Linode Community Forums
PostPosted: Tue Feb 05, 2013 4:12 pm (Newbie; joined Tue Feb 05, 2013; 4 posts)
I have a small network of Linodes, within the same data center and all with their private IP addresses enabled, so I can communicate between these Linodes using the private back-end network. Additionally, I have a separate private network located elsewhere. I am trying to get OpenVPN working to link the two networks, instead of treating each Linode server as its own client on the VPN.

I know that OpenVPN is working. From a third computer I can connect to it and communicate with the external private network, plus I can communicate with the Linode running the OpenVPN client.

What I cannot seem to get working is communication with the two other Linodes. Is this due to IP filtering on the back-end network? Is there any way around it? Or do I need to make each Linode a client on the VPN? I would really like to have only one Linode with its public IP address open to the VPN, and have the other two use the back-end network to talk to the first one and use its OpenVPN link to talk to servers on the second private network.

Hope this is clear; let me know what other information may be helpful (iptables rules, routes, OpenVPN configuration).


PostPosted: Sun Feb 17, 2013 10:10 pm (Newbie; joined Tue Feb 05, 2013; 4 posts)
I have two Linodes in the same data center which can communicate with each other over the private back-end network. I also have a third server, running OpenVPN, separate from and external to the Linodes.

Is it possible to use one Linode as the VPN client and let the second Linode route through the first Linode to communicate with the servers behind the OpenVPN server? Or does the private back-end network filter out that type of traffic?


PostPosted: Sun Feb 17, 2013 10:14 pm (Senior Member; joined Sun Dec 27, 2009; 1038 posts; Colorado, USA)
I love when people ask network questions with nary an IP or network diagram in the post.

It's like trying to describe specific colors without using any real-world examples.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


PostPosted: Mon Feb 18, 2013 8:09 am (Senior Member; joined Wed Mar 17, 2004; 554 posts; Europe; http://www.unixtastic.com)
It's possible, or at least it should be. I've not actually done this.

I'm guessing that you have routing messed up; routing can get pretty messy in situations like this. Or maybe iptables is dropping something.

tcpdump will tell you what's actually happening.


PostPosted: Mon Feb 18, 2013 10:27 am (Newbie; joined Tue Feb 05, 2013; 4 posts)
Linode A:
Private IP: 192.168.133.?/17

Linode B:
Public IP: ?
Private IP: 192.168.173.?/17
VPN IP: 10.8.0.14

Server C:
Private IP: 192.168.100.8

OpenVpn Client D:
VPN IP: 10.8.0.26

OpenVPN Server E:
Private IP: 192.168.100.1
Public IP: ?
VPN IP: 10.8.0.2


Code:
B--A
|
E--C
|
D

The above diagram did not show up correctly when posted. I have edited it, in hopes of clarifying it.

The VPN works fine for B, D, and C. They all communicate with each other very well.
And B and A communicate fine over the private network also.
Neither D, C, nor E can ping A.

tcpdump shows this when run on B (the Linode acting as an OpenVPN client), while pinging from Server C:

Code:
# tcpdump -i eth0 dst 192.168.133.?
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:06:41.916006 IP 192.168.100.8 > 192.168.133.?: ICMP echo request, id 28644, seq 5, length 64
09:06:42.916257 IP 192.168.100.8 > 192.168.133.?: ICMP echo request, id 28644, seq 6, length 64

I get the ICMP packet leaving the Linode, but no response from the second Linode. And on the second Linode, Linode A (which is communicating over its private IP), tcpdump does not see any ICMP packet coming in:

Code:
# tcpdump -i eth0 dst 192.168.133.?
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

Other traffic between A and B shows up in tcpdump, but nothing coming from the VPN.

Anyway, hope this helps.


PostPosted: Mon Feb 18, 2013 1:57 pm (Senior Member; joined Fri Dec 07, 2007; 385 posts; NC, USA)
You need a bunch of static routes in order to accomplish what you are trying to do. For example, on host A you need static routes through host B to both the VPN range and the other private network range. I think every host in your diagram will need at least one static route to fully communicate with all the other hosts.

I think it would be much simpler if you just make everyone connect to the VPN server. Then they can all see each other via their VPN IPs with no special forwarding or routing required. I can't really see a downside - why don't you want to go this route (forgive the pun)?


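The two explanations offered in the thread (a missing static route on A back through B, versus the private segment dropping the packet before it reaches A) predict different tcpdump output on A, and the forwarding model below walks a ping from Server C to Linode A hop by hop under each of them. This is an added example, not code from the original posts: the "?" host octets are filled in as 10 for A and 20 for B purely for illustration, the VPN is collapsed into one shared 10.8.0.0/24 segment, the "source address must belong to the segment" filter is modelled as a hypothesis (the thread does not establish that Linode's back-end network behaves that way), and the masquerade variant is the standard workaround one would try if it does.

```python
"""Hop-by-hop forwarding model of the topology in the thread (added example,
not code from the original post). Names and addresses follow the diagram; the
two "?" host octets are filled in as 10 (Linode A) and 20 (Linode B) purely for
illustration. The VPN is simplified to one shared 10.8.0.0/24 segment, and the
optional "source must belong to this segment" filter on the private network is
a hypothesis about why A never sees the request, not something the thread proves.
"""
from ipaddress import ip_address, ip_interface, ip_network


class Host:
    def __init__(self, name, ifaces, routes=(), forward=False, masquerade=None):
        self.name = name
        self.ifaces = {i: ip_interface(a) for i, a in ifaces.items()}
        self.routes = [(ip_network(n), ip_address(nh)) for n, nh in routes]
        self.forward = forward        # net.ipv4.ip_forward=1
        self.masquerade = masquerade  # egress iface carrying an iptables MASQUERADE rule
        self.nat = {}                 # (translated src, dst) -> original src

    def owns(self, addr):
        return any(addr == a.ip for a in self.ifaces.values())

    def iface_for(self, addr):
        return next((i for i, a in self.ifaces.items() if addr in a.network), None)

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        best = None  # (prefixlen, next hop, egress iface)
        for iface, a in self.ifaces.items():
            if dst in a.network and (best is None or a.network.prefixlen > best[0]):
                best = (a.network.prefixlen, dst, iface)
        for net, nh in self.routes:
            egress = self.iface_for(nh)
            if dst in net and egress and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh, egress)
        return best and best[1:]


class Network:
    def __init__(self, hosts, filtered=()):
        self.hosts = hosts
        self.filtered = [ip_network(n) for n in filtered]

    def host_with(self, addr):
        return next((h for h in self.hosts if h.owns(addr)), None)

    def forward(self, src, dst, at, log, hops=0):
        """Carry one packet from host `at`; return (src, dst) as delivered, or None."""
        if (dst, src) in at.nat:  # reply to a masqueraded packet: undo the SNAT
            dst = at.nat.pop((dst, src))
            log.append(f"{at.name}: de-NAT, now {src} > {dst}")
        if at.owns(dst):
            log.append(f"{at.name}: delivered {src} > {dst}")
            return src, dst
        if hops and not at.forward:
            log.append(f"{at.name}: ip_forward=0, dropped")
            return None
        hop = at.next_hop(dst) if hops <= 8 else None
        if hop is None:
            log.append(f"{at.name}: no route to {dst}, dropped")
            return None
        nh, egress = hop
        segment = at.ifaces[egress].network
        if at.masquerade == egress:
            at.nat[(at.ifaces[egress].ip, dst)] = src
            src = at.ifaces[egress].ip
            log.append(f"{at.name}: SNAT on {egress}, now {src} > {dst}")
        if segment in self.filtered and src not in segment:
            log.append(f"{at.name}: {src} not in {segment}, dropped by segment filter")
            return None
        nxt = self.host_with(nh)
        if nxt is None:
            log.append(f"{at.name}: next hop {nh} unreachable, dropped")
            return None
        log.append(f"{at.name}: {src} > {dst} out {egress} to {nxt.name}")
        return self.forward(src, dst, nxt, log, hops + 1)

    def ping(self, src, dst):
        """Echo request src -> dst and the reply back; return (reply arrived, trace)."""
        src, dst = ip_address(src), ip_address(dst)
        log = []
        req = self.forward(src, dst, self.host_with(src), log)
        rep = req and self.forward(req[1], req[0], self.host_with(req[1]), log)
        return rep is not None, log


def thread_topology(a_route=False, b_masquerade=False, filtered=False):
    """A, B, C and E from the post; D is a plain VPN client and is left out."""
    a = Host("A", {"eth0": "192.168.133.10/17"},
             routes=[("192.168.100.0/24", "192.168.173.20")] if a_route else [])
    b = Host("B", {"eth0": "192.168.173.20/17", "tun0": "10.8.0.14/24"},
             routes=[("192.168.100.0/24", "10.8.0.2")], forward=True,
             masquerade="eth0" if b_masquerade else None)
    e = Host("E", {"eth0": "192.168.100.1/24", "tun0": "10.8.0.2/24"},
             routes=[("192.168.128.0/17", "10.8.0.14")], forward=True)
    c = Host("C", {"eth0": "192.168.100.8/24"}, routes=[("0.0.0.0/0", "192.168.100.1")])
    return Network([a, b, c, e], filtered=["192.168.128.0/17"] if filtered else [])


if __name__ == "__main__":
    cases = {"as posted": {}, "as posted, private segment filtered": {"filtered": True},
             "A has a static route back via B": {"a_route": True},
             "B masquerades onto the private segment": {"b_masquerade": True, "filtered": True}}
    for label, kw in cases.items():
        ok, trace = thread_topology(**kw).ping("192.168.100.8", "192.168.133.10")
        print(f"{label}: {'ping ok' if ok else 'ping fails'}\n   " + "\n   ".join(trace))
```

In the "as posted" run the request is delivered to A and only the reply is lost for want of a route, so A's tcpdump would show the echo request; in the filtered run the packet dies at B's eth0 and A sees nothing, which is the distinction the poster's capture is drawing. Two caveats for anyone reproducing this on real hosts: tcpdump sees ingress frames before the routing decision, so strict rp_filter on A would drop a request from 192.168.100.8 while still showing it in the capture, and the masquerade variant makes every VPN-originated packet appear to A as coming from B, so A-side firewall rules can no longer tell the remote hosts apart.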
PostPosted: Mon Feb 18, 2013 2:37 pm (Senior Newbie; joined Sun Aug 22, 2010; 19 posts)
I've actually accomplished a very similar setup using three private networks. The OpenVPN clients are my home router and my parents' home router. I can address my parents' LAN, and they can address mine. The simplified diagram looks like this:

Code:
many VMs <-----> openvpn server <-----> my home router <-----> my home lan
10.0.0.0/24      10.0.0.1 (lan)         10.0.2.1 (lan)         10.0.2.0/24
                 10.0.1.1 (vpn)         10.0.1.2 (vpn)
                        |
                        +-------------> parents' home router <---> parents' lan
                                        10.0.3.1 (lan)             10.0.3.0/24
                                        10.0.1.3 (vpn)


In this chart, the three routers (OpenVPN server, my home router, parents' home router) maintain static routes to the networks which are not local to them. On the server, I have to hardcode these routes in my network config, but for the two clients, I can push these routes down via OpenVPN. This allows all traffic bound for each network to traverse the OpenVPN pipe in between.


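The three-router layout in the post above, written out as OpenVPN configuration. This is an added example, not the poster's actual files: the client certificate common names home-router and parents-router, topology subnet, the port and the key file names are assumptions. The directives are the standard OpenVPN ones for routing a LAN that sits behind a client: route adds the kernel route on the server, iroute in the per-client file tells the OpenVPN process which client owns that subnet, and push "route ..." installs the far-side routes on each client when it connects.

```conf
# /etc/openvpn/server.conf
# OpenVPN server: 10.0.1.1 on tun0, 10.0.0.1 on the VM LAN
port 1194
proto udp
dev tun
# clients get 10.0.1.2, 10.0.1.3, ... rather than /30 point-to-point pairs
topology subnet
server 10.0.1.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
client-config-dir ccd

# kernel routes on the server for the two LANs that live behind clients
route 10.0.2.0 255.255.255.0
route 10.0.3.0 255.255.255.0

# every client learns where the VM LAN is
push "route 10.0.0.0 255.255.255.0"

keepalive 10 60
persist-key
persist-tun

# /etc/openvpn/ccd/home-router
# file name must equal the client certificate's common name (assumed here)
ifconfig-push 10.0.1.2 255.255.255.0
# this client owns my home LAN ...
iroute 10.0.2.0 255.255.255.0
# ... and is told how to reach my parents' LAN
push "route 10.0.3.0 255.255.255.0"

# /etc/openvpn/ccd/parents-router
ifconfig-push 10.0.1.3 255.255.255.0
iroute 10.0.3.0 255.255.255.0
push "route 10.0.2.0 255.255.255.0"
```

Two things the fragments above do not do for you: each of the three routers still needs net.ipv4.ip_forward=1 and firewall rules that permit forwarding between tun0 and the LAN interface, and the hosts on 10.0.0.0/24 need a route to 10.0.2.0/24 and 10.0.3.0/24 via 10.0.0.1 (the "hardcoded" routes the post mentions), since nothing pushes routes to machines that are not themselves OpenVPN clients. Without the iroute lines OpenVPN accepts the kernel's routed packet but has no idea which client to hand it to and drops it, which is the usual cause of a site-to-site tunnel where pings leave the server but never arrive.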
PostPosted: Mon Feb 18, 2013 2:52 pm (Newbie; joined Tue Feb 05, 2013; 4 posts)
Something about having each Linode as a VPN client seemed like making a hydra, but that does eliminate all the back-end filtering and extra routing issues. From checking with tcpdump, I am fairly certain that the back-end network is filtering out the traffic. I would expect tcpdump to report the incoming ICMP packet even if the server did not know how to route it back, and I can trace the packet to the Linode acting as the OpenVPN client but lose it as soon as it has to go onto the private network.

Making each Linode an OpenVPN client is what I will go with.

Thanks everybody for your time and feedback.

