From: martin <ed...@pm...> - 2004-05-28 14:21:03
> did I get you right?
>
> this is your setup:
> lan 1 -- openvpn-server1 -- INTERNET -- openvpn server2 / mailserver -- lan 2

exactly

> and you want to access the mailserver on the openvpn server 2 from lan 1 over
> its public ip?
>
> then you must only add the correct route-entries on your openvpn-server1 (and
> maybe firewall forward rules). The trick is to use "source-based" routing,
> because you cannot simply add a normal static route on your openvpn server1
> over the tunnel interface to the public ip of the server2. This would end
> with a broken setup for your whole openvpn connection and communication with
> the server2, because then you couldn't send the encrypted data (or any other
> data) over the internet to even this public ip address of the server2, because
> you routed this traffic over the tunnel interface :)
>
> For a simple source-based routing solution, here a short howto :)
>
> I don't know your public or private ip networks, so I use this, you can change
> them for your needs:
>
> lan1 = 10.0.0.0/24
> public ip openvpn server2 = 1.2.3.4
> tunnel interface = tun0
>
> you need the following steps to configure the source-based routing:
> 1) install the "iproute2" package for your distribution.
> 2) edit "/etc/iproute2/rt_table"
> add the following line to the end:
> 200 lan2mailserver
> 3) type in the following commands:
> # ip rule add from 10.0.0.0/24 lookup lan2mailserver
> # ip route add 1.2.3.4 via tun0 table lan2mailserver
> # ip route flush cache
> 4) try if it works... a traceroute from the lan1 to the public ip of the
> mailserver/openvpn server2 should do the trick. if not, see if you have the
> needed iptables forward rules. Even look on the openvpn server2 if there is a
> firewall rule or something like that which could block the traffic.
I did it like you described but got an error at this point (I used my real addresses of course):

# ip route add 1.2.3.4 via tun0 table lan2mailserver
Error: an inet address is expected rather than "tun0"

So I tried to do it with the ip address of the tun interface (instead of tun0):

# ip route add 1.2.3.4 via 10.1.0.2 table lan2mailserver

and another time with the dev tun0 option (instead of via ...):

# ip route add 1.2.3.4 dev tun0 table lan2mailserver

Both methods didn't work. The rule is saved correctly, but a traceroute shows me it is not using the tunnel. When I look up all ip routes:

# ip route

there is no entry with the specific ip route. I guess that's why it doesn't work. I don't even know if the route is saved correctly, or where it is saved, to look it up and check if it is right.

FYI, I'm working with a 2.4.25 kernel, the iproute2-ss010824 Debian version and openvpn 1.6.0 i386-pc-linux-gnu.

TIA
martin
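The source-based routing steps from the quoted howto, written out as one script. This is an added example for this archive page, not code from either poster or from the OpenVPN project. It keeps the howto's values (10.0.0.0/24, 1.2.3.4, tun0, table 200 named lan2mailserver) and adds two assumptions of its own: eth0 as server1's LAN1 interface and 10.0.0.10 as a test host for "ip route get". The table name is appended to /etc/iproute2/rt_tables, the standard iproute2 name for that file. The route uses "dev tun0" rather than "via tun0", because "via" takes a gateway address, which is exactly the error message in the reply above. By default the script only prints the commands (DRY_RUN is set); run it as root with DRY_RUN empty once the output looks right.

```shell
#!/bin/sh
# Added example, not code from the original thread. Source-based routing on
# openvpn server1 so that packets *from* LAN1 to the public IP of openvpn
# server2 go through the tunnel, while server1's own traffic to that IP
# (the encrypted OpenVPN packets) keeps using the normal Internet route.
#
# Assumed values, taken from the quoted howto or invented for this example:
#   LAN1_NET        10.0.0.0/24         LAN behind server1
#   LAN1_TEST_HOST  10.0.0.10           a host in LAN1 for "ip route get"
#   LAN1_DEV        eth0                server1's LAN1 interface
#   SERVER2_PUBLIC  1.2.3.4             public IP of openvpn server2
#   TUN_DEV         tun0                tunnel interface on server1
#   TABLE_ID/NAME   200 lan2mailserver  routing table from step 2
#
# DRY_RUN is set by default: commands are printed, not executed. Run with
# DRY_RUN= as root once the printed commands look right.

LAN1_NET="${LAN1_NET:-10.0.0.0/24}"
LAN1_TEST_HOST="${LAN1_TEST_HOST:-10.0.0.10}"
LAN1_DEV="${LAN1_DEV:-eth0}"
SERVER2_PUBLIC="${SERVER2_PUBLIC:-1.2.3.4}"
TUN_DEV="${TUN_DEV:-tun0}"
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-lan2mailserver}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN-1}"

# run CMD ARGS...: print the command; execute it only when DRY_RUN is empty.
run() {
    printf '%s\n' "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

# Step 2: give table 200 a name so that "table lan2mailserver" resolves.
# A duplicate line would not break anything, but keep the file clean.
register_table() {
    if [ -n "$DRY_RUN" ]; then
        printf 'echo "%s %s" >> %s\n' "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES"
    elif ! grep -qE "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME\$" "$RT_TABLES"; then
        printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    fi
}

# Step 3: the rule selects the extra table by *source* address; the route in
# that table points at the tunnel. "via" expects a gateway address, which is
# why "via tun0" is rejected; for a point-to-point tun device "dev tun0" is
# enough. Packets that match no route in the table fall through to the main
# table, so the rest of LAN1's traffic is unaffected.
add_policy_route() {
    run ip rule add from "$LAN1_NET" lookup "$TABLE_NAME"
    run ip route add "$SERVER2_PUBLIC" dev "$TUN_DEV" table "$TABLE_NAME"
    run ip route flush cache
}

# Step 4: if the FORWARD chain drops by default, allow LAN1 -> server2 via tun0.
add_forward_rule() {
    run iptables -A FORWARD -s "$LAN1_NET" -d "$SERVER2_PUBLIC" -o "$TUN_DEV" -j ACCEPT
}

# Plain "ip route" lists only the main table, so the new route does not show
# up there. Ask for the table by name, and let the kernel report which route a
# packet from LAN1 to server2 would take (the input interface must be given).
show_policy_route() {
    run ip rule show
    run ip route show table "$TABLE_NAME"
    run ip route get "$SERVER2_PUBLIC" from "$LAN1_TEST_HOST" iif "$LAN1_DEV"
}

setup_source_routing() {
    register_table
    add_policy_route
    add_forward_rule
    show_policy_route
}

setup_source_routing
```

The last three commands are the check the reply above was missing: the policy route lives in table lan2mailserver and only "ip route show table lan2mailserver" (or "ip rule show" followed by the table lookup) will list it, and "ip route get ... from 10.0.0.10 iif eth0" answers directly whether a forwarded LAN1 packet is sent out over tun0.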