OpenVPN LAN-to-LAN client and server setup

    The current setup only allows for an OpenVPN server in a client-to-LAN setup.


    See my other posting on how to make the OpenMediaVault OpenVPN a client in a client-to-LAN setup.


    This post explains what to do to route two private networks together in a LAN-to-LAN setup:


    I have done this manually, and the changes are not big, so it should be quite easy to add to the plugin:


    Before setting up this solution, note that some configuration changes are also required on other devices. These requirements should be listed somewhere in the plugin help.


    Example LAN 1 with the OpenMediaVault OpenVPN server:
    ADSL router: 192.168.0.1
    OpenMediaVault: 192.168.0.20 (fixed address)


    Example LAN 2 with the OpenMediaVault OpenVPN client:
    ADSL router: 192.168.100.254
    OpenMediaVault: 192.168.100.200 (fixed address)



    --- For the ADSL router/gateway on the OpenVPN 'server' network ---
    1. Get a fixed IP address on the internet or set up a Dynamic DNS FQDN so that clients can find the server (already required by the existing setup)
    2. Port forward UDP port 1194 to the OpenMediaVault server, or another port and protocol if this has been changed (already required by the existing setup)
    3. Add a static route to the router's table for the client's network (all traffic for 192.168.100.0/24 should go to our local OpenMediaVault 'server' 192.168.0.20)


    --- For the ADSL router/gateway on the OpenVPN 'client' network ---
    1. Add a static route to the router's table for the server's network (all traffic for 192.168.0.0/24 should go to our local OpenMediaVault 'client' 192.168.100.200)


    If it is not possible to add a static route on the ADSL routers, the route can instead be added on each machine within the private networks that needs to speak to the other network, although this is tedious.



    --- For the OpenVPN 'server' ---
    1. Add the following options to the Extra settings as part of the OpenVPN General settings:


    client-config-dir ccd
    route 192.168.100.0 255.255.255.0


    2. mkdir /etc/openvpn/ccd
    3. Create a VPN user in the vpnusers group (called 'client' in my case)
    4. Create a VPN client certificate for the LAN-to-LAN client.
    5. Create a file in the /etc/openvpn/ccd directory called 'client' with the following text:


    iroute 192.168.100.0 255.255.255.0


    All of this tells the OpenVPN server that, while this client is connected, traffic for the whole 192.168.100.0 network should be sent over the link, not just traffic for the connecting machine.
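    The server-side steps above boil down to two lines of Extra settings plus one ccd file, and the usual failure is that the two disagree (route without iroute, or an iroute for a subnet the server does not know) or that the ccd file name does not match the common name in the client certificate, which is how OpenVPN looks the file up. The script below is an added example, not part of the post or the OpenMediaVault plugin: it generates both pieces from the post's values (client LAN 192.168.100.0/255.255.255.0, CN 'client', ccd directory /etc/openvpn/ccd are assumptions taken from the post) and refuses to write them if the address is not a real network address or if the client LAN overlaps the server LAN, since overlapping LANs cannot be told apart by a static route.

```shell
#!/bin/sh
# Added example, not the post's or the plugin's own code.
# Generates the OpenVPN server-side LAN-to-LAN pieces and sanity-checks them first.
# Usage: sh l2l-server.sh <ccd dir> <client CN> <client net> <client mask> <server net> <server mask>

ip_to_int() {
    # Convert a dotted quad to a 32-bit integer; fails on malformed input.
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            *[!0-9]*|'') return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

is_network() {
    # True when $1 is a network address under mask $2 (all host bits zero).
    n=$(ip_to_int "$1") || return 1
    m=$(ip_to_int "$2") || return 1
    [ $(( n & m )) -eq "$n" ]
}

lans_overlap() {
    # True when $1/$2 and $3/$4 share addresses; such a pair cannot be routed apart.
    n1=$(ip_to_int "$1") || return 2
    m1=$(ip_to_int "$2") || return 2
    n2=$(ip_to_int "$3") || return 2
    m2=$(ip_to_int "$4") || return 2
    m=$(( m1 & m2 ))            # the coarser of the two masks
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

l2l_server_extra() {
    # Lines for the plugin's 'Extra settings': tell the server daemon that $1/$2
    # lies behind a client and must be routed via the tun device.
    printf 'client-config-dir ccd\nroute %s %s\n' "$1" "$2"
}

l2l_ccd_entry() {
    # Body of /etc/openvpn/ccd/<common name>: 'iroute' binds that subnet to the
    # client whose certificate carries this common name.
    printf 'iroute %s %s\n' "$1" "$2"
}

write_l2l_server_config() {
    # $1 ccd dir, $2 client CN, $3 client net, $4 client mask, $5 server net, $6 server mask
    ccd_dir=$1; cn=$2; cnet=$3; cmask=$4; snet=$5; smask=$6
    is_network "$cnet" "$cmask" || { echo "client LAN $cnet is not a network address for $cmask" >&2; return 1; }
    is_network "$snet" "$smask" || { echo "server LAN $snet is not a network address for $smask" >&2; return 1; }
    if lans_overlap "$cnet" "$cmask" "$snet" "$smask"; then
        echo "client LAN $cnet/$cmask overlaps server LAN $snet/$smask; renumber one side" >&2
        return 1
    fi
    mkdir -p "$ccd_dir" || return 1
    # the file name must equal the CN of the client's certificate
    l2l_ccd_entry "$cnet" "$cmask" > "$ccd_dir/$cn" || return 1
    # print the lines to paste into Extra settings
    l2l_server_extra "$cnet" "$cmask"
}

if [ $# -eq 6 ]; then
    write_l2l_server_config "$@"
fi
```

    Run as root on the server with the post's values, `sh l2l-server.sh /etc/openvpn/ccd client 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0`, then paste the two printed lines into the Extra settings and restart the service.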



    --- For the OpenVPN 'client' ---
    Based on the OpenVPN client setup I have in the previous posting:
    1. Extract the OpenVPN client zip file contents to the /etc/openvpn directory
    2. Add the following to the bottom of the client.conf file:


    # Network setup scripts
    script-security 2
    up config.script
    down config.script


    3. Copy the existing /etc/openvpn/nat.sh script and call it config.script
    4. Edit the config.script file:


    - Change the 'ROUTE=$(omv_config_get "//services/openvpn/vpn-route")' line to 'ROUTE="192.168.100.0 / 255.255.255.0"'
    - Delete the '$(iptables ${IPTBLARG} POSTROUTING -t nat -s ${!route_network}/${!route_netmask} ${DESTNET} -j MASQUERADE)' line.


    5. update-rc.d openvpn enable
    6. invoke-rc.d openvpn start


    Provided the server configuration has not been done on the OpenMediaVault that is being run as a client, the omv.conf will not be present, so enabling the openvpn service will simply run it as a client.
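    The post's config.script is a trimmed copy of the plugin's nat.sh, which is not shown here, so the following is an added stand-alone up/down script for the client side rather than that file. It does what the post describes for the LAN-to-LAN case: turn on IP forwarding, make sure the server LAN is reachable through the tunnel, and forward traffic between LAN 2 and the tunnel without a MASQUERADE rule (the line the post deletes), so that hosts on LAN 1 see real 192.168.100.x addresses. It assumes the server LAN is 192.168.0.0/24 (LAN 1 in the post) and relies on OpenVPN passing the tun device as $dev and the phase as $script_type, which it does for up/down scripts. DRY_RUN=1 prints the commands instead of running them, so the script can be previewed without root.

```shell
#!/bin/sh
# Added example: OpenVPN up/down script for the LAN-to-LAN client side.
# Not the post's config.script. Install as /etc/openvpn/config.script (chmod +x)
# with 'script-security 2', 'up config.script' and 'down config.script' in client.conf.
# Assumption: the server LAN is 192.168.0.0/24 (LAN 1 in the post).

SERVER_LAN=${SERVER_LAN:-192.168.0.0/24}
DRY_RUN=${DRY_RUN:-0}

run() {
    # Print the command instead of executing it when DRY_RUN=1.
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vpn_up() {
    dev=$1
    # LAN 2 hosts send packets for 192.168.0.0/24 to this box; it must forward them.
    run sysctl -q -w net.ipv4.ip_forward=1
    # Route the server LAN into the tunnel (OpenVPN also installs this when the
    # server pushes 'route'; doing it here keeps the script self-sufficient).
    run ip route replace "$SERVER_LAN" dev "$dev"
    # Accept forwarded traffic in both directions. No MASQUERADE: LAN-to-LAN
    # routing needs the real source addresses on both sides.
    run iptables -I FORWARD -i "$dev" -j ACCEPT
    run iptables -I FORWARD -o "$dev" -j ACCEPT
}

vpn_down() {
    dev=$1
    # Remove only what 'up' added; ip_forward is left as it was so other
    # forwarding duties on the box are not disturbed.
    run iptables -D FORWARD -o "$dev" -j ACCEPT || :
    run iptables -D FORWARD -i "$dev" -j ACCEPT || :
    run ip route del "$SERVER_LAN" dev "$dev" || :
}

# Entry point when OpenVPN invokes the script; $script_type is 'up' or 'down'.
case ${script_type:-} in
    up)   vpn_up "${dev:-$1}" ;;
    down) vpn_down "${dev:-$1}" ;;
    *)    ;;   # run by hand or sourced: functions only
esac
```

    Preview it before enabling the service with `DRY_RUN=1 script_type=up dev=tun0 sh config.script`; the printed commands should contain no nat or MASQUERADE entries.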


    To also support a client sending a username/password as well as the certificate:
    1. Turn this on in the OpenVPN server
    2. Modify the 'auth-user-pass' line in the client.conf file to 'auth-user-pass client.login'
    3. Create a client.login file in the /etc/openvpn directory, along with all of the other files, with the content:


    username
    password



    These changes run OpenVPN as a client on OpenMediaVault, turn on IP forwarding, and change the routing table so that the local network is reachable from the OpenVPN server network.



    All of these changes could be made in the plugin by adding extra settings on the OpenVPN server side for entering a client network IP and subnet mask; the ZIP file with these changes would then already contain everything required.
