Hello, I have an OpenVPN server that users connect to directly. Now I want to set up another OpenVPN server and place it between the users and the main server:
Client(s) ---> Intermediate OpenVPN Server (172.20.2.53) ---> Final OpenVPN Server (172.20.2.54)

To do this, the intermediate server must play the role of a client for the main server and the role of a server for the clients.

First I created certificates for the intermediate server. I ran the following commands on the final server:

  # cd /etc/openvpn/easy-rsa/
  # ./easyrsa gen-req intermediate-server nopass
  # ./easyrsa sign-req client intermediate-server nopass
  # ./easyrsa gen-req intermediate-server-int nopass
  # ./easyrsa sign-req server intermediate-server-int nopass
  # scp /etc/openvpn/easy-rsa/pki/ca.crt [email protected]:/etc/openvpn/
  # scp /etc/openvpn/easy-rsa/pki/issued/intermediate-server.crt [email protected]:/etc/openvpn/
  # scp /etc/openvpn/easy-rsa/pki/private/intermediate-server.key [email protected]:/etc/openvpn/
  # scp /etc/openvpn/ta.key [email protected]:/etc/openvpn/
  # scp /etc/openvpn/easy-rsa/pki/issued/intermediate-server-int.crt [email protected]:/etc/openvpn/server-int.crt
  # scp /etc/openvpn/easy-rsa/pki/private/intermediate-server-int.key [email protected]:/etc/openvpn/server-int.key

I created the configuration files on the Intermediate server:

  # nano /etc/openvpn/client/client-final.conf
  client
  dev tun1
  proto udp
  remote 172.20.2.54 2024
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  ca /etc/openvpn/ca.crt
  cert /etc/openvpn/intermediate-server.crt
  key /etc/openvpn/intermediate-server.key
  tls-crypt /etc/openvpn/ta.key
  remote-cert-tls server
  auth-nocache
  # CRITICAL: Prevents server from changing your default route
  route-nopull
  # Manual route to Final Server's internal network
  route 10.10.0.0 255.255.255.0
  user nobody
  group nogroup
  verb 3
  daemon

  # nano /etc/openvpn/server/server-int.conf
  port 2025
  proto udp
  dev tun2
  ca /etc/openvpn/ca.crt
  cert /etc/openvpn/intermediate-server-int.crt
  key /etc/openvpn/intermediate-server-int.key
  dh /etc/openvpn/dh.pem
  server 20.20.0.0 255.255.255.0
  push "redirect-gateway def1 bypass-dhcp"
  push "dhcp-option DNS 10.10.0.1"
  push "route 10.10.0.1 255.255.255.255"
  push "block-outside-dns"
  topology subnet
  keepalive 10 120
  tls-crypt /etc/openvpn/ta.key
  cipher AES-256-GCM
  user nobody
  group nogroup
  persist-key
  persist-tun
  status /var/log/openvpn/int-status.log
  log /var/log/openvpn/openvpn-int.log
  verb 3
  explicit-exit-notify 1

The iptables rules are as follows:

  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  # Allow loopback
  -A INPUT -i lo -j ACCEPT
  # Allow established and related connections
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Allow SSH
  -A INPUT -p tcp --dport 22 -j ACCEPT
  # Allow ICMP (ping)
  -A INPUT -p icmp -j ACCEPT
  # Allow OpenVPN server port
  -A INPUT -p udp --dport 2025 -j ACCEPT
  # Allow all traffic on VPN interfaces
  -A INPUT -i tun+ -j ACCEPT
  # Forward chain - CRITICAL for routing between VPN interfaces
  -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -i tun2 -o tun1 -s 20.20.0.0/24 -j ACCEPT
  -A FORWARD -i tun1 -o tun2 -d 20.20.0.0/24 -j ACCEPT
  COMMIT

  *nat
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  # NAT for client traffic going to final server
  -A POSTROUTING -s 20.20.0.0/24 -o tun1 -j MASQUERADE
  # NAT for client traffic going to internet (if needed)
  -A POSTROUTING -s 20.20.0.0/24 -o enX0 -j MASQUERADE
  COMMIT

Finally:

  # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
  # sysctl -p
  # cd /etc/openvpn
  # openssl dhparam -out dh.pem 2048
  # systemctl start openvpn-client@client-final
  # systemctl start openvpn-server@server-int
  # ip link show
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  2: enX0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
      link/ether 56:e0:23:e2:27:08 brd ff:ff:ff:ff:ff:ff
      altname enx56e023e22708
  7: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
      link/none
  8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
      link/none

What is wrong? After that, my Intermediate server must have access to the Internet via the Final server, but...

Thank you.

_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
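A quick offline way to check a relay setup like the one in the post is to replay a client packet through the FORWARD chain and the routing table before touching the live box. The script below is an added example, not the poster's code: it parses the *filter table from the message verbatim, assumes the intermediate server's routing table that the two configs imply (route-nopull plus a manual 10.10.0.0/24 route on tun1, the client subnet on tun2, everything else via enX0; that table is an assumption), treats every packet as a NEW connection so conntrack rules are skipped, and reports the egress interface and FORWARD verdict for a given source and destination.

```python
"""
Offline trace of a VPN client packet through the intermediate server's
FORWARD chain. Added example (not from the post): the ruleset below is
transcribed from the message; the routing table is an assumption.
Simplifications: only -i/-o/-s/-d/--ctstate are evaluated, and every
packet is treated as state NEW, so RELATED,ESTABLISHED rules never match.
"""
import ipaddress
import shlex

# *filter table as posted (constructed copy of the message's rules).
RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 2025 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun2 -o tun1 -s 20.20.0.0/24 -j ACCEPT
-A FORWARD -i tun1 -o tun2 -d 20.20.0.0/24 -j ACCEPT
COMMIT
"""

# Assumed routing table of the intermediate server, derived from the
# configs: "route 10.10.0.0 255.255.255.0" over tun1 with route-nopull,
# the "server 20.20.0.0/24" subnet on tun2, default route via enX0.
ROUTES = [
    ("0.0.0.0/0", "enX0"),
    ("10.10.0.0/24", "tun1"),
    ("20.20.0.0/24", "tun2"),
]


def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule dicts]}) from iptables-save text."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            chains.setdefault(chain, [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            chain, rule, i = tok[1], {}, 2
            while i < len(tok):
                flag = tok[i]
                if flag in ("-i", "-o", "-s", "-d", "-j", "-p", "--dport", "--ctstate"):
                    rule[flag] = tok[i + 1]
                    i += 2
                elif flag == "-m":
                    i += 2  # skip the match-extension name; its options follow
                else:
                    i += 1
            chains.setdefault(chain, []).append(rule)
    return policies, chains


def iface_match(pattern, name):
    """iptables interface match: a trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def in_net(cidr, addr):
    """True when the address lies in the CIDR (or no CIDR was given)."""
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def chain_verdict(policies, chains, chain, in_if, out_if, src, dst, state="NEW"):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chains.get(chain, []):
        states = rule.get("--ctstate")
        if states and state not in states.split(","):
            continue
        if (iface_match(rule.get("-i"), in_if) and iface_match(rule.get("-o"), out_if)
                and in_net(rule.get("-s"), src) and in_net(rule.get("-d"), dst)):
            return rule["-j"]
    return policies[chain]


def route_lookup(routes, dst):
    """Longest-prefix match; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def trace_client_packet(src, dst, ruleset=RULESET, routes=ROUTES, in_if="tun2"):
    """Simulate a NEW packet arriving on in_if: (egress interface, FORWARD verdict)."""
    policies, chains = parse_filter(ruleset)
    out_if = route_lookup(routes, dst)
    return out_if, chain_verdict(policies, chains, "FORWARD", in_if, out_if, src, dst)


if __name__ == "__main__":
    for dst in ("10.10.0.1", "203.0.113.10"):  # final server's tunnel IP, an Internet host
        out_if, verdict = trace_client_packet("20.20.0.5", dst)
        print(f"20.20.0.5 -> {dst}: egress {out_if}, FORWARD {verdict}")
```

Run against the posted rules, a client packet to 10.10.0.1 leaves via tun1 and is accepted, while a packet to an Internet address is routed to enX0 and hits the FORWARD DROP policy, because the only tun2 rule requires "-o tun1"; the POSTROUTING MASQUERADE on enX0 is never reached for it. That is the kind of mismatch between filter and nat tables worth checking whenever a relay host is meant to carry client traffic onward.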
