To push routes from the server to a client.
The machine that will function as the egress point to the Internet (the OpenVPN client through which the selected destinations are routed) has to be configured to allow IPv4 forwarding.
In /etc/sysctl.conf, set net.ipv4.ip_forward to 1:
net.ipv4.ip_forward=1
Forwarding lets packets that arrive on the tun adapter be passed on to the Internet-facing interface. On its own it does not rewrite addresses; the MASQUERADE rule below is what re-tags those packets with the egress point's external IP address so that replies come back to it.
The following firewall rules are needed (eth0 is the Internet-facing interface, tun0 is the VPN adapter; the echo applies the forwarding setting immediately, without a reboot):
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE    # rewrite the source address of traffic leaving eth0
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT    # replies back into the tunnel
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT    # new connections from the tunnel out to the Internet
iptables -A FORWARD -j LOG    # log anything else that tries to be forwarded
iptables -A FORWARD -j DROP    # and drop it
NOTE: The OpenVPN server needs to be told which destinations should be directed into the tun adapter.
In /etc/config/openvpn, add the following to the server's section:
list route '123.123.123.123 255.255.255.255'
list route '234.234.234.234 255.255.255.255'
NOTE: When OpenVPN is restarted, it will automatically add the matching entries to your router's routing table so that traffic for those IPs is sent out the tun adapter.
A route alone is not enough. When OpenVPN receives traffic on the tun adapter for those IPs, it does not know which connected client is behind them, so it drops the packets.
You will also need iroutes for those destinations in the client-config-dir file for the egress client (the file is named after the client certificate's common name):
iroute 123.123.123.123 255.255.255.255
iroute 234.234.234.234 255.255.255.255
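The route/iroute pairing above is easy to get half right, and a destination with a route but no iroute fails silently. The script below is an added example, not part of the original page or of OpenWrt's own tooling: it reads the 'list route' entries from a UCI-style /etc/config/openvpn, reads the 'iroute' lines from every file in a client-config-dir, and reports any routed destination that no client claims. The file paths are passed in as arguments, and the sample config and ccd file built by make_sample are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: a consistency check for the
# route/iroute pairing. Every "list route" in the server's /etc/config/openvpn
# must be matched by an "iroute" in some client-config-dir (ccd) file, or the
# server drops traffic for that destination.

# Print "NET MASK" for every "list route 'NET MASK'" line in a UCI openvpn
# config (the /etc/config/openvpn format used by OpenWrt).
uci_routes() {
    awk -F"'" '$1 ~ /^[ \t]*list[ \t]+route[ \t]*$/ { print $2 }' "$1"
}

# Print "NET MASK" for every "iroute NET MASK" line in any file of a ccd dir.
ccd_iroutes() {
    cat "$1"/* 2>/dev/null | awk '$1 == "iroute" { print $2, $3 }'
}

# Print each routed destination that no ccd file claims with an iroute.
# Exit status 1 if anything is missing, 0 if every route has an iroute.
missing_iroutes() {
    cfg=$1
    ccd=$2
    {
        ccd_iroutes "$ccd" | sed 's/^/I /'   # "I NET MASK": an iroute we have
        uci_routes "$cfg"  | sed 's/^/R /'   # "R NET MASK": a route we need
    } | awk '
        $1 == "I" { have[$2 " " $3] = 1; next }
        $1 == "R" && !(($2 " " $3) in have) { print $2, $3; n++ }
        END { exit n > 0 }'
}

# Build a constructed sample in a temporary directory: the two routes from
# the page, but only one of them has an iroute. Prints the directory name.
# (OpenWrt's init script maps UCI option names to OpenVPN options by replacing
# "_" with "-", so client_config_dir becomes --client-config-dir; the
# /etc/openvpn/ccd path is an assumption for this example.)
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ccd"
    cat > "$dir/openvpn" <<'EOF'
config openvpn 'myvpn'
    option enabled '1'
    option dev 'tun0'
    option client_config_dir '/etc/openvpn/ccd'
    list route '123.123.123.123 255.255.255.255'
    list route '234.234.234.234 255.255.255.255'
EOF
    # ccd file named after the egress client's certificate common name
    cat > "$dir/ccd/egress-client" <<'EOF'
iroute 123.123.123.123 255.255.255.255
EOF
    echo "$dir"
}

# Demonstration run against the constructed sample.
sample=$(make_sample)
if missing_iroutes "$sample/openvpn" "$sample/ccd"; then
    echo "every route has an iroute"
else
    echo "the destinations above have a route but no iroute; add them to the ccd file"
fi
rm -rf "$sample"
```

On a real router, run it as `missing_iroutes /etc/config/openvpn /etc/openvpn/ccd` before restarting OpenVPN; the check is deliberately read-only, since which client should own a destination is a decision, not something to derive automatically.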
NOTE: Restart OpenVPN on the server and connect to it from the egress client.
Check that you can ping one of the routes you’ve added.
ping 123.123.123.123
NOTE: If the ping works:
If the ping fails, run tcpdump on the server's tun adapter while pinging to see whether the packets are entering the tunnel at all; if they are, repeat on the egress client's tun0 and eth0 to find where they stop:
tcpdump -i tun0