Re: OpenVPN and IP Forwarding



cletusjenkins wrote:
> I have a route table entry to the private network, so after openvpn
> makes its tun0 interface the default gw, anything heading for
> 192.168.2.0/8 should work as before, but it doesn't quite work.

Do you have firewall rules set up on your server?  If so, then it is
probably blocking packets coming from the tunnel.  For me, by default, I
modified my firewall rules to accept packets from the tunnel.

> I could be misunderstanding both your suggestions and the situation
> I am trying to get working... so bear with me. The machines (on the
> private network) don't know anything about the VPN. My "router", the
> box running openvpn, is just a VPN client to an external
> server. This external server provides me an encrypted tunnel and
> from there traffic reaches the internet.

This is a good clarification.  But still confusing.  I think you need
to give us a block diagram or picture of things.  Because in the above
it reads like you have two machines in your path where most of us
would have only one.  Because you say that you vpn to a server and
that server you vpn'd to provides you access to the internet.  If you
are not using the internet to get to that server then I can only
assume that you have yet another private LAN segment in between.

I think the following would be typical.

  [192.168.2.0/8 subnet of local machines]
    <->
  [192.168.2.X LAN IP address of router]
  [A.B.C.D1 WAN IP address of router1]
    <->
  [Internet] [vpn connection]
    <->
  [A.B.C.D2 WAN IP address of router2]

With the proper routing configuration router2 can now access any
address (or host) on the 192.168.2.0/8 subnet.  And of course the
reverse too.  And hosts on that private subnet can get to the Internet
at large fine using NAT at router1.

> Before installing openvpn, the machines on the private network could
> reach the internet via my "router". I am hoping for the same ip
> forwarding to work as before (without any configuration on those
> private machines) I just want their traffic to be forwarded through
> the VPN by my "router". I thought if I just configured the VPN
> properly the traffic from the private network would just be
> forwarded (along with all other traffic) through the VPN tunnel. Is
> this a reasonable expectation?

Is the above picture relevant?  Do you want all packets on the private
subnet to pop out at router2 instead of router1?  That will be a lower
performance solution because of the extra vpn overhead.

This is a little tricky because after the vpn is established then I
think all you need to do is to change your default route on router1 to
router2.  But that isn't without problems.  This configuration and
the problems with it are documented here:

  http://openvpn.net/index.php/open-source/documentation/howto.html#redirect

I will just point there instead of repeating what is said there.  Is
that what you are wanting to do?  Can be done.  I haven't done it
myself.

> What really seems weird to me is when I bring up the VPN I can't get
> to the private network machines from my "router", but the private
> machines can ping and use web and other services running on my
> "router".

The smallest of details can completely block things.  I debug these by
running tcpdump on every one of the interfaces of the router machine
and also on the client and any remote servers.  By watching how the
packets traverse and where they stop you can usually figure out what
is happening.  But I admit it isn't trivial.

I haven't needed to add any extra iptables rules other than to allow
packets from the tunnel itself.  But if those are blocked then of
course nothing will flow so I assume you have that already.  Otherwise
everything is simply routing commands in the openvpn configuration as
I posted in my other message.  And I doubt those are 100% complete
since there are some other corner cases but those cover what I need.

Bob
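The setup Bob describes (enable forwarding, let packets from the tunnel through the firewall, then point the default route at the VPN with OpenVPN's redirect-gateway option from the linked howto) as a concrete script.  This is an added example, not code from the thread or from the OpenVPN project.  It assumes a Linux router whose LAN is 192.168.2.0/24 on eth1 and whose OpenVPN client interface is tun0, and it masquerades LAN sources behind the tunnel address because a commercial VPN endpoint normally has no route back to a client's private LAN.  Run it with DRY_RUN=1 set to see the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumptions: LAN on eth1
# (192.168.2.0/24), OpenVPN client interface tun0, iptables with conntrack.
# Source this file and call apply_all; set DRY_RUN=1 to only print commands.

LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
VPN_IF="${VPN_IF:-tun0}"
IPT="${IPT:-iptables}"

# Execute a command, or echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The kernel must route between interfaces at all; without this nothing
# is forwarded no matter what the firewall allows.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# FORWARD chain: allow LAN -> tunnel, and only replies tunnel -> LAN.
# Restricting the return direction to ESTABLISHED,RELATED means hosts on
# the far side of the VPN cannot open new connections into the LAN.
forward_rules() {
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$VPN_IF" -j DROP
}

# Assumption: the VPN server knows only the router's tunnel address, so
# LAN sources must be masqueraded as they leave through the tunnel.
nat_rules() {
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

# Apply everything in order.  The default route itself is handed to the
# OpenVPN client with "redirect-gateway def1" in its config (see the
# howto linked above), so it is not set here.
apply_all() {
    enable_forwarding
    forward_rules
    nat_rules
}

# Debug helper in the spirit of "tcpdump on every interface": watch one
# interface with a pcap filter.  Run it once per interface in separate
# terminals, e.g. "trace eth1 'host 192.168.2.10'" and, because the
# source is masqueraded on tun0, "trace tun0 'dst host 1.1.1.1'".
# Where the packets stop is the interface whose rule or route is wrong.
trace() {
    run tcpdump -ni "$1" "$2"
}
```

With DRY_RUN=1 the script prints exactly the sysctl and iptables commands it would run, which is the quickest way to compare them against an existing rule set before adding anything.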
