Note: This post isn’t complete. I have this configuration working for myself, but the IPTables rules are taken from a very big script and may not be complete. Email me if you have a question or if you can explain this better. Anyway hopefully there is enough here to get you started.
OpenVPN provides two basic modes for remote client connections:
- Routing mode OpenVPN serves remote clients a different subnet of IP addresses.
- Bridging mode means that connecting clients get an IP address from the same range as the inside interface of the gateway box.
However in my experience configuring your firewall box with bridging can break other VPN solutions (IPSec). So you can, with a little IPTables magic make your routed OpenVPN remote clients appear as if they are on the same network as the internal clients even though they aren’t. So you get an OpenVPN setup in routing mode acting like it’s in bridge mode.
- The remote client is connecting to OpenVPN and is given an IP address
- The route to the internal LAN in server.conf is pushed to the client via the ‘push “route 10.2.0.0 255.255.255.0″‘ command.
- The remote client sends traffic down the OpenVPN tunnel and the traffic is routed toward the internal LAN
- just before remote client traffic exits eth0 IPTables re-writes the source address to the internal interface address so internal clients think the remote client is a local address.
- IPTables keeps track of the rewritten traffic and will rewrite it as needed on the return trip
Why would you want to do the above?
You want to tack an OpenVPN network onto your existing network but not tell all the subnets in your existing network about the tacked on OpenVPN subnet.