
Situation:
I have a server and a client connected to an OpenVPN network. Both are assigned virtual IP addresses - 10.10.1.6 for the server and 10.10.1.14 for the client. Server starts listening on port 8090. Client connects to the server and binds on port 4444. From the server's point of view I would expect source IP and source port to be 10.10.1.14:4444, however it is 10.10.1.1:4444.

Bigger picture:
There is an IoT device (RPi3) and a server connected to a VPN. Server needs to be able to address the IoT devices (that's a given), therefore IoT devices periodically "ping" the server so that it can keep track of their addresses (something similar to the LwM2M registration mechanism).

Additional info:

pi@raspberrypi:~/ $ ip addr
...
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.10.1.14 peer 10.10.1.13/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 ... /64 scope link flags 800 
       valid_lft forever preferred_lft forever
>>> ip addr # server
...
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.10.1.6 peer 10.10.1.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 ... /64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Testing the source address

pi@raspberrypi:~/ $ echo "hello" | ncat -p 4444 10.10.1.6 8090
-----------------------------------------------------------------------
>>> ncat -vvv -l -p 8090    # server
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::8090
Ncat: Listening on 0.0.0.0:8090
...
Ncat: Connection from 10.10.1.1.
...
Ncat: Connection from 10.10.1.1:4444.
...
hello
...

I have the same OpenVPN configuration as in https://www.howtoforge.com/tutorial/how-to-install-openvpn-server-and-client-with-easy-rsa-3-on-centos-7/ (Step 4 - Configure OpenVPN).

That being said, how do I "force" OpenVPN to pass me the "real" virtual source addresses? I am a beginner, so bear with me please.

Edit:
I tried the ncat test with both client and listener running on the same machine, thus having the same virtual IP address, and everything worked fine.

Pruzo
  • You're assuming this is default mode of operation -- but it is not. The real question should be "How do I find out why my OpenVPN server is overwriting the source address?" – u1686_grawity Aug 31 '19 at 12:05
  • It turned out that this indeed is default mode of operation – Pruzo Sep 04 '19 at 12:35

1 Answer


The 10.10.1.1 address is a GW routing the traffic between 10.10.1.6 and 10.10.1.14. OpenVPN clients cannot see each other by default.

Adding client-to-client to /etc/openvpn/server.conf solved the problem.

See archwiki and this answer. Another solution is the "bridging" option described here.

Pruzo
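For the registration "ping" described in the question, the listener can check whether the source address it sees is the device's own or the gateway's before storing it. The following is an added example, not code from the original post; it assumes the VPN subnet is 10.10.1.0/24, that each ping carries the device's own tun0 address in its payload, and the names `classify_source` and `Registry` are hypothetical.

```python
import ipaddress

# Assumptions for this sketch: the VPN subnet is 10.10.1.0/24 and the
# gateway is 10.10.1.1 (the source address the listener saw in the question).
VPN_SUBNET = ipaddress.ip_network("10.10.1.0/24")
VPN_GATEWAY = ipaddress.ip_address("10.10.1.1")


def classify_source(peer_ip: str, claimed_ip: str) -> str:
    """Compare the socket peer address with the address the device reports."""
    try:
        peer = ipaddress.ip_address(peer_ip)
        claimed = ipaddress.ip_address(claimed_ip)
    except ValueError:
        return "malformed"        # unparsable address in socket data or payload
    if peer not in VPN_SUBNET:
        return "outside-vpn"      # did not arrive through the tunnel
    if peer == claimed:
        return "ok"               # source preserved, device is addressable
    if peer == VPN_GATEWAY:
        return "rewritten"        # source replaced by the gateway address
    return "mismatch"             # payload names an address the peer does not hold


class Registry:
    """Maps device id -> address, storing only the verified socket peer address."""

    def __init__(self):
        self.devices = {}
        self.alerts = []

    def register(self, device_id: str, peer_ip: str, claimed_ip: str) -> str:
        verdict = classify_source(peer_ip, claimed_ip)
        if verdict == "ok":
            self.devices[device_id] = peer_ip
        else:
            self.alerts.append((device_id, peer_ip, claimed_ip, verdict))
        return verdict


if __name__ == "__main__":
    # Constructed registrations: (device id, socket peer, address in payload).
    samples = [
        ("rpi3-a", "10.10.1.1", "10.10.1.14"),   # the case from the question
        ("rpi3-a", "10.10.1.14", "10.10.1.14"),  # source address preserved
        ("rpi3-b", "10.10.1.22", "10.10.1.14"),  # payload names another address
        ("rpi3-c", "192.0.2.7", "10.10.1.30"),   # not from the VPN subnet
    ]
    reg = Registry()
    for sample in samples:
        print(sample, "->", reg.register(*sample))
    print("registered:", reg.devices)
```

The address in the payload is used only for comparison; the registry stores the socket peer address, so a device cannot register an address it does not hold.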