How to set up one OpenVPN client as gateway for others?
I try to set up my OpenVPN network and now I have:
- 10.9.1.1 - server (manjaro linux)
- 10.9.1.8 - client (ubuntu 16.04)
- 10.9.1.12 - client
I want to set 10.9.1.8 as gateway for 10.9.1.12 client.
How to achieve that?
What I have unfortunately done:
- enabled net.ipv4.ip_forward both on 10.9.1.1 and 10.9.1.8
- set up iptables on 10.9.1.1 with:
# Generated by iptables-save v1.6.2 on Fri Apr 27 23:50:30 2018
*mangle
:PREROUTING ACCEPT [110603:60535351]
:INPUT ACCEPT [100907:58448049]
:FORWARD ACCEPT [740:50674]
:OUTPUT ACCEPT [95123:49910955]
:POSTROUTING ACCEPT [95825:49957792]
-A PREROUTING -s 10.9.1.12/32 -i tun0 -j MARK --set-xmark 0xc8/0xffffffff
-A PREROUTING -s 10.9.1.12/32 -i tun0 -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
# Completed on Fri Apr 27 23:50:30 2018
# Generated by iptables-save v1.6.2 on Fri Apr 27 23:50:30 2018
*nat
:PREROUTING ACCEPT [10463:2162687]
:INPUT ACCEPT [1080:96754]
:OUTPUT ACCEPT [2086:138622]
:POSTROUTING ACCEPT [2088:139166]
-A POSTROUTING -m mark --mark 0xc8 -j SNAT --to-source 10.9.1.1
COMMIT
# Completed on Fri Apr 27 23:50:30 2018
# Generated by iptables-save v1.6.2 on Fri Apr 27 23:50:30 2018
*filter
:INPUT ACCEPT [108740:59988331]
:FORWARD ACCEPT [740:50674]
:OUTPUT ACCEPT [102931:52099400]
COMMIT
# Completed on Fri Apr 27 23:50:30 2018
- Set up routes and rules on 10.9.1.1
# ip route show table ovpn
default via 10.9.1.8 dev tun0
# ip rule show
0: from all lookup local
32764: from all fwmark 0xc8 lookup ovpn
32765: from all fwmark 0xc8 lookup ovpn
32766: from all lookup main
32767: from all lookup default
- Masquerading on 10.9.1.8
*nat
-A POSTROUTING -s 10.9.1.0/24 -o eth0 -j MASQUERADE
But when I connect 10.9.1.12 and make ping 8.8.8.8 I have this into tcp_dump:
00:01:58.643578 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2073, seq 1, length 64
00:02:00.680303 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2074, seq 1, length 64
00:02:00.680377 Out 10.9.1.1 > 10.9.1.12: ICMP time exceeded in-transit, length 92
00:02:00.695581 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2075, seq 1, length 64
00:02:00.695621 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2075, seq 1, length 64
00:02:02.727047 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2076, seq 1, length 64
00:02:02.727106 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2076, seq 1, length 64
00:02:04.764913 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2077, seq 1, length 64
00:02:04.764969 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2077, seq 1, length 64
00:02:06.798658 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2078, seq 1, length 64
00:02:06.798719 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2078, seq 1, length 64
00:02:08.820212 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2079, seq 1, length 64
00:02:08.820269 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2079, seq 1, length 64
00:02:10.844821 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2080, seq 1, length 64
00:02:10.844878 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2080, seq 1, length 64
and 100% lost packages.
linux networking routing openvpn gateway
asked Apr 28 at 7:17
bvn13
Your network looks wrong. Your OpenVPN client and server would usually be on different networks. You then use a third network for OpenVPN to join them. This third network cannot be used elsewhere in your network. Your third machine should be on the same LAN network as the second but this cannot be the same as the OpenVPN network.
– roaima Apr 28 at 7:34
@roaima I haven't parsed your comment. Could you explain it?
– bvn13 Apr 28 at 8:04
You need three networks. (1) For the server (2) For the client LAN, which both client machines must be on (3) For OpenVPN between the server and its client. // You appear to be trying to use the same network 10.9.1 for everything and that cannot work.
– roaima Apr 28 at 8:42
@roaima could you give me an example of networks described by you?
– bvn13 Apr 28 at 11:09
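Reading the capture in the question mechanically, as an added example (not code from the original post or its comments): this Python script pairs each echo request arriving from 10.9.1.12 with the copy the server sends on, and reports whether any echo reply or ICMP error came back. The function names are illustrative, and the parser assumes the tcpdump line format shown in the question.

```python
import re

# First seven lines of the capture posted in the question (In/Out = direction).
CAPTURE = """\
00:01:58.643578 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2073, seq 1, length 64
00:02:00.680303 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2074, seq 1, length 64
00:02:00.680377 Out 10.9.1.1 > 10.9.1.12: ICMP time exceeded in-transit, length 92
00:02:00.695581 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2075, seq 1, length 64
00:02:00.695621 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2075, seq 1, length 64
00:02:02.727047 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2076, seq 1, length 64
00:02:02.727106 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2076, seq 1, length 64
"""

LINE = re.compile(r"^\S+\s+(?P<dir>In|Out)\s+(?P<src>\S+) > (?P<dst>[^:]+): ICMP (?P<what>.+)$")
ECHO = re.compile(r"echo (?P<kind>request|reply), id (?P<id>\d+),")


def correlate(capture, client="10.9.1.12"):
    """Group ICMP echo traffic by id; collect ICMP errors sent to the client."""
    flows, errors = {}, []
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ICMP line in the expected format
        e = ECHO.search(m["what"])
        if e is None:
            if m["dst"] == client:
                errors.append((m["src"], m["what"].split(",")[0]))
            continue
        flow = flows.setdefault(int(e["id"]), {"in": False, "out_src": None, "reply": False})
        if e["kind"] == "reply":
            flow["reply"] = True
        elif m["dir"] == "In" and m["src"] == client:
            flow["in"] = True
        elif m["dir"] == "Out":
            flow["out_src"] = m["src"]  # source address as forwarded (after any NAT)
    return flows, errors


def summarize(capture, client="10.9.1.12"):
    """Reduce the correlation to the facts needed to locate the drop."""
    flows, errors = correlate(capture, client)
    sent = {f["out_src"] for f in flows.values() if f["out_src"]}
    return {
        "not_forwarded": sorted(i for i, f in flows.items() if f["in"] and not f["out_src"]),
        "forwarded": sorted(i for i, f in flows.items() if f["out_src"]),
        "rewritten_src": sorted(sent - {client}),
        "answered": sorted(i for i, f in flows.items() if f["reply"]),
        "errors": errors,
    }


if __name__ == "__main__":
    print(summarize(CAPTURE))
```

On these lines the forwarded requests leave with source 10.9.1.1, which matches the SNAT rule on 10.9.1.1, and no echo reply appears for any id.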