Possible to link separate private networks over vpn?
I know that openvpn is working. From a third computer I can connect to it and communicate with the external private network, plus I can communicate with the linode running the openvpn client.
What I can not seem to get to work is communicate with two other linodes. Is this due to ip filtering on the back-end network? Is there any way around it? Or do I need to make each linode a client on the vpn? I would really like to have only one linode with its public ip address open to the vpn, and the other two use the back-end network to talk to the first one and use its openvpn link to talk to servers on the second private network.
Hope this is clear, let me know what other information may be helpful (iptables rules, routes, openvpn configuration).
Is it possible to use one linode as the vpn client and let the second linode route through the first linode, to communicate with the servers behind the openvpn server? Or does the private backend network filter out that type of traffic?
It's like trying to describe specific colors without using any real-world examples.
I'm guessing that you have routing messed up, routing can get pretty messy in situations like this. Or maybe iptables is dropping something.
Tcpdump will tell you what's actually happening.
Linode A:
  Private IP: 192.168.133.?/17
Linode B:
  Public IP: ?
  Private IP: 192.168.173.?/17
  VPN IP: 10.8.0.14
Server C:
  Private IP: 192.168.100.8
OpenVPN Client D:
  VPN IP: 10.8.0.26
OpenVPN Server E:
  Private IP: 192.168.100.1
  Public IP: ?
  VPN IP: 10.8.0.2

B--A
|
E--C
|
D
The above diagram did not show up correctly when posted. I have edited it, in hopes of clarifying it.
The VPN works fine for B, D, and C. They all communicate with each other very well.
And B and A communicate just fine over the private network also.
Neither D, C, nor E can ping A.
Tcpdump shows this, when run on B (the linode acting as an openvpn client), and when pinging from Server C.
tcpdump -i eth0 dst 192.168.133.?
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:06:41.916006 IP 192.168.100.8 > 192.168.133.?: ICMP echo request, id 28644, seq 5, length 64
09:06:42.916257 IP 192.168.100.8 > 192.168.133.?: ICMP echo request, id 28644, seq 6, length 64
I get the ICMP packet leaving the linode, but no response from the second linode. And on the second linode, Linode A (which is communicating over its private IP), tcpdump does not see any ICMP packet coming in.
tcpdump -i eth0 dst 192.168.133.?
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Other traffic, between A and B, shows up in tcpdump, but nothing coming from the VPN.
Anyway, hope this helps.
I think it would be much simpler if you just make everyone connect to the VPN server. Then they can all see each other via their VPN IPs with no special forwarding or routing required. I can't really see a downside - why don't you want to go this route (forgive the pun)?
many VMs <-----> openvpn server <-----> my home router <-----> my home lan
10.0.0.0/24      10.0.0.1 (lan)         10.0.2.1 (lan)         10.0.2.0/24
                 10.0.1.1 (vpn)         10.0.1.2 (vpn)
                        |
                        +-------------> parents' home router <---> parents' lan
                                        10.0.3.1 (lan)             10.0.3.0/24
                                        10.0.1.3 (vpn)
In this chart, the three routers (openvpn server, my home router, parents' home router) maintain static routes to the networks which are not local to them. On the server, I have to hardcode these routes in my network config, but for the two clients, I can push these routes down via OpenVPN. This allows all traffic bound for each network to traverse the OpenVPN pipe in between.
Making each linode an openvpn client is what I will go with.
Thanks everybody for your time and feedback.