Servidor Openvpn para atuar como cliente: Conecte-se aos clientes do IP do servidor

A solução foi:

De alguma forma, havia a seguinte regra de firewall direcionando o servidor para a LAN real, em vez da VPN, para alcançar os clientes da VPN que precisavam ser excluídos:

iptables do servidor -t nat -L -n -v - numeros da linha:

Chain PREROUTING (policy ACCEPT 249K packets, 44M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 247K packets, 44M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3954 packets, 273K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3890 packets, 269K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      208 15001 SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:[REDACTED SERVER_REAL_IP]

No servidor: iptables -t nat -D POSTROUTING 1

Et voilà! Tudo funciona ...

Para torná-lo permanente, exclua / comente a linha correspondente em /etc/rc.local .

Obrigado a todos pela sua ajuda!

Veja um exemplo de uma configuração SSL / TLS client-to-client mínima que funciona para a seguinte configuração de rede:

+------------------+            |                                                                 
|                  |            |                                                                 
|                  | 10.132.0.2 |                                                                 
|    Client 1      -------------|                                                                 
|                  |            |                                             +------------------+
|                  |            |                                             |                  |
+------------------+            |104.199.78.27                 130.211.80.223 |                  |
                             /- --------------  The Internet   ---------------|    Client 2      |
                           /-   |                                             |                  |
+------------------+     /-     |                                             |                  |
|                  |   /-       |                                             +------------------+
|                  | /-         |                                                                 
|  OpenVPN server  --------------                                                                 
|                  | 10.132.0.3 |                                                                 
|                  |            |                                                                 
+------------------+            |     

104.199.78.27 é NATted para o 10.132.0.3 interno do servidor OpenVPN. A rede 10.8.0.0/24 será usada para todos os clientes VPN.

Aqui está a configuração do servidor OpenVPN:

tls-server
proto tcp
port 443
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

client-to-client

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20 

Aqui está a configuração do client1:

client
dev tun
proto tcp-client
remote 10.132.0.3 443
resolv-retry infinite

ca ca.crt
cert client1.crt
key client1.key

nobind
persist-key
persist-tun
comp-lzo

status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20      

Aqui está a configuração do client2:

client
dev tun
proto tcp-client
remote 104.199.78.27 443
resolv-retry infinite

ca ca.crt
cert client2.crt
key client2.key

nobind
persist-key
persist-tun
comp-lzo

status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20

Quando tudo está em funcionamento, obtemos a seguinte configuração de IP e roteamento:

server% ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:3971 (3.8 KiB)  TX bytes:3051 (2.9 KiB)

server% ip route show to match 10.8.0.0/24
default via 10.132.0.1 dev eth0 
10.8.0.0/24 via 10.8.0.2 dev tun0     

client1% ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:252 (252.0 B)  TX bytes:252 (252.0 B)

client1% ip route show to match 10.8.0.1
default via 10.132.0.1 dev eth0 
10.8.0.0/24 via 10.8.0.5 dev tun0 

client2% ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.10  P-t-P:10.8.0.9  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:420 (420.0 B)  TX bytes:420 (420.0 B)

client2% ip route show to match 10.8.0.1
default via 10.132.0.1 dev eth0 
10.8.0.0/24 via 10.8.0.9 dev tun0

E, assim, temos conectividade de cliente para cliente:

server% ping -c 1 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=1.45 ms

--- 10.8.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.456/1.456/1.456/0.000 ms
root@server:/etc/openvpn# ping -c 1 10.8.0.10
PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=0.779 ms

--- 10.8.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.779/0.779/0.779/0.000 ms

client1% ping -c 1 10.8.0.10
PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=1.39 ms

--- 10.8.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.392/1.392/1.392/0.000 ms
root@client1:/etc/openvpn# ping -c 1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.54 ms

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.540/1.540/1.540/0.000 ms

client2% ping -c 1 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=1.12 ms

--- 10.8.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.124/1.124/1.124/0.000 ms
root@client2:/etc/openvpn# ping -c 1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.584 ms

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.584/0.584/0.584/0.000 ms