How to set up one OpenVPN client as gateway for others?

I am trying to set up my OpenVPN network and now I have:



  • 10.9.1.1 - server (manjaro linux)

  • 10.9.1.8 - client (ubuntu 16.04)

  • 10.9.1.12 - client

I want to set 10.9.1.8 as the gateway for the 10.9.1.12 client.



How can I achieve that?



What I have unfortunately done:



  1. enabled net.ipv4.ip_forward on both 10.9.1.1 and 10.9.1.8

  2. set up iptables on 10.9.1.1 with:



# Generated by iptables-save v1.6.2 on Fri Apr 27 23:50:30 2018
*mangle
:PREROUTING ACCEPT [110603:60535351]
:INPUT ACCEPT [100907:58448049]
:FORWARD ACCEPT [740:50674]
:OUTPUT ACCEPT [95123:49910955]
:POSTROUTING ACCEPT [95825:49957792]
-A PREROUTING -s 10.9.1.12/32 -i tun0 -j MARK --set-xmark 0xc8/0xffffffff
-A PREROUTING -s 10.9.1.12/32 -i tun0 -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
# Completed on Fri Apr 27 23:50:30 2018
# Generated by iptables-save v1.6.2 on Fri Apr 27 23:50:30 2018
*nat
:PREROUTING ACCEPT [10463:2162687]
:INPUT ACCEPT [1080:96754]
:OUTPUT ACCEPT [2086:138622]
:POSTROUTING ACCEPT [2088:139166]
-A POSTROUTING -m mark --mark 0xc8 -j SNAT --to-source 10.9.1.1
COMMIT
# Completed on Fri Apr 27 23:50:30 2018
# Generated by iptables-save v1.6.2 on Fri Apr 27 23:50:30 2018
*filter
:INPUT ACCEPT [108740:59988331]
:FORWARD ACCEPT [740:50674]
:OUTPUT ACCEPT [102931:52099400]
COMMIT
# Completed on Fri Apr 27 23:50:30 2018



  3. Set up routes and rules on 10.9.1.1


# ip route show table ovpn
default via 10.9.1.8 dev tun0

# ip rule show
0: from all lookup local
32764: from all fwmark 0xc8 lookup ovpn
32765: from all fwmark 0xc8 lookup ovpn
32766: from all lookup main
32767: from all lookup default


  4. Masquerading on 10.9.1.8


*nat
-A POSTROUTING -s 10.9.1.0/24 -o eth0 -j MASQUERADE


But when I connect 10.9.1.12 and ping 8.8.8.8 I see this in tcpdump:




00:01:58.643578 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2073, seq 1, length 64
00:02:00.680303 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2074, seq 1, length 64
00:02:00.680377 Out 10.9.1.1 > 10.9.1.12: ICMP time exceeded in-transit, length 92
00:02:00.695581 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2075, seq 1, length 64
00:02:00.695621 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2075, seq 1, length 64
00:02:02.727047 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2076, seq 1, length 64
00:02:02.727106 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2076, seq 1, length 64
00:02:04.764913 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2077, seq 1, length 64
00:02:04.764969 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2077, seq 1, length 64
00:02:06.798658 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2078, seq 1, length 64
00:02:06.798719 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2078, seq 1, length 64
00:02:08.820212 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2079, seq 1, length 64
00:02:08.820269 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2079, seq 1, length 64
00:02:10.844821 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2080, seq 1, length 64
00:02:10.844878 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2080, seq 1, length 64


and 100% packet loss.








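One way to read that capture, as an added example that is not part of the question or of any answer: a small parser for tcpdump lines in the shape shown above that counts what arrived from 10.9.1.12, what left again with the SNAT source 10.9.1.1, and the "time exceeded" messages the server itself generated. The function names and the embedded sample lines are constructed for this example; the point of the last counter is that a host only emits ICMP time exceeded when it decrements a packet's TTL to zero, so a fresh ping dying at its first hop has been forwarded in a loop rather than dropped upstream.

```python
import re

# Constructed sample: lines in the shape of the tcpdump excerpt in the question
# (captured on the OpenVPN server 10.9.1.1 while client 10.9.1.12 pings 8.8.8.8).
SAMPLE_CAPTURE = """\
00:01:58.643578 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2073, seq 1, length 64
00:02:00.680303 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2074, seq 1, length 64
00:02:00.680377 Out 10.9.1.1 > 10.9.1.12: ICMP time exceeded in-transit, length 92
00:02:00.695581 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2075, seq 1, length 64
00:02:00.695621 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2075, seq 1, length 64
00:02:02.727047 In 10.9.1.12 > 8.8.8.8: ICMP echo request, id 2076, seq 1, length 64
00:02:02.727106 Out 10.9.1.1 > 8.8.8.8: ICMP echo request, id 2076, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out) (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP "
    r"(?P<kind>echo request|echo reply|time exceeded in-transit)"
    r"(?:, id (?P<id>\d+), seq (?P<seq>\d+))?, length (?P<len>\d+)$"
)


def parse_capture(text):
    """Turn ICMP lines of the capture into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def diagnose_forwarding(packets, server, client):
    """Summarise what a capture taken on `server` says about forwarding for `client`.

    forwarded: echo requests re-sent with the server's address as source, so the
               SNAT rule matched and the kernel did route the packet onwards.
    ttl_exceeded_from_server: "time exceeded" the server itself sent back to the
               client. A host only emits this when it decrements a packet's TTL
               to zero; a ping that started with TTL 64 can only get there if it
               has been forwarded round in circles, so this counter is the
               signature of a routing loop, not of an upstream drop.
    """
    stats = {"requests": 0, "forwarded": 0, "replies": 0,
             "ttl_exceeded_from_server": 0}
    request_ids = set()
    for p in packets:
        is_req = p["kind"] == "echo request"
        if is_req and p["dir"] == "In" and p["src"] == client:
            stats["requests"] += 1
            request_ids.add(p["id"])
        elif is_req and p["dir"] == "Out" and p["src"] == server and p["id"] in request_ids:
            stats["forwarded"] += 1
        elif p["kind"] == "echo reply" and p["dst"] == client:
            stats["replies"] += 1
        elif p["kind"].startswith("time exceeded") and p["src"] == server and p["dst"] == client:
            stats["ttl_exceeded_from_server"] += 1
    req = stats["requests"]
    stats["loss_pct"] = round(100.0 * (req - stats["replies"]) / req, 1) if req else 0.0
    stats["routing_loop_suspected"] = stats["ttl_exceeded_from_server"] > 0
    return stats
```

On the sample above the result is 4 requests in, 2 forwarded with the SNAT source, 0 replies, and one time-exceeded from the server, so the loss is reported as a loop rather than as the upstream silently dropping the NATed packets.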
  • Your network looks wrong. Your OpenVPN client and server would usually be on different networks. You then use a third network for OpenVPN to join them. This third network cannot be used elsewhere in your network. Your third machine should be on the same LAN network as the second but this cannot be the same as the OpenVPN network.
    – roaima
    Apr 28 at 7:34

  • @roaima I haven't parsed your comment. Could you explain it?
    – bvn13
    Apr 28 at 8:04

  • You need three networks. (1) For the server (2) For the client LAN, which both client machines must be on (3) For OpenVPN between the server and its client. // You appear to be trying to use the same network 10.9.1 for everything and that cannot work.
    – roaima
    Apr 28 at 8:42

  • @roaima could you give me an example of networks described by you?
    – bvn13
    Apr 28 at 11:09














asked Apr 28 at 7:17
bvn13






