====== OpenVPN - Routing from Server to Client ======

To push routes from the server to a client.

----

===== Allow Port Forwarding =====

The machine that is going to function as the egress point to the Internet has to be configured to allow IPv4 forwarding. In **/etc/sysctl.conf**, set **net.ipv4.ip_forward** to 1:

  net.ipv4.ip_forward=1

----

===== Allow Masquerading =====

This allows packets forwarded from the internal network to the Internet to be rewritten (NAT) so that they carry the egress point's external IP address. The following firewall rules are needed:

  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
  iptables -A FORWARD -j LOG
  iptables -A FORWARD -j DROP

**NOTE:**
  * **eth0** is the egress interface.
  * **tun0** is the internal interface.
  * The ''echo'' line enables forwarding immediately; the entry in **/etc/sysctl.conf** makes it persistent across reboots.
  * The first iptables rule causes traffic outbound on the egress interface to be masqueraded (NAT).
  * The second rule causes inbound traffic going from the egress interface to the internal interface to be accepted if it is part of an established or related connection (i.e. packets coming back).
  * The third rule causes packets forwarded from the internal interface to the egress interface to be accepted.
  * The last two rules log anything else and drop it.

----

===== OpenVPN Server Configuration =====

The OpenVPN server needs to be told which routes should be directed into the tun adapter. In **/etc/config/openvpn** (OpenWrt UCI syntax), add the following:

  list route '123.123.123.123 255.255.255.255'
  list route '234.234.234.234 255.255.255.255'

**NOTE:** When OpenVPN is restarted, it will automatically put the correct entries in your router's routing table to direct traffic for those IPs out of your tun adapter.
----

===== OpenVPN Client Configuration (on server) =====

If OpenVPN receives traffic on the tun adapter for those IPs, it does not know which connected client should receive the packets and so it drops them. You will also need **iroutes** for those networks in the client configuration directives for your client (the client's file in the server's client-config-dir; ''iroute'' is not valid in the main server config):

  iroute 123.123.123.123 255.255.255.255
  iroute 234.234.234.234 255.255.255.255

**NOTE:** Restart OpenVPN and connect to it.

----

===== Testing =====

Check that you can ping one of the routes you have added:

  ping 123.123.123.123

**NOTE:**

If the ping works:
  * This tells you that packets are hitting your server (which could be the router) and being redirected into OpenVPN.
  * OpenVPN is passing them down the tunnel and they are breaking out at the tun interface on your client.
  * If you do not see the packets landing on the tun interface:
    * Check your firewall log on the client and make sure your firewall rules are fine.
    * Check the logs on your server (router).

If the ping fails:
  * Check that the traffic is actually getting routed.
  * Examine the routing table on the server (which could be the router) and see if the route is listed.
  * Assuming it is, on your client end, run the following:

  tcpdump -i tun0

  * If packets are being dropped, examine **/tmp/openvpn.status** and make sure that the route is listed in the OpenVPN routing table.
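The server ''list route'' entries and the client ''iroute'' entries above must agree, or OpenVPN silently drops the traffic. The following is an added checker (not part of this page's setup or of OpenVPN/OpenWrt) that parses both and reports server routes no client claims; the UCI stanza and ccd file it reads are constructed samples, and the third route is deliberately left without an iroute.

```python
import ipaddress
import re

# Constructed samples (assumption): the OpenVPN stanza from OpenWrt's /etc/config/openvpn
# and one client-config-dir (ccd) file. The third server route deliberately has no iroute.
SERVER_UCI = """
config openvpn 'myvpn'
    option dev 'tun0'
    list route '123.123.123.123 255.255.255.255'
    list route '234.234.234.234 255.255.255.255'
    list route '10.9.0.0 255.255.255.0'
"""

CLIENT_CCD = """
# ccd/laptop (constructed)
iroute 123.123.123.123 255.255.255.255
iroute 234.234.234.234 255.255.255.255
"""

# UCI 'list route' values are "network [netmask]"; OpenVPN 'iroute' lines are "network netmask".
ROUTE_RE = re.compile(r"^\s*list\s+route\s+'([^']+)'\s*$", re.M)
IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)\s*$", re.M)


def _net(ip, mask):
    """Normalise dotted-quad ip/netmask to an ip_network (host routes become /32)."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def server_routes(uci_text):
    """Networks the server stanza tells the kernel to send into the tun adapter."""
    nets = []
    for value in ROUTE_RE.findall(uci_text):
        parts = value.split()
        mask = parts[1] if len(parts) > 1 else "255.255.255.255"  # OpenVPN's default mask
        nets.append(_net(parts[0], mask))
    return nets


def client_iroutes(ccd_text):
    """Networks a ccd file claims for its client via iroute."""
    return [_net(ip, mask) for ip, mask in IROUTE_RE.findall(ccd_text)]


def missing_iroutes(uci_text, ccd_texts):
    """Server routes no client claims: OpenVPN cannot pick a peer, so it drops those packets."""
    claimed = set()
    for text in ccd_texts:
        claimed.update(client_iroutes(text))
    return [str(net) for net in server_routes(uci_text) if net not in claimed]
```

Run ''missing_iroutes(SERVER_UCI, [CLIENT_CCD])'' against the real files (one string per ccd file) and an empty result means every pushed route has an owner.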