Re: OpenVPN and IP Forwarding
Bonno Bloksma wrote:
> > I have a machine with an internet connection, it acts as a router
> > for other systems on a private network (192.168.2.0/8).
> > I setup a VPN client with openvpn on this machine, the VPN works
> > perfectly, but when connected to the VPN the machine does not
> > route for the private network systems.
> >
> > I can ping the machine from the private network, but not the other
> > way around. I don't understand why I lose this connection.
> > I have a webserver running on the machine and I can view its
> > websites from the private network when the VPN is running,
> > but I can't seem to initiate a connection from the machine to the
> > private network.
> 
> Look at the following:
> Do the clients connecting via the VPN know what the ip-numbers are
> on the other side? Do they know to send that traffic via the vpn
> tunnel and not to the default gateway on the client?
>
> Does the webserver know what to do with the ip-numbers coming from
> the vpn tunnel? If it sends the answer to the default gateway does
> the answer end up on a machine that knows what to do with it?
> 
> Those are the most common problems with VPN traffic.
Good suggestions.
> Look at something like push "route 192.168.2.0 255.255.255.0" in
> your cfg file on the server to tell the clients where to send
> traffic.
For me on my server openvpn side I include a "server" line similar to:
  # Configure server mode.  Equivalent to:
  #  mode server
  #  tls-server
  #  ifconfig 10.0.0.1 10.0.0.2
  #  ifconfig-pool 10.0.0.4 10.0.0.251
  #  route 10.0.0.0 255.255.255.0
  #  push "route 10.0.0.1"
  server 10.0.0.0 255.255.255.0
It is good to always use randomized or unique subnets.  That way all
subnets are always different and unique on both sides of the router so
that packets can be routed.  The 10.0.0.0/24 above is only an example
and should be unique for your installations.
I also have:
  # Set up the client configuration directory so that each client can be
  # assigned a static IP address.
  client-config-dir ccd
  # Configure point-to-point mode in that we do not need to work around
  # ms-windows bugs.  The default is to assume the need to work around
  # ms-windows routing bugs and set up a /30 subnet for each client.
  topology p2p
Then since I also have additional routes I need to push to clients I
also have some additional routes in the server configuration.
  # This router routes to the following subnets.  Push these routes to
  # the clients so that they can route to these subnets too.
  push "route 10.1.2.3.0 255.255.255.0"
  push "route 10.3.2.1.0 255.255.255.0"
And to push DNS information to the clients.  (I use bind9+resolvconf
and so also need to modify the client side to make use of this data.
But if you only use dhclient then this modifies /etc/resolv.conf by
itself appropriately.)
  # Configure the local DNS nameservers to get to the private names.
  push "dhcp-option DNS 10.1.2.3.101"
  push "dhcp-option DNS 10.1.2.3.121"
  push "dhcp-option DOMAIN example.com"
On the server for each client such as for client foo I have a file:
  ccd/foo
  ifconfig-push 10.0.0.2 10.0.0.1
> > I searched and found some instructions with iptables commands that
> > would allow ip forwarding over the VPN,
> > but it didn't seem to make any difference:
> >
> > iptables -A FORWARD -s 192.168.2.0/8 -o eth1 -j ACCEPT
> > iptables -A FORWARD -s 192.168.2.0/8 -o eth1 -j ACCEPT
> > iptables -t nat -A POSTROUTING -s 192.168.2.0/8 -o eth1 -j MASQUERADE
> 
> Masquerading tricks on a VPN are usually only needed if the other
> side is ALSO using the same, in this case 192.168.2.0, network.
Agreed.  Better to use unique subnets on both sides so that routing is
then unambiguous.
Be sure to remove your iptables hacks so that they do not linger and
cause more confusion later.
Bob
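As an added example (not part of the thread above and not OpenVPN project code), here is a small Python checker that reads the kind of server.conf and ccd/ file shown in the reply and flags the two things it points at: every address in a "server" or push "route" line must be a valid IPv4 network, the VPN subnet must not overlap the LAN behind the router (the case where people reach for masquerading), and the LAN itself must be pushed to clients so they send that traffic into the tunnel. The sample config text and ccd contents are constructed; the LAN is assumed to be 192.168.2.0/24, as in the original question.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample server.conf in the style of the reply. The third
# push "route" line carries a five-octet address on purpose so the
# checker has something to reject.
SAMPLE_BAD_CONF = """\
# Configure server mode (the VPN address pool).
server 10.0.0.0 255.255.255.0
client-config-dir ccd
topology p2p
push "route 10.1.2.0 255.255.255.0"
push "route 10.3.2.0 255.255.255.0"
push "route 10.1.2.3.0 255.255.255.0"
push "dhcp-option DOMAIN example.com"
"""

# Same config with the malformed route replaced by a push of the LAN
# that sits behind the router (192.168.2.0/24, from the question).
SAMPLE_GOOD_CONF = SAMPLE_BAD_CONF.replace(
    'push "route 10.1.2.3.0 255.255.255.0"\n',
    'push "route 192.168.2.0 255.255.255.0"\n',
)

# Constructed ccd/foo contents, as in the reply.
SAMPLE_CCD: Dict[str, str] = {"foo": "ifconfig-push 10.0.0.2 10.0.0.1\n"}

# LAN behind the router; /24 is an assumption taken from the question.
LAN = ipaddress.IPv4Network("192.168.2.0/24")


def _strip(line: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def _to_network(addr: str, mask: str, errors: List[str], line: str) -> Optional[ipaddress.IPv4Network]:
    """Build an IPv4 network from an OpenVPN 'address netmask' pair, recording syntax errors."""
    try:
        return ipaddress.IPv4Network((addr, mask), strict=False)
    except ValueError as e:
        errors.append(f"{line!r}: {e}")
        return None


def parse_server_conf(text: str) -> dict:
    """Pull out the directives this checker cares about: server, topology,
    client-config-dir and every push "route ..." line."""
    cfg: dict = {"server": None, "routes": [], "errors": [], "topology": "net30", "ccd": None}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        parts = line.split()
        if parts[0] == "server" and len(parts) == 3:
            cfg["server"] = _to_network(parts[1], parts[2], cfg["errors"], line)
        elif parts[0] == "topology" and len(parts) == 2:
            cfg["topology"] = parts[1]
        elif parts[0] == "client-config-dir" and len(parts) == 2:
            cfg["ccd"] = parts[1]
        elif parts[0] == "push":
            # push "route <net> [<mask>]"; a missing mask means a host route.
            m = re.match(r'push\s+"route\s+(\S+?)(?:\s+(\S+))?"', line)
            if m:
                net = _to_network(m.group(1), m.group(2) or "255.255.255.255", cfg["errors"], line)
                if net is not None:
                    cfg["routes"].append(net)
    return cfg


def check_routing(cfg: dict, lan: ipaddress.IPv4Network) -> List[str]:
    """Report overlapping subnets and a LAN that clients are never told about."""
    findings = list(cfg["errors"])
    vpn = cfg["server"]
    if vpn is None:
        findings.append("no valid 'server' directive found")
        return findings
    if vpn.overlaps(lan):
        findings.append(f"VPN subnet {vpn} overlaps the LAN {lan}; use a unique subnet instead of masquerading")
    if not any(lan.subnet_of(r) for r in cfg["routes"]):
        findings.append(f'LAN {lan} is not pushed to clients; add push "route {lan.network_address} {lan.netmask}"')
    for r in cfg["routes"]:
        if r.overlaps(vpn):
            findings.append(f"pushed route {r} overlaps the VPN subnet {vpn}")
    return findings


def check_ccd(cfg: dict, ccd_files: Dict[str, str]) -> List[str]:
    """Each ifconfig-push address in a ccd/ file must lie inside the VPN subnet."""
    findings: List[str] = []
    for name, text in ccd_files.items():
        for raw in text.splitlines():
            parts = _strip(raw).split()
            if len(parts) == 3 and parts[0] == "ifconfig-push":
                for ip in parts[1:]:
                    try:
                        addr = ipaddress.IPv4Address(ip)
                    except ValueError:
                        findings.append(f"ccd/{name}: bad address {ip!r}")
                        continue
                    if cfg["server"] is not None and addr not in cfg["server"]:
                        findings.append(f"ccd/{name}: {ip} is outside the VPN subnet {cfg['server']}")
    return findings


def audit(conf_text: str, ccd_files: Dict[str, str], lan: ipaddress.IPv4Network) -> List[str]:
    """Run both checks over a server.conf and its ccd/ files."""
    cfg = parse_server_conf(conf_text)
    return check_routing(cfg, lan) + check_ccd(cfg, ccd_files)


if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD_CONF), ("good", SAMPLE_GOOD_CONF)):
        print(f"--- {label} config ---")
        for finding in audit(text, SAMPLE_CCD, LAN) or ["no findings"]:
            print(finding)
```

Run it against a real server.conf by passing the file contents to audit() together with the contents of each file under client-config-dir; the "bad" sample yields one syntax error and one missing-route finding, the "good" sample yields none.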