
I am running a VLAN applied to a number of servers on Linode. The IPs assigned are 10.0.16.n/24 and are accessed via an OpenVPN server also on the same range.

I have connected to the VPN box from my local laptop and can ping and connect to 2 servers on the network but no more. I don't have OpenVPN paid licenses but don't believe that's relevant?

I have checked netstat -tulpn | grep :22 on one of the failing servers and see

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 728/sshd: /usr/sbin

I have a firewall rule (on UFW) 22 ALLOW 10.0.0.0/16

I also can't ping the box. I've checked the UFW rules and they are the default ones. This box is Ubuntu 22 whereas the one I can connect to locally is 20, but apart from that nothing else stands out as being any different. I've turned the firewall fully off but still no success.

Interestingly, from the box I can connect to, I can also connect to the other boxes on the VLAN which I'm unable to reach remotely. This suggests it's a problem with the OpenVPN setup, but I followed the standard Linode tutorial and I'm not sure what settings might be affecting it?

Under the OpenVPN Configuration, for "Should VPN clients have access to private subnets (non-public networks on the server side)?" I'm using Yes, using Routing with Subnet 10.0.16.0/32.

1 Answer


VLANs create isolated broadcast domains; unless the OpenVPN interface has been tagged with the correct VLAN tag, traffic from OpenVPN will not be able to communicate with the machines on the VLAN, even if they have the same subnet/range.

I would suggest that on the OpenVPN server you enable IP forwarding for the OpenVPN interface and for the local interface that outbound traffic will use.

Run the following commands with sudo, or in a root shell.

# forwarding on the LAN-facing interface (eth1 here)
sysctl net.ipv4.conf.eth1.forwarding=1
# forwarding on the OpenVPN tunnel interface
sysctl net.ipv4.conf.tun0.forwarding=1

Replace tun0 with the name of your OpenVPN tunnel interface if it is not tun0; it may be tap0 or similar. You will also need to run the command for any additional interfaces you want traffic to be forwarded on.

You can run sysctl net.ipv4.conf.all.forwarding=1, but this can create security issues, so please check with the relevant people and do your checks before enabling it. Sometimes, quick is not best.

Once you have confirmed this works, you can update /etc/sysctl.conf with:

net.ipv4.conf.eth1.forwarding=1
# replace tun0 with your tunnel interface name (the earlier line used "openvpn", which is not an interface name)
# note: tun0 only exists while OpenVPN is running, so this key is not applied at boot before the tunnel is up
net.ipv4.conf.tun0.forwarding=1

You will need to set the gateway for your PC to be the IP address of the OpenVPN endpoint, and then run:

# accept traffic arriving from any tun interface
iptables -A INPUT -i tun+ -j ACCEPT
# tunnel -> LAN: allow new and existing connections
iptables -A FORWARD -i tun+ -o eth+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun+ -o as0t+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# LAN -> tunnel: only replies to connections the client opened
iptables -A FORWARD -i eth+ -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i as0t+ -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# source-NAT the client subnet behind the server's LAN interfaces
iptables -t nat -A POSTROUTING -s 10.0.127.0/24 -o eth+ -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.127.0/24 -o as0t+ -j MASQUERADE

This will NAT any connections from your client and use the server's local interface (which is able to access all the machines) to forward traffic to the other machines.

To avoid having to add these rules after each reboot, install iptables-persistent via apt. iptables-persistent will save your rules and reapply them on each reboot.

Using the extra info you provided with the subnets, instead of setting the default gateway on your PC, you can modify your OpenVPN config to push the routes to your PC. Add the following lines anywhere in your config file; I would recommend just below the line where you set the IP near the top of the file.

# note this is a /24 subnet, not /32 as you mentioned. A /32 is a host address written in CIDR format.
push "route 10.0.16.0 255.255.255.0"
push "route 172.x.x.x 255.x.x.x"
push "route 172.x.x.x 255.x.x.x"
push "route 178.x.x.x 255.x.x.x"
push "route 192.168.x.x 255.255.x.x"

The option in Linode "listen on all interfaces" controls which interfaces OpenVPN listens on for the initial connection. Once the VPN connection has been established, that option has no effect on the behaviour of the VPN.
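A worked check for the /24-versus-/32 point above, and for whether a pushed route (or a UFW allow rule such as 10.0.0.0/16) actually covers a given server address. This is an added example, not code from the answer, from Linode or from OpenVPN; the function names are made up and the addresses are the constructed ones from this thread.

```python
import ipaddress


def push_route(cidr):
    """Render a CIDR prefix in the dotted-mask form OpenVPN's push "route" expects."""
    net = ipaddress.ip_network(cidr, strict=False)
    return 'push "route %s %s"' % (net.network_address, net.netmask)


def subnet_warnings(cidr, client_pool):
    """Sanity checks for a private subnet declared on the server side.

    client_pool is the range OpenVPN hands out to clients (10.0.127.0/24
    in this thread).  A subnet that overlaps it cannot be routed cleanly.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    pool = ipaddress.ip_network(client_pool, strict=False)
    warnings = []
    if net.prefixlen == net.max_prefixlen:
        # the mistake in the question: 10.0.16.0/32 is one host, not the LAN
        warnings.append("%s is a single host route, not a subnet" % cidr)
    if net.overlaps(pool):
        warnings.append("%s overlaps the client pool %s" % (cidr, client_pool))
    if not net.is_private:
        warnings.append("%s is not private address space" % cidr)
    return warnings


def covered(prefixes, address):
    """True if at least one prefix (pushed route, firewall rule) covers address."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


if __name__ == "__main__":
    # constructed values: the VLAN is really 10.0.16.0/24 but was entered as /32
    for cidr in ("10.0.16.0/32", "10.0.16.0/24"):
        print(push_route(cidr), subnet_warnings(cidr, "10.0.127.0/24"))
    print(covered(["10.0.16.0/32"], "10.0.16.5"))   # False: only .0 is routed
    print(covered(["10.0.16.0/24"], "10.0.16.5"))   # True
    print(covered(["10.0.0.0/16"], "10.0.127.2"))   # True: UFW rule admits VPN clients
```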

  • Hi Luke - appreciate this. Just to clarify, my static IP is 10.0.127.0/24 so I think that's the "openvpn subnet"? The private subnets are 10.0.16.0/32. So I assume I replace your 10.1.16.0/24 with my 127 example. How can I detect which interfaces are which? Here are my current adaptors as listed by Ubuntu: IPv4 address for as0t0: 172.x; IPv4 address for as0t1: 172.x; IPv4 address for eth0: 178.x; IPv4 address for eth0: 192.168.x; IPv6 address for eth0: x; IPv4 address for eth1: 10.0.16.1. My openvpn settings say "listen on all interfaces" without yes being turned on for specific
    – Antony
    Commented Nov 13, 2023 at 18:56
  • Morning Antony, I have just updated the answer using the extra details you provided; you did not include the name of the openvpn interface, so I have assumed tun0, but it may be tap0. If you want to access the machines on as0t0 and as0t1 you will need to enable forwarding on those interfaces as well. I have included the iptables rules for those interfaces as well.
    Commented Nov 13, 2023 at 19:50
  • Further to my original post I re-discovered this link: linode.com/community/questions/22397/… which is how I originally set up the VPN (I had forgotten to repeat this step on my most recent new server). I have since been onto it though, run the same instructions and cannot successfully connect. I have upvoted this answer but think I'm still not quite on the right track.
    – Antony
    Commented Nov 14, 2023 at 9:19
  • I have also disabled the firewall on the latest machine and can't ping it either.
    – Antony
    Commented Nov 14, 2023 at 9:26
  • Antony, based on the link you posted, it suggests OpenVPN is configured by Linode servers, not by Ubuntu. You would need to add the different subnets into the web interface, and also the User Management. If you are still unable to access the servers, can you please message me ping tests and traceroutes both from and to server a and server b to/from the vpn address 10.0.127.2, and the output of ip route from the servers.
    Commented Nov 15, 2023 at 11:20
