  1. #1

    Configuring OpenVPN / IPTABLES / ROUTES


    Dear All,

    I've been trying to configure my vpn for days now without any success. I'm using OpenVPN and followed the provided instructions to the letter. The vpn server has the following characteristics:

    eth0 : public IP
    eth1 : 10.10.10.250
    tun0 : 10.8.0.1

    The server's eth1 connects to a LAN:
    LAN : 10.10.10.0/24

    My objective is to reach the LAN from the Internet when connected to the VPN. At this point I can do the following:

    - connect to the VPN
    - ping eth1 from the Internet when connected to the VPN
    - SSH into LAN from the vpn server (independent of VPN connectivity)

    I cannot:

    - ping or SSH into LAN from the Internet (when connected on the VPN). This is my objective.

    More information:

    - net.ipv4.ip_forward is on

    - output of netstat -r (with Flags, MSS, Window, irtt omitted)
    Destination   Gateway        Genmask         Iface
    10.8.0.0      *              255.255.255.0   tun0
    localnet      *              255.255.255.0   eth0
    10.10.0.0     *              255.255.0.0     eth1
    default       "public ip"    0.0.0.0         eth0
    default       10.10.10.250   0.0.0.0         eth1

    - iptables
    *filter
    # Allow traffic initiated from VPN to access LAN
    -I FORWARD -i tun0 -o eth1 -s 10.8.0.0/24 -d 10.10.10.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow traffic initiated from VPN to access "the world"
    -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow traffic initiated from LAN to access "the world"
    -I FORWARD -i eth1 -o eth0 -s 10.10.10.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow established traffic to pass back and forth
    -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    *nat
    # Masquerade traffic from VPN to "the world" -- done in the nat table
    -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

    # Masquerade traffic from LAN to "the world"
    -t nat -I POSTROUTING -o eth0 -s 10.10.0.0/24 -j MASQUERADE

    Any insight is welcome. Of course if any more info is required I'll be happy to provide it.

    Desperately yours.

  2. #2
    SOLVED: packets from the local network didn't know how to get back in the reverse direction (to 10.8.0.0/24). Just to be perfectly clear, this was not an OpenVPN problem. I added a static route on the 10.10.10.0/24 subnet's default gateway that forwards any traffic destined for the 10.8.0.0/24 subnet to the OpenVPN server.
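The diagnosis in post #2 is an asymmetric-routing problem: the forward path (VPN client to LAN host) works because the OpenVPN server has both subnets directly connected, but the LAN host's reply goes to its own default gateway, which has no route for 10.8.0.0/24 and sends it towards the Internet. The following added example (not code from the thread or from OpenVPN) models the two directions with a small longest-prefix-match router so the failure and the fix can be traced offline. It uses the addresses the page gives (10.8.0.0/24, 10.10.10.0/24, the server's eth1 at 10.10.10.250) and assumes the rest: the LAN gateway at 10.10.10.1, a LAN host at 10.10.10.20, a VPN client at 10.8.0.6 and an ISP next hop 203.0.113.1 are constructed, and the server's routing table is simplified to the entries that matter here.

```python
import copy
import ipaddress

# Addresses from the thread
VPN_NET = "10.8.0.0/24"
LAN_NET = "10.10.10.0/24"
VPN_SERVER_TUN_IP = "10.8.0.1"       # tun0 on the page
VPN_SERVER_LAN_IP = "10.10.10.250"   # eth1 on the page

# Constructed values (assumptions, not from the page)
LAN_GATEWAY_IP = "10.10.10.1"
LAN_HOST_IP = "10.10.10.20"
VPN_CLIENT_IP = "10.8.0.6"
ISP_GATEWAY = "203.0.113.1"

# Each device: the addresses it owns and its routing table as
# (destination network, gateway or None when directly connected).
DEVICES = {
    "vpn-client": {
        "addrs": {VPN_CLIENT_IP},
        # OpenVPN pushes a route for the LAN via the server's tun address
        "routes": [(VPN_NET, None), (LAN_NET, VPN_SERVER_TUN_IP)],
    },
    "vpn-server": {
        "addrs": {VPN_SERVER_TUN_IP, VPN_SERVER_LAN_IP},
        # Simplified from the netstat -r output in post #1
        "routes": [(VPN_NET, None), (LAN_NET, None), ("0.0.0.0/0", ISP_GATEWAY)],
    },
    "lan-host": {
        "addrs": {LAN_HOST_IP},
        "routes": [(LAN_NET, None), ("0.0.0.0/0", LAN_GATEWAY_IP)],
    },
    "lan-gateway": {
        "addrs": {LAN_GATEWAY_IP},
        # Before the fix: knows nothing about 10.8.0.0/24
        "routes": [(LAN_NET, None), ("0.0.0.0/0", ISP_GATEWAY)],
    },
}


def next_hop(routes, dst):
    """Longest-prefix match over a routing table; returns (network, gateway) or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best


def owner(devices, ip):
    """Name of the device holding the address ip, or None if it is outside the model."""
    for name, dev in devices.items():
        if ip in dev["addrs"]:
            return name
    return None


def trace(devices, start, dst, max_hops=8):
    """Follow a packet hop by hop from device `start` towards address `dst`.

    Returns the list of device names visited; the last element is a marker
    string if the packet leaves the modelled network or has no route.
    """
    path = [start]
    cur = start
    for _ in range(max_hops):
        if dst in devices[cur]["addrs"]:
            return path                       # delivered
        route = next_hop(devices[cur]["routes"], dst)
        if route is None:
            return path + ["no route"]
        _, gw = route
        nxt = owner(devices, dst) if gw is None else owner(devices, gw)
        if nxt is None:
            return path + [f"lost beyond {gw or dst}"]
        path.append(nxt)
        cur = nxt
    return path + ["loop"]


def with_return_route(devices):
    """Apply the fix from post #2: static route for the VPN subnet on the LAN gateway."""
    fixed = copy.deepcopy(devices)
    fixed["lan-gateway"]["routes"].append((VPN_NET, VPN_SERVER_LAN_IP))
    return fixed


if __name__ == "__main__":
    print("forward:       ", trace(DEVICES, "vpn-client", LAN_HOST_IP))
    print("return, before:", trace(DEVICES, "lan-host", VPN_CLIENT_IP))
    print("return, after: ", trace(with_return_route(DEVICES), "lan-host", VPN_CLIENT_IP))
```

The forward trace reaches the LAN host in two hops; the return trace before the fix leaves the model at the ISP next hop, which is exactly the symptom of a ping that goes out but never comes back. After the static route is added, the reply reaches the OpenVPN server and is delivered to the client over tun0. The same model also shows why the common alternative of masquerading VPN traffic on eth1 works: the LAN host would then see 10.10.10.250 as the source and never need the extra route, at the cost of hiding the real client address from the LAN.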
