vpn and dns/dhcp/firewall not on the same server

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

gloufiglou
OpenVpn Newbie
Posts: 5
Joined: Wed Aug 27, 2014 7:49 am

vpn and dns/dhcp/firewall not on the same server

Post by gloufiglou » Wed Aug 27, 2014 10:31 am

Hi,

My config:

. VPN server = MAYO - OS debian
openvpn installed
ip-wan = 48.xxx.xxx.253 (eth1)
ip-lan = 192.168.1.19 (eth0)
gw = 48.xxx.xxx.249
vpn network = 192.168.3.0/24
ip-vpn server = 192.168.3.1 (tun0)

. DNS/DHCP/Firewall server = GOZO - OS debian
ip-wan = 48.xxx.xxx.251 (eth1)
ip-lan = 192.168.1.2 (eth0)
gw = 48.xxx.xxx.249
internal network = netwhome

. server.conf =
port 1194
proto udp
dev tun0
ca ca.crt
cert mayo.crt
key mayo.key
dh dh1024.pem
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.3.0 255.255.255.0
push "dhcp-option DNS 193.xxx.xxx.xxx"
push "dhcp-option DNS 192.168.1.2"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4

. ccd/client1 conf =
ifconfig-push 192.168.3.5 192.168.3.6
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"

. conf client1 (OS: Windows7) =
client
dev tun
proto udp
remote 48.xxx.xxx.253 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 5
float
route-method exe
route-delay 2

. iptables/rules =
on MAYO = nothing
on GOZO =
ACCEPT all -- 192.168.3.0/24 netwhome/24
port 1194 opened

. GOZO : route -nv =
Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface
0.0.0.0 | 48.xxx.xxx.249 | 0.0.0.0 | UG | 50 | 0 | 0 | eth1
0.0.0.0 | 192.168.1.2 | 0.0.0.0 | UG | 100 | 0 | 0 | eth0
48.xxx.xxx.248 | 0.0.0.0 | 255.255.255.248 | U | 0 | 0 | 0 | eth1
169.254.0.0 | 0.0.0.0 | 255.255.0.0 | U | 1000 | 0 | 0 | eth1
192.168.1.0 | 0.0.0.0 | 255.255.255.0 | U | 0 | 0 | 0 | eth0

. MAYO : route -nv =
Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface
0.0.0.0 | 48.xxx.xxx.249 | 0.0.0.0 | UG | 50 | 0 | 0 | eth1
0.0.0.0 | 192.168.1.2 | 0.0.0.0 | UG | 100 | 0 | 0 | eth0
48.xxx.xxx.248 | 0.0.0.0 | 255.255.255.248 | U | 0 | 0 | 0 | eth1
169.254.0.0 | 0.0.0.0 | 255.255.0.0 | U | 1000 | 0 | 0 | eth0
192.168.1.0 | 0.0.0.0 | 255.255.255.0 | U | 0 | 0 | 0 | eth0
192.168.3.0 | 192.168.3.2 | 255.255.255.0 | UG | 0 | 0 | 0 | tun0
192.168.3.2 | 0.0.0.0 | 255.255.255.255 | UH | 0 | 0 | 0 | tun0

My problem:
. client1 can connect to the VPN server but can't connect to the internet or to the 192.168.1.0 network; only ping and DNS resolution to the VPN server work.
. if I install openvpn on the GOZO server, everything is OK.

Which config/route/firewall is missing (between MAYO/GOZO)?

Any help would be appreciated.
Thanks.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: vpn and dns/dhcp/firewall not on the same server

Post by maikcat » Wed Aug 27, 2014 11:07 am

I think you need to add the following route to gozo:

route add -net 192.168.3.0 255.255.255.0 gw 192.168.1.19

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

gloufiglou
OpenVpn Newbie
Posts: 5
Joined: Wed Aug 27, 2014 7:49 am

Re: vpn and dns/dhcp/firewall not on the same server

Post by gloufiglou » Wed Aug 27, 2014 11:39 am

Thanks Michael.

Now client1 can access the local network, but it still can't access the internet.

Dom

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: vpn and dns/dhcp/firewall not on the same server

Post by maikcat » Wed Aug 27, 2014 12:06 pm

Is your internet gateway configured to NAT traffic from the 3.0 network to the internet?

Michael.

gloufiglou
OpenVpn Newbie
Posts: 5
Joined: Wed Aug 27, 2014 7:49 am

Re: vpn and dns/dhcp/firewall not on the same server

Post by gloufiglou » Wed Aug 27, 2014 12:23 pm

. on gozo and mayo:
/proc/sys/net/ipv4/ip_forward = 1
. on gozo:
iptables -A FORWARD -i eth1 -s 192.168.3.0/24 -d 48.xxx.xxx.251 -j ACCEPT
or
iptables -A FORWARD -i eth1 -s 192.168.3.0/24 -d 48.xxx.xxx.249 -j ACCEPT
didn't fix internet access from 3.0.
But maybe I don't have the correct syntax.

Dom

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: vpn and dns/dhcp/firewall not on the same server

Post by maikcat » Wed Aug 27, 2014 12:48 pm

These are FIREWALL rules, not NAT rules...

use

iptables -L -t nat -v

and post the results here

Michael.

gloufiglou
OpenVpn Newbie
Posts: 5
Joined: Wed Aug 27, 2014 7:49 am

Re: vpn and dns/dhcp/firewall not on the same server

Post by gloufiglou » Wed Aug 27, 2014 12:58 pm

@gozo] # iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 725K packets, 65M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 483K packets, 35M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 108K packets, 8378K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 15214 packets, 1055K bytes)
pkts bytes target prot opt in out source destination
22M 1438M MASQUERADE all -- any eth1 anywhere anywhere

Thanks
Dom

gloufiglou
OpenVpn Newbie
Posts: 5
Joined: Wed Aug 27, 2014 7:49 am

Re: vpn and dns/dhcp/firewall not on the same server

Post by gloufiglou » Wed Aug 27, 2014 1:09 pm

up :

on mayo :
# iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 60491 packets, 11M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 14202 packets, 1175K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3726 packets, 483K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 5013 packets, 556K bytes)
pkts bytes target prot opt in out source destination

I installed:
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE

and now :
iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 4 packets, 572 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth1 192.168.3.0/24 anywhere

and internet access is OK on client1.

Thanks for your help, Michael.
Dom
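As an added example that is not part of the thread, here is a Python check that turns the two fixes above into assertions over captured `route -n` and `iptables -L -t nat -v` output: the return route for the VPN subnet on GOZO (via MAYO's LAN address) and the POSTROUTING MASQUERADE on MAYO's WAN interface. The captures are constructed to mimic the thread's layout, and the WAN gateway address is a placeholder.

```python
import ipaddress

# Constructed captures in the layout of `route -n` / `iptables -L -t nat -v` (not the thread's own output).
GOZO_ROUTES_BEFORE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         48.0.0.249      0.0.0.0         UG    50     0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""
GOZO_ROUTES_AFTER = GOZO_ROUTES_BEFORE + (
    "192.168.3.0     192.168.1.19    255.255.255.0   UG    0      0        0 eth0\n")
MAYO_NAT_BEFORE = """\
Chain POSTROUTING (policy ACCEPT 5013 packets, 556K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
MAYO_NAT_AFTER = MAYO_NAT_BEFORE + (
    "    0     0 MASQUERADE  all  --  any    eth1    192.168.3.0/24       anywhere\n")

def parse_routes(text):
    """Yield (network, gateway, iface) from `route -n` output, skipping header rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue  # "Destination ..." header or a non-route line
        yield ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False), f[1], f[7]

def has_return_route(route_text, vpn_net, via_gateway):
    """GOZO needs a route for the VPN subnet pointing back at MAYO's LAN address."""
    vpn = ipaddress.ip_network(vpn_net)
    return any(net == vpn and gw == via_gateway for net, gw, _ in parse_routes(route_text))

def has_masquerade(nat_text, vpn_net, wan_if):
    """MAYO needs a POSTROUTING MASQUERADE that covers the VPN subnet on its WAN interface."""
    vpn = ipaddress.ip_network(vpn_net)
    for line in nat_text.splitlines():
        f = line.split()  # pkts bytes target prot opt in out source destination
        if len(f) >= 9 and f[2] == "MASQUERADE" and f[6] in (wan_if, "any"):
            if f[7] == "anywhere" or vpn.subnet_of(ipaddress.ip_network(f[7])):
                return True
    return False

def diagnose(gozo_routes, mayo_nat, vpn_net="192.168.3.0/24",
             mayo_lan_ip="192.168.1.19", wan_if="eth1"):
    """Return the commands still missing for the split VPN/gateway setup (empty list = OK)."""
    missing = []
    if not has_return_route(gozo_routes, vpn_net, mayo_lan_ip):
        missing.append(f"GOZO: route add -net {vpn_net} gw {mayo_lan_ip}")
    if not has_masquerade(mayo_nat, vpn_net, wan_if):
        missing.append(f"MAYO: iptables -t nat -A POSTROUTING -s {vpn_net} -o {wan_if} -j MASQUERADE")
    return missing
```

The MASQUERADE on GOZO alone did not help in the thread because MAYO sends client traffic straight out its own eth1 to the upstream gateway, so the check deliberately looks at MAYO's NAT table, not GOZO's.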
