
Chain two OpenVPNs together #4

Open
shibumi opened this issue Oct 2, 2020 · 2 comments

Comments

@shibumi

shibumi commented Oct 2, 2020

Hi @jfelten,

do you know if it's possible to chain two OpenVPN Servers together in Kubernetes? What we are trying to achieve is that a client A from OpenVPN Server X can connect to all clients from OpenVPN Server Y.

@jfelten
Owner

jfelten commented Oct 2, 2020

Generally speaking yes - it's a matter of exposing server Y so that a client on the OpenVPN server X network can reach it. The implementation depends on your specific environment and what you want to accomplish. If you control the network, the best option would be to create a permanent PTP tunnel between the 2 server node networks, but if you don't, you will need an IP on server Y that exposes an openvpn port reachable from server X.

@shibumi
Author

shibumi commented Oct 9, 2020

What I actually want to do is some sort of "Maintenance" VPN for the Client VPN. The goal is that an administrator can log in to the Maintenance VPN and then have access to the clients in the client VPN. My current setup works so far, but I get weird openvpn errors (the connection is restarting every 1-2 min).

I am running an OpenVPN Server deployed via Helm Chart (this is running the maintenance VPN for the maintenance clients).
Then I am starting a second openvpn connection as a client to the client VPN via:

openvpn --config 10.54.0.4.ovpn --route-nopull --route-noexec

My Maintenance OpenVPN is 10.52.0.0/22, my client VPN is 10.54.0.0/22.
The Maintenance OpenVPN Server gets the IP 10.54.0.4 and routing seems to work as well for the clients in the maintenance network. I can reach a client with address 10.54.0.2 from my client 10.52.0.2, but the connection gets reset every couple of minutes. Do you have any idea?

These are our deployed IP rules:

  iptablesExtra:
   - -A INPUT -i tun0 -j ACCEPT
   - -A INPUT -i tun1 -j ACCEPT
   - -A FORWARD -i tun1 -o tun0 -j ACCEPT
   - -A FORWARD -i tun0 -o tun1 -j ACCEPT
   - -A FORWARD -i tun1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   - -A FORWARD -i tun0 -o tun1 -m state --state RELATED,ESTABLISHED -j ACCEPT
   - -t nat -A POSTROUTING -o tun0 -j MASQUERADE
   - -t nat -A POSTROUTING -o tun1 -j MASQUERADE
   - -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
   - -A FORWARD -m conntrack --ctstate NEW -d 10.52.0.0/255.255.252.0 -j ACCEPT
   - -A FORWARD -m conntrack --ctstate NEW -d 10.54.0.0/255.255.252.0 -j ACCEPT
   - -A FORWARD -m conntrack --ctstate NEW -d 10.43.0.0/255.255.0.0 -j ACCEPT
   - -A FORWARD -m conntrack --ctstate NEW -d 10.42.0.0/255.255.0.0 -j ACCEPT
   - -A FORWARD -m conntrack --ctstate NEW -d 10.101.0.0/255.255.255.0 -j ACCEPT
   - -A FORWARD -j REJECT

Here are some logs:

bash-4.3# openvpn --config 10.54.0.4.ovpn --route-nopull --route-noexec
Fri Oct  9 09:03:57 2020 OpenVPN 2.3.14 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 18 2016
Fri Oct  9 09:03:57 2020 library versions: LibreSSL 2.4.4, LZO 2.09
Fri Oct  9 09:03:57 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Oct  9 09:03:57 2020 Attempting to establish TCP connection with [AF_INET]10.43.175.138:443 [nonblock]
Fri Oct  9 09:03:58 2020 TCP connection established with [AF_INET]10.43.175.138:443
Fri Oct  9 09:03:58 2020 TCPv4_CLIENT link local: [undef]
Fri Oct  9 09:03:58 2020 TCPv4_CLIENT link remote: [AF_INET]10.43.175.138:443
Fri Oct  9 09:03:58 2020 WARNING: 'keydir' is present in remote config but missing in local config, remote='keydir 0'
Fri Oct  9 09:03:58 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Oct  9 09:03:58 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Oct  9 09:03:58 2020 [server] Peer Connection Initiated with [AF_INET]10.43.175.138:443
Fri Oct  9 09:04:00 2020 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct  9 09:04:00 2020 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct  9 09:04:00 2020 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct  9 09:04:00 2020 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct  9 09:04:00 2020 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct  9 09:04:00 2020 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct  9 09:04:00 2020 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct  9 09:04:00 2020 TUN/TAP device tun1 opened
Fri Oct  9 09:04:00 2020 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Oct  9 09:04:00 2020 /sbin/ip link set dev tun1 up mtu 1500
Fri Oct  9 09:04:00 2020 /sbin/ip addr add dev tun1 10.54.0.4/22 broadcast 10.54.3.255
Fri Oct  9 09:04:00 2020 Initialization Sequence Completed
Fri Oct  9 09:04:11 2020 Connection reset, restarting [0]
Fri Oct  9 09:04:11 2020 /sbin/ip addr del dev tun1 10.54.0.4/22
Fri Oct  9 09:04:11 2020 SIGUSR1[soft,connection-reset] received, process restarting
Fri Oct  9 09:04:16 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Oct  9 09:04:16 2020 Attempting to establish TCP connection with [AF_INET]10.43.175.138:443 [nonblock]

You can see that the connection between the Maintenance OpenVPN Server and the Client VPN Server gets reset, but I can't find any reason for this: "Fri Oct 9 09:04:11 2020 Connection reset, restarting [0]". Even when I start the client with --verb 11 and capture with tcpdump, I see no real reason for it.
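An added log-triage helper, not part of this issue or the chart: it parses OpenVPN 2.3-style log lines like the ones pasted above, measures how long each tunnel stayed up before a "Connection reset", and lists the hardening warnings the client log already carries (no server certificate verification, a 64-bit block cipher, and the pushed options rejected because of --route-nopull). The sample lines are constructed from the messages quoted above; the timestamps after the first reset are made up.

```python
import re
from datetime import datetime

# Constructed sample: message texts come from the issue's log, the later
# timestamps are invented so that two up/down cycles are visible.
SAMPLE_LOG = """\
Fri Oct  9 09:03:57 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Oct  9 09:03:58 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Oct  9 09:04:00 2020 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct  9 09:04:00 2020 Initialization Sequence Completed
Fri Oct  9 09:04:11 2020 Connection reset, restarting [0]
Fri Oct  9 09:05:40 2020 Initialization Sequence Completed
Fri Oct  9 09:06:20 2020 Connection reset, restarting [0]
"""

# "Fri Oct  9 09:03:57 2020 <message>" (note the padded day-of-month)
TS_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")

# Message substrings worth flagging, with the defender-relevant reason.
FINDINGS = {
    "No server certificate verification method": "client does not verify the server certificate (MITM risk)",
    "INSECURE cipher with block size less than 128 bit": "64-bit block cipher negotiated (SWEET32)",
    "cannot be used in this context ([PUSH-OPTIONS])": "pushed option rejected (expected with --route-nopull)",
}

def parse_log(text):
    """Return (datetime, message) tuples for every timestamped log line."""
    entries = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return entries

def uptime_between_resets(entries):
    """Seconds from each 'Initialization Sequence Completed' to the next reset."""
    durations, up_since = [], None
    for ts, msg in entries:
        if msg.startswith("Initialization Sequence Completed"):
            up_since = ts
        elif msg.startswith("Connection reset, restarting") and up_since is not None:
            durations.append((ts - up_since).total_seconds())
            up_since = None
    return durations

def security_findings(entries):
    """Deduplicated hardening findings, in order of first appearance."""
    found = []
    for _, msg in entries:
        for needle, reason in FINDINGS.items():
            if needle in msg and reason not in found:
                found.append(reason)
    return found
```

Short, regular uptimes point at a transport-level problem (conntrack or a health check on the TCP path) rather than at TLS; the two WARNING findings are fixed on the client side with a CA plus `verify-x509-name` or `remote-cert-tls server`, and a 128-bit block cipher.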
