authenticating by echoing to /var/run/... my credentials) is not, and I'm not sure when I can do it so that the connection is already initialized.

hwdsl2 commented 8 years ago

@ondrejmirtes The "echoing to /var/run ..." step can be run a few seconds after the "sudo ipsec up" step. Try using the "sleep" command with e.g. a 10-second delay. Adjust this delay as necessary. You can put those commands in /etc/rc.local.
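The boot-time sequence described in the comment above (ipsec up, wait, then hand the connection to xl2tpd) and the earlier advice to drop "idle" from /etc/ppp/options.xl2tpd and set dpdaction=restart, as one added shell example. This is not code from the setup-ipsec-vpn project or from either participant; the conn name "myvpn", the control-file path /var/run/xl2tpd/l2tp-control and the "IPsec SA established" status phrase are assumptions taken from a typical Libreswan/xl2tpd client setup, so adjust them to match your own client configuration. It polls `ipsec status` for the established SA instead of a fixed `sleep 10`, and warns about the two config settings that cause the inactivity disconnect before connecting.

```shell
#!/bin/sh
# vpn-connect.sh: bring up an IPsec/L2TP client connection at boot.
# Added example; not part of the setup-ipsec-vpn project or this thread.
# Assumptions (adjust to your setup): the IPsec conn in ipsec.conf and the
# L2TP lac in xl2tpd.conf are both named "myvpn", and xl2tpd's control
# file is /var/run/xl2tpd/l2tp-control.
set -u

CONN="${CONN:-myvpn}"
XL2TPD_CONTROL="${XL2TPD_CONTROL:-/var/run/xl2tpd/l2tp-control}"
PPP_OPTIONS="${PPP_OPTIONS:-/etc/ppp/options.xl2tpd}"
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"

# Return 0 if the pppd options file still carries an "idle" option
# (pppd's "idle N" hangs the link up after N seconds without traffic).
has_idle_option() {
    grep -Eq '^[[:space:]]*idle([[:space:]]|$)' "$1"
}

# Return 0 if the named conn in ipsec.conf has dpdaction=restart,
# i.e. IPsec will re-initiate the tunnel when dead peer detection fires.
has_dpd_restart() {
    awk -v conn="$2" '
        /^conn[[:space:]]/ { in_conn = ($2 == conn) }
        in_conn && $0 ~ /^[[:space:]]*dpdaction[[:space:]]*=[[:space:]]*restart/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Read "ipsec status" output on stdin; return 0 once the IPsec SA for the
# conn is up. Libreswan prints "IPsec SA established" on the conn's line
# (assumed phrase; check your own "ipsec status" output).
sa_established() {
    grep -F "\"$1\"" | grep -q 'IPsec SA established'
}

# Poll instead of a fixed sleep: return as soon as the SA is up, give up
# after $2 seconds so a tunnel that never comes up is reported, not ignored.
wait_for_sa() {
    i=0
    while [ "$i" -lt "$2" ]; do
        if ipsec status 2>/dev/null | sa_established "$1"; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

main() {
    if has_idle_option "$PPP_OPTIONS"; then
        echo "warning: $PPP_OPTIONS has an idle option; pppd will drop the link on inactivity" >&2
    fi
    if ! has_dpd_restart "$IPSEC_CONF" "$CONN"; then
        echo "warning: conn $CONN lacks dpdaction=restart; IPsec will not reconnect by itself" >&2
    fi
    ipsec up "$CONN" || exit 1
    wait_for_sa "$CONN" 30 || { echo "IPsec SA for $CONN not established" >&2; exit 1; }
    # Only now start the L2TP/PPP layer over the established tunnel.
    echo "c $CONN" > "$XL2TPD_CONTROL"
}

# Run the connect sequence only when invoked as "vpn-connect.sh connect",
# e.g. from /etc/rc.local; sourcing the file just defines the functions.
if [ "${1:-}" = "connect" ]; then
    main
fi
```

Call it from /etc/rc.local as `/usr/local/bin/vpn-connect.sh connect` (or from a systemd unit that orders itself after ipsec.service and xl2tpd.service). The two warnings are checks, not fixes: edit the files by hand, since the script has no business rewriting ipsec.conf.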