
RE: OpenVPN and IP Forwarding



---- On Tue, 15 Jan 2013 02:23:29 -0800 Bonno Bloksma<b.bloksma@tio.nl> wrote ---- 

 > Hi, 
 >  
 > > I have a machine with an internet connection, it acts as a router for other systems on a private network (192.168.2.0/8). 
 > > I setup a VPN client with openvpn on this machine, the VPN works perfectly, but when connected to the VPN the machine does not route for the private network systems. 
 > > 
 > > I can ping the machine from the private network, but not the other way around. I don't understand why I lose this connection. 
 > > I have a webserver running on the machine and I can view its websites from the private network when the VPN is running, 
 > > but I can't seem to initiate a connection from the machine to the private network. 
 >  
 > Look at the following: 
 > Do the clients connecting via the VPN know what the ip-numbers are on the other side? Do they know to send that traffic via the vpn tunnel and not to the default gateway on the client? 
 > Does the webserver know what to do with the ip-numbers coming from the vpn tunnel? If it sends the answer to the default gateway does the answer end up on a machine that knows what to do with it? 

I have a route table entry to the private network, so after openvpn makes its tun0 interface the default gw, anything heading for 192.168.2.0/8 should work as before, but it doesn't quite work.

 >  
 > Those are the most common problems with VPN traffic. 
 > Look at something like push "route 192.168.2.0 255.255.255.0" in your cfg file on the server to tell the clients where to send traffic. 
 >  
 > > I searched and found some instructions with iptables commands that would allow ip forwarding over the VPN, 
 > > but it didn't seem to make any difference: 
 > > iptables -A FORWARD -s 192.168.2.0/8 -o eth1 -j ACCEPT
 > > iptables -A FORWARD -s 192.168.2.0/8 -o eth1 -j ACCEPT
 > > iptables -t nat -A POSTROUTING -s 192.168.2.0/8 -o eth1 -j MASQUERADE
 >  
 > Masquerading tricks on a VPN are usually only needed if the other side is ALSO using the same, in this case 192.168.2.0, network. 
 >  
 > Bonno Bloksma 

I could be misunderstanding both your suggestions and the situation I am trying to get working... so bear with me. The machines (on the private network) don't know anything about the VPN. My "router", the box running openvpn, is just a VPN client to an external server. This external server provides me an encrypted tunnel and from there traffic reaches the internet. Before installing openvpn, the machines on the private network could reach the internet via my "router". I am hoping for the same ip forwarding to work as before (without any configuration on those private machines). I just want their traffic to be forwarded through the VPN by my "router". I thought if I just configured the VPN properly the traffic from the private network would just be forwarded (along with all other traffic) through the VPN tunnel. Is this a reasonable expectation?

What really seems weird to me is when I bring up the VPN I can't get to the private network machines from my "router", but the private machines can ping and use web and other services running on my "router".

Maybe I should try using the tun0 interface created by openvpn in those iptables commands rather than eth1.

Thanks.


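The setup described in this thread (a LAN behind a box that is itself an OpenVPN client, with the tunnel as default gateway) needs three things on the "router": kernel forwarding enabled, FORWARD rules in both directions between the LAN interface and the tunnel interface, and source NAT on the tunnel interface, because the VPN server only knows the client's tunnel address and has no route back to the private LAN unless one has been configured there. The script below is an added example, not code from the thread or from the OpenVPN project. It assumes the interface names eth1 (LAN side) and tun0 (tunnel) mentioned in the thread, and a /24 mask for the LAN, taken from the "route 192.168.2.0 255.255.255.0" line in the reply; the mask matters because the 0.0.0.0/1 and 128.0.0.0/1 routes that OpenVPN's redirect-gateway def1 installs are more specific than a /8 and would take precedence over it. The conntrack match is assumed to be available, as it is on any current iptables. Rather than applying rules directly, the script emits them for review and includes a checker that flags the usual mistakes, such as masquerading on the LAN-facing interface instead of the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): forwarding a private LAN through an
# OpenVPN *client* tunnel on the "router" box.
# Assumed names (only eth1 and tun0 appear in the thread):
#   LAN_IF  = interface facing the private network
#   VPN_IF  = interface OpenVPN creates (the default gateway once the VPN is up)
#   LAN_NET = private network in CIDR; /24 taken from the reply's
#             "route 192.168.2.0 255.255.255.0" line
LAN_IF="${LAN_IF:-eth1}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Emit the commands rather than running them, so they can be reviewed and
# then applied with:  sh forward.sh | sudo sh
vpn_forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace $LAN_NET dev $LAN_IF
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
EOF
}

# Check a rule set (text on stdin) for the things that make LAN traffic vanish
# into the tunnel. Prints one line per problem; returns 0 when clean, 1 otherwise.
check_rules() {
    rules=$(cat)
    status=0
    # NAT must be applied where packets leave the box: the tunnel interface.
    if ! printf '%s\n' "$rules" | grep -q "POSTROUTING.*-o $VPN_IF .*MASQUERADE"; then
        echo "no MASQUERADE on $VPN_IF: LAN sources enter the tunnel with a private address the far end cannot answer"
        status=1
    fi
    # Replies come back through the tunnel and must be allowed to the LAN.
    if ! printf '%s\n' "$rules" | grep -q "FORWARD -i $VPN_IF -o $LAN_IF"; then
        echo "no FORWARD rule from $VPN_IF to $LAN_IF: replies are dropped when the FORWARD policy is DROP"
        status=1
    fi
    # Without ip_forward the kernel never routes between interfaces at all.
    if ! printf '%s\n' "$rules" | grep -q "ip_forward=1"; then
        echo "net.ipv4.ip_forward not enabled: the box will not route between $LAN_IF and $VPN_IF"
        status=1
    fi
    return $status
}

# Stand-alone use: "sh forward.sh" prints the rules, "sh forward.sh --check"
# runs the generated rules through the checker.
case "${1:-}" in
    --check) vpn_forward_rules | check_rules ;;
    *)       vpn_forward_rules ;;
esac
```

To check rules that are already in place, `iptables-save | check_rules` works with the same function, since iptables-save prints rules in the same argument form. Running the three commands quoted earlier in the thread through it reports all three problems, which matches the symptom described: the LAN can reach the router, but nothing from the LAN ever returns through the tunnel.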