topic Re: openvpn routing in Operating System - Linux

openvpn routing

Piotr Kirklewski — Fri, 08 Apr 2011 19:47:49 GMT

Hi there
I have the openvpn server installed end running.
Clients are connecting fine.

I did the following to the firewall and forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -s 10.10.0.0/16 -j MASQUERADE -t nat
iptables -A FORWARD -s 10.10.0.0/16 -j ACCEPT

And I can ping only the 10.10.0.4 server which is the openvpn serwer.

Can anyone please tell me why would that be ?

Regards

Peter

Re: openvpn routing

Joseph L. Casale — Sat, 09 Apr 2011 01:15:05 GMT

Peter,
There is a lot more to this, there is actual openvpn config as well as iptables (since you are using it) config to make this work.

Provide an overview of your topology including subnets to make this easy to answer as well as openvpn versions.

But basically, if you are not interested in making site-to-site connections but instead want only to allow the clients connectivity then if you are using tun devices the traffic appears on the openvpn server from the point-to-point tunnel ip that the openvpn process sets up. So you must provide routing (most easily accomplished by a server side push statement) to expose the remote server side subnet over the p-t-p tunnel to the client, and allow this via iptables and server side routing as well possibly.

As you are masq'ing traffic, I need to know more details before I can really comment specifically.

Re: openvpn routing

Piotr Kirklewski — Sat, 09 Apr 2011 16:02:48 GMT

eth0 Link encap:Ethernet HWaddr 00:0x:xx:xx:xx:xx
inet addr:10.10.0.4 Bcast:10.10.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:213683 errors:0 dropped:0 overruns:0 frame:0
TX packets:142459 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:243448843 (232.1 MiB) TX bytes:58282203 (55.5 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10007 errors:0 dropped:0 overruns:0 frame:0
TX packets:10007 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1157484 (1.1 MiB) TX bytes:1157484 (1.1 MiB)

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.25.25.1 P-t-P:10.25.25.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1936 errors:0 dropped:0 overruns:0 frame:0
TX packets:1972 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:206539 (201.6 KiB) TX bytes:1373185 (1.3 MiB)

openvpn.conf
port 1725
proto udp
dev tun1
script-security 3 system
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/vpn.crt
key /etc/openvpn/vpn/vpn.key
dh /etc/openvpn/vpn001bri/dh-vpn.pem
server 10.25.25.0 255.255.255.0
up "/etc/openvpn/vpn/serverup.sh vpn"
down "/etc/openvpn/vpn/serverdown.sh vpn"
down-pre
ifconfig-pool-persist /etc/openvpn/vpn/ipp.txt
topology subnet
keepalive 10 120
tls-server
tls-auth /etc/openvpn/vpn/ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 30
user root
group root
persist-key
persist-tun
status-version 2
status /etc/openvpn/logs/openvpn-status.log
log /etc/openvpn/logs/openvpn-vpn.log
crl-verify /etc/openvpn/vpn/crl.pem
verb 3
mute 20
management 127.0.0.1 10002
push "route 10.10.0.0 255.255.255.0"

[root@vpn001bri ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.25.25.0 * 255.255.255.0 U 0 0 0 tun1
10.10.0.0 * 255.255.0.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 10.10.0.1 0.0.0.0 UG 0 0 0 eth0

Re: openvpn routing

Piotr Kirklewski — Sat, 09 Apr 2011 16:07:08 GMT

Re: openvpn routing

Joseph L. Casale — Sat, 09 Apr 2011 16:36:15 GMT

Peter,
Here is what i see:
I assume the openvpn version on the server is recent from some of the options, but you never stated, also don't know what the client version is. I don't know what's in your scripts either.

1. You are using Tun devices and in routing mode, so no need to masq traffic, proper routes and iptables will do it!

2. You're internal network on the vpn server is accessible via eth0 10.10.0.4/16, yet your vpn server config pushes a /24 route. Not good, change your server conf to:
push "route 10.10.0.0 255.255.0.0"

3. Route table on vpn server looks good. Client is obviously wrong as per server conf.

4. What is left is the potential for any iptables changes on the server, correct the push/route and send a redacted copy of the iptabels rules.

HTH