[Question] Subnets routing

[Xplouder]

Greetings!

So I have this network architecture from a very basic ovpn_genconfig generated configs:

openvpn.conf

server 10.10.10.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/192.168.1.24.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/192.168.1.24.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
# push "route 192.168.2.0 255.255.255.0"

### Push Configurations Below
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

ovpn_env.sh

declare -x OVPN_AUTH=
declare -x OVPN_CIPHER=
declare -x OVPN_CLIENT_TO_CLIENT=
declare -x OVPN_CN=192.168.1.24
declare -x OVPN_COMP_LZO=0
declare -x OVPN_DEFROUTE=0
declare -x OVPN_DEVICE=tun
declare -x OVPN_DEVICEN=0
declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=1
declare -x OVPN_DNS=1
declare -x OVPN_DNS_SERVERS=([0]="8.8.8.8" [1]="8.8.4.4")
declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh
declare -x OVPN_EXTRA_CLIENT_CONFIG=()
declare -x OVPN_EXTRA_SERVER_CONFIG=()
declare -x OVPN_FRAGMENT=
declare -x OVPN_KEEPALIVE='10 60'
declare -x OVPN_MTU=
declare -x OVPN_NAT=1
declare -x OVPN_PORT=1194
declare -x OVPN_PROTO=udp
declare -x OVPN_PUSH=()
declare -x OVPN_ROUTES=()
declare -x OVPN_SERVER=10.10.10.0/24
declare -x OVPN_SERVER_URL=udp://192.168.1.24
declare -x OVPN_TLS_CIPHER=

docker-compose.yaml

version: "3.6"

services:
  open-vpn:
    image: kylemanna/openvpn
    ports:
      - "1194:1194/udp"
    cap_add:
      - NET_ADMIN
    volumes:
      - type: bind
        source: ./config
        target: /etc/openvpn
    networks:
      stack_network:

networks:
  stack_network:

volumes:
  ovpn-data:

What I was expecting:

• with the VPN client connected be able to ping at most the VPN gateway 10.10.10.1
• need to add push "route 192.168.2.0 255.255.255.0" to allow the clients "see" 192.168.2.0/24

What I get:

• I can ping VPN gateway and every host of VPN Host Subnets from 192.168.1.0/24, 192.168.2.0/24

Why is this happening? I did not include the IPTable rules, which I did not change from the default ones generated from docker or this image itself but if you feel like you need it to debug too let me know.

Thank you.

[scmanjarrez]

Hi, how exactly are deployed 10.10.10.2, 192.168.1.74 and 192.168.2.10? Are they running in a docker container (if so, are they configured in a docker network)?

[Xplouder]

They are not in the docker network, imagine those 3 as simple machines without docker.

• 10.10.10.2 is a client that points to 192.168.1.24 but could be a domain name, would be the same thing, just for simplicity of the tests both VPN client and VPN gateway are on the same machine that's why I can point directly to private IP.
• 192.168.1.74 and 192.168.2.10 belong to distinct private networks where the VPN host belongs too.

[scmanjarrez]

Check ping routing using traceroute. Could be that *.10.2 is using vpn host to route 192.168.* packages? We have to discard all options.

[Xplouder]

Here is the traceroute from the VPN client. Ignore the 172.30.0.1, I just restarted the docker network and is assigned a new subnet but the previous one which matches the above diagram is 172.28.0.1. So seems like you said, it is using the VPN Host to do the routing... but why? Since my ovpn_genconfig's generated configs are pretty standard.

[scmanjarrez]

Ok, are you using docker default network in your VPN server? or did you create an isolated docker network? I think docker creates iptable rules to forward packages to VPN host when you use the default network (bridge).

[Xplouder]

Updated the original post to include the docker-compose.yaml that I'm using. And yes I have a named network but it is bridged by docker default.

[scmanjarrez]

Looking at your network schema, VPN server doesn't have direct routing to 192.*, so it uses its default route (VPN host), packages go through VPN host and from there, to 192.*. If you don't want that, either change default route of your VPN server or create an explicit iptables rule (VPN host) to drop packages coming from VPN server and pointing to 192.* subnets.