OpenVPN - Routing from Server to Client

To push routes from the server to a client.


Allow IP Forwarding

The machine that is going to function as the egress point to the Internet has to be configured to allow IPv4 forwarding.

In /etc/sysctl.conf, set net.ipv4.ip_forward to 1.

/etc/sysctl.conf
net.ipv4.ip_forward=1

Allow Masquerading

This allows packets forwarded from the internal network to the Internet to have their source address rewritten to the egress point's external IP address.

The following firewall rules are needed:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP

NOTE:

  • eth0 is the egress interface.
  • tun0 is the internal interface.
  • The first rule causes traffic outbound on the egress interface to be masqueraded (NAT).
  • The second rule causes inbound traffic going from the egress interface to the internal interface to be accepted if it’s part of an established or related connection (i.e., reply packets coming back).
  • The third rule causes packets destined to be forwarded from the internal interface to the egress interface to be accepted.
  • The last two rules log and then drop anything else.

OpenVPN Server Configuration

The OpenVPN Server needs to be told what routes should be directed into the tun adapter.

In /etc/config/openvpn, add the following:

/etc/config/openvpn
list route '123.123.123.123 255.255.255.255'
list route '234.234.234.234 255.255.255.255'

NOTE: When OpenVPN is restarted, it will automatically put the correct entries in your router’s routing table to direct traffic to those IPs out your tun adapter.


OpenVPN Client Configuration (on server)

If OpenVPN receives traffic on the tun adapter for those IPs, it doesn’t know which connected client should receive the packets and so it drops them.

You will also need iroutes for those networks in the client configuration directives for your client.

/etc/config/openvpn
iroute 123.123.123.123 255.255.255.255
iroute 234.234.234.234 255.255.255.255

NOTE: Restart OpenVPN and connect to it.


Testing

Check that you can ping one of the routes you’ve added.

ping 123.123.123.123

NOTE: If the ping works:

  • This tells you that packets are hitting your server (which could be the router) and are being redirected into OpenVPN.
  • OpenVPN is passing them down the tunnel and they’re emerging at the tun interface on your client.
    • If you don’t see the packets landing on the tun interface:
      • Check your firewall log on the client and make sure your firewall rules are fine.
      • Check the logs on your server (router).

If the ping fails:

  • Check that the traffic is actually getting routed.
  • Examine the routing table on the server (which could be the router) and see if the route is listed.
    • Assuming it is, on your client end, run the following:
      tcpdump -i tun0
  • If packets are being dropped, examine /tmp/openvpn.status and make sure that the route is listed in the OpenVPN routing table.
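The last check above (is the route listed in /tmp/openvpn.status?) can be scripted. The following is an added example, not part of the original page: it reads the ROUTING TABLE section of an OpenVPN status file (status-version 1 layout) and reports which connected client owns each pushed route, so a route with no iroute owner is caught before you wonder why pings vanish. The sample status file content and the function names are constructed for this example; point it at /tmp/openvpn.status on the server to use it for real.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumes the status-version 1
# layout OpenVPN writes: a CLIENT LIST, then a ROUTING TABLE, then END.

# Constructed sample status file (not captured from a real server).
# 123.123.123.123 has an iroute owner (client1); 234.234.234.234 does not.
write_sample_status() {
  cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan 1 00:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.7:1194,1024,2048,Mon Jan 1 00:00:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,198.51.100.7:1194,Mon Jan 1 00:00:00 2024
123.123.123.123,client1,198.51.100.7:1194,Mon Jan 1 00:00:00 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Print the common name of the client owning a virtual address; return 1 if
# no entry in the ROUTING TABLE section claims it. Network iroutes appear as
# "addr/bitsC", so a trailing C and a /32 are stripped before comparing.
client_for_route() {
  awk -F, -v want="$1" '
    /^ROUTING TABLE/ { in_rt = 1; next }
    /^GLOBAL STATS/  { in_rt = 0 }
    in_rt { a = $1; sub(/C$/, "", a); sub(/\/32$/, "", a)
            if (a == want) { print $2; found = 1 } }
    END { exit found ? 0 : 1 }
  ' "$2"
}

# Check each pushed route (the IPs from "list route") against the status
# file; any route without an owner is exactly the case OpenVPN drops.
check_routes() {
  status="$1"; shift
  rc=0
  for ip in "$@"; do
    if owner=$(client_for_route "$ip" "$status"); then
      echo "route $ip -> client $owner"
    else
      echo "route $ip has no iroute owner: OpenVPN will drop it" >&2
      rc=1
    fi
  done
  return $rc
}
```

Run it as `check_routes /tmp/openvpn.status 123.123.123.123 234.234.234.234` on the server; a non-zero exit means at least one pushed route has no matching iroute on a connected client.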