
network newbie seeks assistance debugging iptables for VPN tunnel



[note: following contains ASCII art in the middle, and footnoted links at the end]

summary: I need to tunnel one SSL VPN (F5, running on one debian host) through another (OpenVPN, running on another debian host), but lose networking (e.g., `ping`) after the F5 VPN connects. I'm not sure whether this is due to my firewall/iptables or VPN configuration, but suspect the former. Unfortunately I am not knowledgeable regarding networking, so I'd appreciate any assistance you could provide.

details:

I need to remotely (off the physical LAN) SSH into some firewalled compute clusters to do environmental modeling (e.g., this[1]). Formerly I could do this from my debian laptop using the cluster-provider-mandated F5VPN[2]. However, access policy changed[3] (notably to require a single registered IP#), so I can no longer do this "directly" (i.e., just running the F5VPN from my laptop). I seek to adapt to the new policy (and resume work on my project) by implementing a VPN tunnel "through" a debian linode. Design details here[4], but my design can be roughly summarized with the following ASCII art (appropriately rendered here[4]):

                     <-MY CONTROL  AGENCY CONTROLLED->
                                                      firewall
+----------+      +-----------+      +---------------+   |   +---------+
| laptop + |      | linode  + |      | remote-access |   |   | cluster |
| F5NAP  + | <--> | OpenVPN + | <--> | website +     | <-|-> | node(s) |
| OpenVPN  |      | security  |      | F5VPN         |   |   |         |
+----------+      +-----------+      +---------------+   |   +---------+

(Implementation details here[5]) The good news is, the following sequence works: I can

1. start an OpenVPN server on the linode[6]
2. start an OpenVPN client on my laptop[7], after which http://www.whatismyip.com shows the IP# of my linode (which is registered)
3. start the F5VPN client (an F5NAP'ed Firefox[8]), and from that still see my linode's IP#.
4. using the F5VPN client, login to the agency's remote-access website, and bring up the F5VPN's control UI (e.g., to start/stop/logout).

The bad news is[9], as soon as I start the F5VPN, and see status==Connected in its web UI, I lose IP networking. I had originally thought this was just a DNS problem, but I cannot even `ping` IP#s, e.g.,

    $ ping -c 4 141.101.120.15 # == www.whatismyip.com
    PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.

    --- 141.101.120.15 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3022ms

(The only consolation here is that the network failure kills the tunnel, which causes my client to regain its networking ... but also its access to the registered IP#.)

I had thought that this problem was due to OpenVPN misconfiguration on my part, but now suspect that I need to tweak my server firewall[10] (which is `iptables`, running on Debian 7.8) in order to allow my OpenVPN configuration to work. Unfortunately I don't know enough about IP/TCP/UDP/Linux/Debian networking, so I'd appreciate assistance from someone more knowledgeable.

Apologies if this is a FAQ or LMGTFY, but my websearches have not found anything that seems to match my usecase. Pointers to doc or other educational resources are also appreciated.

TIA, Tom Roche <Tom_Roche@pobox.com>

[1]: https://bitbucket.org/tlroche/aqmeii-na_n2o/wiki/Home
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-aug-2014-policy-change
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-id6
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-server-startup
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-client-startup
[8]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[9]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-network-problem
[10]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
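An added example, not code from the original post or from the linked wiki pages: a POSIX shell script covering the server-side firewall part of the question, i.e. the iptables rules an OpenVPN server on a jumpbox needs before it can relay a client's traffic out of its public interface (accept the OpenVPN port, forward tunnel traffic with the source restricted to the VPN subnet, let replies back in, masquerade, and enable IPv4 forwarding), plus a check that reports which of those rules are absent from an `iptables-save` dump. The interface names eth0/tun0, the subnet 10.8.0.0/24 and port 1194/udp are assumptions (OpenVPN's documented defaults), not values from the poster's configuration, and the sample dump is constructed, not the poster's server_iptables_L.txt.

```shell
#!/bin/sh
# Added example, not from the original post or the linked wiki. Prints the
# iptables rules an OpenVPN server needs to relay its clients' traffic out of
# the public interface, and checks an `iptables-save` dump for them.
# Interface names, subnet and port are ASSUMPTIONS (OpenVPN defaults), not
# values taken from the post; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"           # assumed public interface of the server
TUN_IF="${TUN_IF:-tun0}"           # assumed OpenVPN tunnel interface
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # OpenVPN's default server subnet (assumed)
VPN_PORT="${VPN_PORT:-1194}"       # OpenVPN's default port (assumed)
VPN_PROTO="${VPN_PROTO:-udp}"

# Commands that turn the server into a relay for VPN clients only: the FORWARD
# rule is restricted to VPN_NET so the box does not forward for anyone else,
# and replies are let back in only as RELATED/ESTABLISHED traffic.
apply_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i $WAN_IF -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $TUN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# has_rule RULESET TOKENS: succeed if some line of RULESET contains every
# whitespace-separated token of TOKENS, in any order (iptables-save reorders
# options, so an exact string comparison would be fragile).
has_rule() {
    found=$(printf '%s\n' "$1" | while IFS= read -r line; do
        ok=1
        for tok in $2; do
            case " $line " in *" $tok "*) ;; *) ok=0; break ;; esac
        done
        if [ "$ok" -eq 1 ]; then echo yes; break; fi
    done)
    [ "$found" = yes ]
}

# missing_rules RULESET: print one line per required rule absent from RULESET.
missing_rules() {
    has_rule "$1" "-A INPUT -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT" \
        || echo "INPUT: no ACCEPT for $VPN_PROTO/$VPN_PORT (clients cannot connect)"
    has_rule "$1" "-A FORWARD -i $TUN_IF -o $WAN_IF -j ACCEPT" \
        || echo "FORWARD: no ACCEPT $TUN_IF -> $WAN_IF (client packets dropped)"
    has_rule "$1" "-A FORWARD -i $WAN_IF -o $TUN_IF RELATED,ESTABLISHED -j ACCEPT" \
        || echo "FORWARD: no ACCEPT for replies $WAN_IF -> $TUN_IF"
    has_rule "$1" "-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE" \
        || echo "nat POSTROUTING: no MASQUERADE for $VPN_NET (replies never return)"
}

# Constructed sample of an `iptables-save` dump (not the poster's ruleset): it
# admits SSH and OpenVPN, so clients can connect, but it forwards and NATs
# nothing, so whatever they send through the tunnel is dropped.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT'

if [ "${APPLY:-0}" = 1 ]; then
    apply_commands | sh    # run as root on the OpenVPN server
else
    echo "# rules missing from the sample dump:"
    missing_rules "$SAMPLE_RULES"
    echo "# commands to apply (APPLY=1, as root, to execute):"
    apply_commands
fi
```

On the server itself, `missing_rules "$(iptables-save)"` (after sourcing the script) runs the same check against the live ruleset. The check is a token match: it does not understand chain policies or rule order, so a DROP rule earlier in the chain, or a default policy of DROP with the rule appended after a REJECT, can still defeat a rule this script reports as present; and `sysctl -w` is not persistent across reboots, so `net.ipv4.ip_forward=1` also belongs in /etc/sysctl.conf.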
