Hi,
I am trying to configure a VPN between an OpenVPN server (running on Ubuntu) and VyOS. VyOS is configured as the client. VyOS is the gateway for multiple virtual servers. The setup is like this:
OpenVPN Server (running on Ubuntu, port TCP/443) ---> VyOS as client (version 1.4) --> Multiple client PCs with VyOS as gateway
VyOS has two interfaces (and one OpenVPN tun), NAT has been configured for client PCs so that they can browse internet. This is working fine.
Servers (172.16.0.0/24) <--------->OpenVPN Server<-------->VyOS <----------> Clients PCs (150.1.7.0/24)
I am able to configure the tunnel and it is up. Communication is up and running between the OpenVPN server and VyOS, but none of the PCs is reachable from the server or vice versa. The VyOS config is given below:
/* Firewall: address groups plus one ruleset (INTERNET-ACCESS) applied inbound on eth0 */
firewall {
group {
/* RFC1918 space; matched by rule 10 below to keep lab PCs off private networks */
network-group PRI-NW {
network 172.16.0.0/12
network 10.0.0.0/8
network 192.168.0.0/16
}
/* Tunnel subnet (10.8.0.0/24) and the remote server subnet (172.16.0.0/24) reachable over the VPN */
network-group VPN-NW {
network 10.8.0.0/24
network 172.16.0.0/24
}
}
/* Rules are evaluated in numeric order; rule 5 must stay before rule 10 because
   172.16.0.0/24 (VPN-NW) is also inside 172.16.0.0/12 (PRI-NW) */
name INTERNET-ACCESS {
default-action drop
/* Allow lab PCs to reach the VPN subnets */
rule 5 {
action accept
destination {
group {
network-group VPN-NW
}
}
protocol all
}
/* Drop anything else from lab PCs towards private address space */
rule 10 {
action drop
destination {
group {
network-group PRI-NW
}
}
protocol all
}
/* Everything remaining (public Internet) is accepted */
rule 20 {
action accept
destination {
address 0.0.0.0/0
}
protocol all
}
}
}
interfaces {
/* Lab-side interface; INTERNET-ACCESS filters traffic entering from the client PCs */
ethernet eth0 {
address 150.1.7.1/24
description "Lab MGMT GW"
firewall {
in {
name INTERNET-ACCESS
}
}
hw-id 00:50:56:82:de:ad
ip {
}
}
/* Upstream interface towards the default gateway 192.168.254.10 */
ethernet eth1 {
address 192.168.254.222/24
description "Inside interface"
hw-id 00:50:56:82:f9:12
}
loopback lo {
}
/* OpenVPN client tunnel; note the VyOS interface name is vtun00, which the static route
   for 172.16.0.0/24 below does not use (it references tun0) */
openvpn vtun00 {
encryption {
cipher aes128gcm
}
/* NOTE(review): no ruleset is attached here, so traffic arriving from the VPN server
   side is not filtered on ingress */
firewall {
in {
}
}
hash sha256
mode client
/* Require the peer certificate to carry the server EKU (protects against a client cert
   being presented as the server) */
openvpn-option "--remote-cert-tls server"
openvpn-option --persist-key
openvpn-option "--verify-x509-name server_fHg9igysutWRHS3b name"
/* Duplicates tls-version-min 1.2 set under tls { } below */
openvpn-option "--tls-version-min 1.2"
/* Drop OpenVPN daemon privileges after startup */
openvpn-option "--user nobody"
/* NOTE(review): VyOS names this interface vtun00; passing --dev tun explicitly may cause the
   kernel device to come up as tun0 instead — confirm with `show interfaces` and align the
   static route below to whichever name actually exists */
openvpn-option "--dev tun"
openvpn-option --nobind
persistent-tunnel
/* Client connects outbound to the server on TCP/443 */
protocol tcp-active
remote-host vpn00.ddns.net
remote-port 443
tls {
ca-certificate VPN00-CA-CERT
certificate VPN00-CERT
crypt-key ****************
tls-version-min 1.2
}
}
}
nat {
source {
/* Masquerade lab PCs leaving via eth1 to the Internet; VPN-bound traffic should leave via the
   tunnel interface and is not translated, so the server sees real 150.1.7.0/24 addresses and
   presumably needs a return route (iroute/ccd) for that prefix — verify on the server side */
rule 100 {
destination {
address !172.16.0.0/24
}
outbound-interface eth1
source {
address 150.1.7.0/24
}
translation {
address masquerade
}
}
}
}
pki {
/* NOTE(review): the ca block is not closed before `certificate VPN00-CERT {`; this looks
   like a paste artefact rather than the committed configuration */
ca VPN00-CA-CERT {
certificate #######
certificate VPN00-CERT {
certificate #######
private {
key ****************
}
}
openvpn {
shared-secret VPN00-SECRET {
key ****************
}
}
}
protocols {
static {
/* Default route via upstream gateway on eth1 */
route 0.0.0.0/0 {
next-hop 192.168.254.10 {
}
}
/* NOTE(review): interface tun0 does not match the configured OpenVPN interface vtun00; if the
   route is not installed, 172.16.0.0/24 traffic follows the default route instead of the tunnel,
   which would explain PCs not reaching the server side */
route 172.16.0.0/24 {
interface tun0 {
vrf default
}
}
}
}
service {
ssh {
/* NOTE(review): CBC mode (aes256-cbc) is generally considered weaker than CTR/GCM for SSH;
   consider whether it is still required by a client */
ciphers aes256-cbc
ciphers aes256-ctr
/* Management only reachable from the inside interface and the VPN tunnel address */
listen-address 192.168.254.222
listen-address 10.8.0.2
port 22
}
}
system {
config-management {
commit-revisions 100
}
/* Conntrack ALGs enabled for these protocols */
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
domain-name netlab.lan
host-name LAB-GW
login {
user labadmin {
authentication {
encrypted-password ****************
}
full-name "Lab Admin"
}
}
/* DNS resolver on the lab segment */
name-server 150.1.7.200
ntp {
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
syslog {
global {
facility all {
level info
}
/* Routing/protocol debug logging is enabled; useful while diagnosing the tunnel route */
facility protocols {
level debug
}
}
}
}
I hope I am clear enough here. Looking forward to the community's support.
Regards,