So I have 3 OpenVPN Access Servers, and downloaded the config for all 3 of them. Then on my Raspberry I ran 3 instances of openvpn (even with a different subnet configured in the Access Servers), one with each of the config files.
My goal is to be able to route incoming traffic to individual devices, e.g. IP_of_Access_Server_1 leads to Client_1 in my network, IP_of_Access_Server_2 leads to Client_2, etc. That's why I have individual instances. For the rest I have 3 entries in my iptables:
sudo iptables -t nat -A PREROUTING -p tcp -d 172.27.232.0/20 --dport 44000 -j DNAT --to-destination 192.168.4.3:44000
sudo iptables -t nat -A PREROUTING -p tcp -d 172.27.248.0/20 --dport 44000 -j DNAT --to-destination 192.168.4.4:44000
sudo iptables -t nat -A PREROUTING -p tcp -d 172.27.200.0/20 --dport 44000 -j DNAT --to-destination 192.168.4.16:44000
The instances seem to start fine, but only 1 instance is really active, so e.g. I can only open the service on Client_1; the others will time out. And it's always the last instance I start that works.
So my guess here is that the route entries get overwritten by the LZ0 commands that the Access Server pushes on start, to something that makes the other 2 not work anymore.
Here is the output of route, when only Device_2 over Access Server 2 is reachable:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.27.248.1 128.0.0.0 UG 0 0 0 tun1
default fritz.box 0.0.0.0 UG 202 0 0 eth0
46.101.139.3 fritz.box 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 172.27.248.1 128.0.0.0 UG 0 0 0 tun1
159.65.121.31 fritz.box 255.255.255.255 UGH 0 0 0 eth0
159.89.109.12 fritz.box 255.255.255.255 UGH 0 0 0 eth0
172.27.200.0 0.0.0.0 255.255.248.0 U 0 0 0 tun2
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 tun0
172.27.248.0 0.0.0.0 255.255.248.0 U 0 0 0 tun1
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
192.168.4.0 0.0.0.0 255.255.255.0 U 303 0 0 wlan0
For clarification (changed to random IPs for anonymization):
46.101.139.3 - Access Server 1
159.65.121.31 - Access Server 2
159.89.109.12 - Access Server 3
Now, when I start the service for tun0 after that, it looks like this, and Device_1 is the only reachable one (over Access Server 1), the others time out:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.27.232.1 128.0.0.0 UG 0 0 0 tun0
default fritz.box 0.0.0.0 UG 202 0 0 eth0
46.101.139.3 fritz.box 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 172.27.232.1 128.0.0.0 UG 0 0 0 tun0
159.65.121.31 fritz.box 255.255.255.255 UGH 0 0 0 eth0
159.89.109.12 fritz.box 255.255.255.255 UGH 0 0 0 eth0
172.27.200.0 0.0.0.0 255.255.248.0 U 0 0 0 tun2
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 tun0
172.27.248.0 0.0.0.0 255.255.248.0 U 0 0 0 tun1
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
192.168.4.0 0.0.0.0 255.255.255.0 U 303 0 0 wlan0
For more clarification, the ifconfig (shortened) of my tun interfaces and wlan (clients have the IPs seen in the iptables entries):
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.27.232.4 netmask 255.255.248.0 destination 172.27.232.4
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.27.248.5 netmask 255.255.248.0 destination 172.27.248.5
tun2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.27.200.3 netmask 255.255.248.0 destination 172.27.200.3
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.4.1 netmask 255.255.255.0 broadcast 192.168.4.255
Sadly my networking skills are not good enough to figure this out (I tried adding some routes manually, tried messing with iptables, but got nowhere) - and I would really appreciate it if anyone could help me out with this.
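The two routing tables above both contain a 0.0.0.0/1 plus 128.0.0.0/1 pair pointing into whichever tunnel came up last (that pair is what a pushed redirect-gateway produces), so any reply whose destination is outside the three tun subnets is sent into the wrong tunnel. The script below is an added example, not code from the post: it reads which tunnel currently owns that pair from a copy of the route output, and prints per-tunnel policy-routing commands so each tunnel's replies leave through that same tunnel regardless of the main table's default route. Interface names, addresses and gateways are taken from the output in the question; tun2's gateway 172.27.200.1 and the table ids 100-102 are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Addresses and interfaces
# come from the question; tun2's gateway and table ids are assumed.

# Route table copied from the question (the tun1 case), as sample input.
SAMPLE_ROUTE='Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.27.248.1 128.0.0.0 UG 0 0 0 tun1
default fritz.box 0.0.0.0 UG 202 0 0 eth0
128.0.0.0 172.27.248.1 128.0.0.0 UG 0 0 0 tun1
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 tun0'

# Which interface owns the pushed 0.0.0.0/1 route (redirect-gateway def1
# pair)? In the question it is always the last tunnel started, so only
# that tunnel's client gets its replies back.  $1: text of `route -n`.
owner_of_half_default() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "128.0.0.0" { print $8; exit }'
}

# Policy routing for one tunnel: a dedicated table whose default route
# points into that tunnel, selected for packets sourced from the tunnel's
# own address (the source a DNAT reply carries after conntrack undoes
# the translation).  $1 iface, $2 tunnel addr, $3 tunnel gateway, $4 table
policy_routing_cmds() {
    printf 'ip route replace default via %s dev %s table %s\n' "$3" "$1" "$4"
    printf 'ip rule add from %s lookup %s priority %s\n' "$2" "$4" "$4"
}

# iface address gateway table (tun2 gateway assumed to be .1 like the others)
TUNNELS='tun0 172.27.232.4 172.27.232.1 100
tun1 172.27.248.5 172.27.248.1 101
tun2 172.27.200.3 172.27.200.1 102'

all_policy_routing_cmds() {
    printf '%s\n' "$TUNNELS" | while read -r ifc addr gw tbl; do
        policy_routing_cmds "$ifc" "$addr" "$gw" "$tbl"
    done
}

# Usage, as root, once all three tunnels are up:
#   all_policy_routing_cmds | sh
# Run `route -n` afterwards and check owner_of_half_default on it; if a
# tunnel still owns the half-default pair, add
#   pull-filter ignore "redirect-gateway"
# to each client config so the servers stop replacing the default route.
```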