OpenVPN - need help with routing

Hello everybody! :slight_smile: Looks like I need help with OpenVPN tuning… The situation is: we have a Debian-based (software) OpenVPN server and a Turris Omnia as a VPN client. There are 2 networks - the network behind the VPN server is 192.168.12.0/24 and the network 192.168.8.0/24 is behind Turris. So this is the config of the VPN server:
port 1194
proto udp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh2048.pem

server 192.168.6.0 255.255.255.0 #tunnel network
ifconfig-pool-persist /var/log/ipp.txt
push "route 192.168.12.0 255.255.255.0" #network behind server

client-config-dir /etc/openvpn/ccd
route 192.168.8.0 255.255.255.0 #network behind client

;client-to-client
keepalive 5 120

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn-status.log

log-append /var/log/openvpn.log
verb 0

mute 20
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

sndbuf 0
rcvbuf 0
push "sndbuf 393216"
push "rcvbuf 393216"

So the connection is OK but there are problems with routing. Clients from the networks 192.168.8.0/24 and 192.168.12.0/24 don't see each other. Should I add some routes manually on Turris Omnia? Thank you for the advice :wink:

I’m not sure if it will be sufficient, but for sure you’ll need to set “internal routes” (option iroute) for the two networks. See the openVPN documentation for that (you’ll need client-specific configuration for the two gateways which are connected, which will land in ccd).
Either way, I had a similar set up and I also added manual routing afterwards.

Can you send your config to me if possible? I want to compare… Thank you :slight_smile:

My main configuration is here: Openvpn client AND server at the same time?

Server is on 192.168.10.0/24 and client on 192.168.20.0/24: both are Omnias.

For the ccd bit, I have, on the server, for the client

# cat /etc/openvpn/ccd/client
iroute 192.168.20.0 255.255.255.0

I also set a static route for the clients in /etc/config/network, on the server:

config route
        option interface 'lan'
        option target '192.168.20.0'
        option netmask '255.255.255.0'
        option gateway '10.8.4.4' # VPN IP of the client

The client has a similar configuration:

config route
        option interface 'lan'
        option target '192.168.10.0'
        option netmask '255.255.255.0'
        option gateway '10.8.4.1' # VPN IP of the server

Also, make sure you have masquerading enabled for your VPN interfaces.

Excuse me - this part is very important as I can see:

cat /etc/openvpn/ccd/client

iroute 192.168.20.0 255.255.255.0

Should I give the name 'client' to this file? Is it a strict requirement? I named it 'turris' and the tunnel is not working…

It needs to be the exact name you have given to your client certificate (so if your client is named “client1” and uses “client1.crt”, it should be “client1”). The openVPN reference on client-specific configuration will help.
It may also help if you debug things by running openvpn in the console against the configuration file, so that you'll see the output on screen.

This may also help: https://serverfault.com/questions/593314/openvpn-routing-for-lan-to-lan-through-tun
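As an added example (not from this thread or from OpenVPN itself), here is a small POSIX shell check that ties together the two answers above: a LAN behind a client needs both a `route` in the server config (so the server kernel sends packets into tun0) and an `iroute` in a client-config-dir file named exactly after the client certificate's Common Name (so OpenVPN knows which client owns that LAN). The script builds a constructed sample lab in a temporary directory, with the assumed CN "turris" and a deliberate mismatch on each side, and reports every route without an iroute, every iroute without a route, and any LAN claimed by more than one client.

```shell
#!/bin/sh
# Added example (not the thread's own config): cross-check an OpenVPN server
# config against its client-config-dir. A LAN behind a client needs both:
#   route  <net> <mask>   in server.conf  -> the kernel sends packets to tun0
#   iroute <net> <mask>   in ccd/<CN>     -> OpenVPN knows which client owns it
# The ccd file name must equal the client certificate's Common Name
# (inspect it with: openssl x509 -noout -subject -in client.crt).
# All files below are constructed for this demo; the CN "turris" is assumed.

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
mkdir -p "$LAB/ccd"
cat > "$LAB/server.conf" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
server 192.168.2.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"   # LAN behind the server
client-config-dir ccd
route 192.168.1.0 255.255.255.0            # LAN behind client "turris"
route 192.168.8.0 255.255.255.0            # LAN nobody claims via iroute (bug)
EOF
printf 'iroute 192.168.1.0 255.255.255.0\n'  > "$LAB/ccd/turris"
printf 'iroute 192.168.20.0 255.255.255.0\n' > "$LAB/ccd/client1"   # no kernel route (bug)

# Usage: check_openvpn_routes <server.conf> <ccd-dir>
# Prints one finding per line; prints nothing when routes and iroutes agree.
check_openvpn_routes() {
    conf=$1
    ccd=$2
    # "net/mask" for every route the server kernel will send into the tunnel
    routes=$(awk '$1 == "route" { print $2 "/" $3 }' "$conf")

    # 1) every kernel route must be claimed by exactly one client iroute,
    #    otherwise OpenVPN drops the packet because it has no owner
    for net in $routes; do
        n=$(grep -lxF "iroute ${net%/*} ${net#*/}" "$ccd"/* 2>/dev/null | wc -l | tr -d ' ')
        [ "$n" -eq 0 ] && echo "MISSING_IROUTE $net"
        [ "$n" -gt 1 ] && echo "DUPLICATE_IROUTE $net"
    done

    # 2) every client iroute needs a kernel route, or replies never reach tun0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        awk -v cn="$(basename "$f")" '$1 == "iroute" { print cn, $2 "/" $3 }' "$f"
    done | while read -r cn net; do
        printf '%s\n' "$routes" | grep -qxF "$net" || echo "MISSING_ROUTE $net (ccd/$cn)"
    done
    return 0
}

check_openvpn_routes "$LAB/server.conf" "$LAB/ccd"
```

Run against a real server, point the function at `/etc/openvpn/server.conf` and `/etc/openvpn/ccd`; an empty result means the server side is consistent, and the remaining suspects are the kernel routes and the firewall forwarding on the two gateways.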

I am very sorry for disturbing you, but something is going wrong… The scheme now is: 192.168.1.0/24 <—> Turris (192.168.1.10) <-----------> Debian (VPN server, 192.168.10.10, real_IP) <—> 192.168.10.0/24

This is my OpenVPN server config (Debian 9):
port 1194
proto udp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret

dh /etc/openvpn/server/dh1024.pem

server 192.168.2.0 255.255.255.0 #tunnel network
ifconfig-pool-persist /var/log/ipp.txt
push "route 192.168.10.0 255.255.255.0" #network behind VPN server

client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0 #network behind VPN client (Turris)

keepalive 5 120

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn-status.log

log-append /var/log/openvpn.log
verb 0

Content of /etc/openvpn/ccd/turris:
iroute 192.168.1.0 255.255.255.0

I’ve already copied all necessary certificates to Turris (this is Turris client config):
config openvpn sample_client
option enabled 1
option client 1
option dev tun
option proto udp
list remote "real_IP_of_Debian_VPN_server 1194"
option resolv_retry infinite
option nobind 1
option persist_key 1
option persist_tun 1
option user nobody
option ca /etc/openvpn/ca.crt
option cert /etc/openvpn/turris.crt #name of client cert is turris
option key /etc/openvpn/turris.key #name of client key is turris
option comp_lzo yes
option verb 3

So tunnel exists but I can’t ping from network 192.168.1.0/24 to network 192.168.10.0/24 (and in reverse direction also).

Can you try setting up static routes? At least the server and the client should see the networks, but machines in the networks have no idea on how to send data back (unless you set up routing, see above for what I did).

No, just these options in the config. I mean - iroute and push route. Can you tell me what exactly I should set up in my case? We shouldn't add any routes on the office machines (route add).

You don’t need routes on the machines, but just on the gateways.

# on Turris, with IP 192.168.1.10
ip route add 192.168.10.0/24 via $DEBIAN_VPN_IP

# on Debian, with IP 192.168.10.10
ip route add 192.168.1.0/24 via $TURRIS_VPN_IP

Substitute the two IPs for the ones you get after the tunnel is established. You can also add client-to-client in the openVPN server config to see if it helps.
Also, did you set up masquerading for the VPN interfaces (I assume yes)?

Yes, Turris is a gateway (all the machines behind it have Internet access). The same with the Debian gateway (OpenVPN server). First of all - this is the output of the route command on Turris:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         static-real_IP  0.0.0.0         UG    0      0        0 eth1
real_IP         *               255.255.255.252 U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.1     192.168.2.5     255.255.255.255 UGH   0      0        0 tun0
192.168.2.5     *               255.255.255.255 UH    0      0        0 tun0
192.168.10.0    192.168.2.5     255.255.255.0   UG    0      0        0 tun0

and its network interface tun:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.2.6  P-t-P:192.168.2.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2124 (2.0 KiB)  TX bytes:1316 (1.2 KiB)

So I tried to add the route (as you advised) - the result is bad:

root@turris:/etc/openvpn# ip route add 192.168.10.0/24 via 192.168.2.1
RTNETLINK answers: Network unreachable

Here is a ping from Turris to the network behind Debian, it's OK:

root@turris:/etc/openvpn# ping 192.168.10.5
PING 192.168.10.5 (192.168.10.5): 56 data bytes
64 bytes from 192.168.10.5: seq=0 ttl=127 time=4.321 ms
64 bytes from 192.168.10.5: seq=1 ttl=127 time=3.863 ms
64 bytes from 192.168.10.5: seq=2 ttl=127 time=8.588 ms

Now please look at the Debian side (VPN server):
route:

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         real_gateway_IP 0.0.0.0         UG    0      0        0 ens192
localnet        0.0.0.0         255.255.255.224 U     0      0        0 ens192
192.168.1.0     192.168.2.2     255.255.255.0   UG    0      0        0 tun0
192.168.2.0     192.168.2.2     255.255.255.0   UG    0      0        0 tun0
192.168.2.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 ens224

Network interface of the VPN server:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.2.1  netmask 255.255.255.255  destination 192.168.2.2
        inet6 fe80::6a8:621b:55fd:a4d0  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 20  bytes 1820 (1.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46  bytes 2928 (2.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And the same thing when trying to add a route:
root@openvpn:/home/garett# ip route add 192.168.1.0/24 via 192.168.2.6
RTNETLINK answers: Network is unreachable

But there is a difference - a ping from Debian to the network 192.168.1.0/24 (behind Turris) fails:
ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
From 192.168.2.6 icmp_seq=1 Destination Port Unreachable
From 192.168.2.6 icmp_seq=2 Destination Port Unreachable
From 192.168.2.6 icmp_seq=3 Destination Port Unreachable

Please help :frowning: I have no idea what is wrong with the configuration…

What's the output of iptables -t nat -L on the Debian machine?
I remember having the same issues (one network worked, the other didn’t) but my memory is a bit fuzzy…

Uhm… did you set topology subnet in the openVPN server, as well? If it’s 2.4 it’s default, but < 2.4 don’t have that option as default, IIRC.

This is file /etc/iptables.rules:

cat /etc/iptables.rules
*filter
COMMIT
*nat
-A POSTROUTING -s 192.168.10.0/24 -o ens192 -j MASQUERADE
COMMIT

It is loaded from /etc/network/interfaces:

pre-up iptables-restore < /etc/iptables.rules

Not sure :slight_smile: How can I check it?

I didn’t see it specified in your configuration file. Which of the two machines is acting as server?

Debian is VPN server

Then, try slapping topology subnet in the configuration file, and restart the server.
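As an added illustration (not the thread's own config), here are the two topology settings side by side. Under the historical default `topology net30`, each client gets its own /30, which matches the Turris route table above: 192.168.2.5 is the point-to-point peer and 192.168.2.1 is only reachable as a host route via it, so `ip route add ... via 192.168.2.1` is rejected with "Network unreachable" because that gateway is not on-link. With `topology subnet`, the server and all clients share one /24 on tun0, so the VPN addresses used in the `ip route add ... via` commands above are directly reachable. The addresses are the ones from this thread; the ccd path is assumed.

```conf
# Added example, not the thread's own config: server-side topology choice.
# Historical default: one /30 per client, server tun address reachable only
# through the client's own point-to-point peer (the .5/.6 pair seen above).
#   topology net30
# Preferred: one shared /24 on tun0 for the server and every client.
topology subnet
server 192.168.2.0 255.255.255.0

# LAN behind the server, pushed to clients
push "route 192.168.10.0 255.255.255.0"

# LAN behind the Turris client: kernel route on the server ...
route 192.168.1.0 255.255.255.0
# ... plus the OpenVPN-internal route in the ccd file named after the
# client's certificate CN, e.g. /etc/openvpn/ccd/<CN> containing:
#   iroute 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
```

Restart the server after changing topology; the interface output that follows in the thread shows the effect (the tun0 netmask becomes 255.255.255.0 instead of a /32 point-to-point address).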

Hello again, I added topology subnet and now interface tun0 (Debian, VPN server) looks like:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.2.1  netmask 255.255.255.0  destination 192.168.2.1
        inet6 fe80::7001:ebe3:6059:ae77  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100

But, anyway, the situation is the same. Turris sees Debian and the clients behind Debian, but Debian sees just Turris and not the clients behind it. What do you think - maybe I can build a test VM (also Debian-based) as an OpenVPN client with the same configuration and the same certificates to compare? It seems to me that something is wrong with Turris…
P.S. Looks like I forgot about config route - I will try to configure this section:
config route
        option interface 'sample_client'
        option target '192.168.1.0'
        option netmask '255.255.255.0'
        option gateway '192.168.2.4' # VPN IP of the client
Is it correct in my case?

I’m afraid I’m out of options, mainly because I don’t remember what I did back in the day. You may want to ask this question on Unix stack exchange, Super User, or the openVPN forums. If you do though, please post a link here so that other people interested in this can follow the trail.