Multicast to remote clients thru VPN

msu0781
OpenVpn Newbie
Posts: 5
Joined: Thu May 11, 2017 7:22 pm

Post by msu0781 » Wed May 24, 2017 5:56 pm

I have set up an OpenVPN server for remote clients to access a server that will be sending them multicast traffic; however, I am unable to receive any multicast traffic. The application makes a successful connection to the server in question, but traffic is not flowing. Is this possible in a TUN setup? I would like to avoid a bridged setup if possible.


NETWORK TOPOLOGY
Internal LAN 172.30.66.0/24

VPN IP 172.30.66.157
Public IP xxx.xxx.xxx.167
VPN TUN IP 10.8.0.1

Router/Firewall/Gateway 172.30.66.1 (Separate server from the VPN server)
Public IP xxx.xxx.xxx.161

Server Config
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.30.66.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
explicit-exit-notify 1

Client Config
client
dev tun
proto udp
remote xxx.xxx.xxx.167 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 4

ROUTING AND FIREWALL INFO

Network and routing info for the gateway/router

eth0      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:34
          inet addr:172.30.66.1  Bcast:172.30.66.255  Mask:255.255.255.0
          inet6 addr: fe80::215:17ff:feb8:e034/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60590989 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124713096 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4959044399 (4.6 GiB)  TX bytes:79112208698 (73.6 GiB)
          Interrupt:28 Memory:da020000-da040000

eth1      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:35
          inet addr:xxx.xxx.xxx.62  Bcast:xxx.xxx.xxx.63  Mask:255.255.255.252
          inet6 addr: fe80::215:17ff:feb8:e035/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143591842 errors:0 dropped:0 overruns:0 frame:0
          TX packets:433909800 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:87043706669 (81.0 GiB)  TX bytes:166155469966 (154.7 GiB)
          Interrupt:36 Memory:da060000-da080000

eth2      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:36
          inet addr:xxx.xxx.xxx.161  Bcast:xxx.xxx.xxx.175  Mask:255.255.255.240
          inet6 addr: fe80::215:17ff:feb8:e036/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:374270778 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2437893 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:158649519904 (147.7 GiB)  TX bytes:552647203 (527.0 MiB)
          Interrupt:36 Memory:da120000-da140000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:688 (688.0 b)  TX bytes:688 (688.0 b)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.60  *               255.255.255.252 U     0      0        0 eth1
xxx.xxx.xxx.160  *               255.255.255.240 U     0      0        0 eth2
172.30.66.0     *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        172.30.66.157   255.255.255.0   UG    0      0        0 eth0
default         xxx.xxx.xxx.61. 0.0.0.0         UG    0      0        0 eth1

Network and routing info for the VPN server

eth2      Link encap:Ethernet  HWaddr A0:36:9F:E2:B3:2E
          inet addr:xxx.xxx.xxx.167  Bcast:xxx.xxx.xxx.175  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2009 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1235747 (1.1 MiB)  TX bytes:462680 (451.8 KiB)

eth3      Link encap:Ethernet  HWaddr A0:36:9F:E2:B3:2F
          inet addr:172.30.66.157  Bcast:172.30.66.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38220 errors:0 dropped:0 overruns:0 frame:0
          TX packets:696 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9821255 (9.3 MiB)  TX bytes:64314 (62.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:424 errors:0 dropped:0 overruns:0 frame:0
          TX packets:424 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:36072 (35.2 KiB)  TX bytes:228498 (223.1 KiB)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.117.52.160  *               255.255.255.240 U     0      0        0 eth2
172.30.66.0     *               255.255.255.0   U     0      0        0 eth3
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
default         Router-Eth0-P 0.0.0.0         UG    0      0        0 eth3

Current IPTABLES on the VPN

Chain INPUT (policy ACCEPT 34819 packets, 9286K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5659 1040K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   115 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    52 ACCEPT     tcp  --  *      *       172.30.66.0/24       0.0.0.0/0           tcp dpt:22
    2   104 ACCEPT     tcp  --  *      *       10.8.0.0/24          0.0.0.0/0           tcp dpt:22
    4   160 DROP       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  eth3   *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1195
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 4 packets, 160 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  3232 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   eth3    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   21  4265 ACCEPT     all  --  eth3   tun+    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 2426 packets, 520K bytes)
 pkts bytes target     prot opt in     out     source               destination
  448  231K ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0

Current IPTABLES on the router/gateway

Chain INPUT (policy ACCEPT 1607 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination
  289  254K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
   10   688 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       172.30.66.0/24       0.0.0.0/0           udp dpt:161
    0     0 ACCEPT     tcp  --  eth0   *       172.30.66.0/24       0.0.0.0/0           tcp dpt:161
 221K   13M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10050
 101M   59G ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6732  431K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  285 12124 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  973 58340 ACCEPT     tcp  --  *      *       172.30.66.0/24       0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
17337 1158K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
 1200  394K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10050
    0     0 ACCEPT     esp  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500
     0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 ACCEPT     2    --  tun0   *       0.0.0.0/0            0.0.0.0/0
 235K   57M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
 5168  226K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02

Chain FORWARD (policy ACCEPT 26053 packets, 1581K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       172.20.176.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.176.64/28    policy match dir out pol ipsec reqid 2 proto 50
  86M   44G ACCEPT     all  --  eth1   *       172.20.168.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 1 proto 50
  39M 1833M ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.168.64/28    policy match dir out pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  eth1   *       172.20.176.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.176.64/28    policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth1   *       172.20.168.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.168.64/28    policy match dir out pol ipsec reqid 1 proto 50
  12M 1317M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
  14M   22G ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 149K 9702K ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
 173K  246M ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 313M  128G ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0
2039K  458M ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.30.66.157       udp dpt:1195 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   eth3    10.8.0.0/24          172.30.66.0/24      ctstate NEW
   28  1568 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED

 
Chain OUTPUT (policy ACCEPT 103K packets, 7158K bytes)
 pkts bytes target     prot opt in     out     source               destination
  46M 5245M ACCEPT     esp  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
   18  2960 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
    0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500
Any help is greatly appreciated. Thanks.
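
An added check, not part of the original post: the router/gateway ruleset above names tun0 and eth3, which appear in the VPN server's ifconfig listing but not in the router's, and those rules show zero packet counters. The Python sketch below flags such rules by comparing each rule's in/out interface against the host's interface list; the function names are hypothetical and the rule text is an excerpt of the listing above.

```python
import re

# Interface names from the router/gateway ifconfig listing in the post.
ROUTER_IFACES = {"eth0", "eth1", "eth2", "lo"}

# Excerpt of the router/gateway `iptables -L -v -n` output from the post.
ROUTER_RULES = """\
Chain INPUT (policy ACCEPT 1607 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   688 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 ACCEPT     2    --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 26053 packets, 1581K bytes)
 pkts bytes target     prot opt in     out     source               destination
  12M 1317M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   eth3    10.8.0.0/24          172.30.66.0/24      ctstate NEW
"""

def iface_exists(pattern, present):
    """iptables treats a trailing '+' as a prefix wildcard (tun+ matches tun0)."""
    if pattern == "*":
        return True
    pattern = pattern.lstrip("!")
    if pattern.endswith("+"):
        return any(name.startswith(pattern[:-1]) for name in present)
    return pattern in present

def dead_rules(listing, present):
    """Return (chain, target, in, out) for rules naming an interface not present."""
    chain, found = None, []
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        cols = line.split()
        # Rule rows: pkts bytes target prot opt in out source destination ...
        if len(cols) < 9 or cols[0] == "pkts":
            continue
        target, in_if, out_if = cols[2], cols[5], cols[6]
        if not (iface_exists(in_if, present) and iface_exists(out_if, present)):
            found.append((chain, target, in_if, out_if))
    return found

if __name__ == "__main__":
    for rule in dead_rules(ROUTER_RULES, ROUTER_IFACES):
        print("no such interface on this host:", rule)
```

Run against the VPN server's interface set (eth2, eth3, lo, tun0) instead, the same three rules resolve, which is where they would take effect.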

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Multicast to remote clients thru VPN

Post by TinCanTech » Wed May 24, 2017 7:23 pm

msu0781 wrote: setup an OpenVPN server for remote clients to access a server that will be sending them multicast traffic
Which multicast did you have in mind?

msu0781
OpenVpn Newbie
Posts: 5
Joined: Thu May 11, 2017 7:22 pm

Re: Multicast to remote clients thru VPN

Post by msu0781 » Wed May 24, 2017 7:39 pm

Thanks for your reply. IP Multicast is what I am looking for.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Multicast to remote clients thru VPN

Post by TinCanTech » Wed May 24, 2017 8:12 pm

So like 224/8?

msu0781
OpenVpn Newbie
Posts: 5
Joined: Thu May 11, 2017 7:22 pm

Re: Multicast to remote clients thru VPN

Post by msu0781 » Wed May 24, 2017 8:15 pm

Yes exactly that.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Multicast to remote clients thru VPN

Post by TinCanTech » Wed May 24, 2017 9:11 pm

Bridge+TAP is probably the easiest solution ..

Comments welcome ..

msu0781
OpenVpn Newbie
Posts: 5
Joined: Thu May 11, 2017 7:22 pm

Re: Multicast to remote clients thru VPN

Post by msu0781 » Wed May 24, 2017 9:48 pm

Ya, I would like to avoid that setup if at all possible, at least the bridge part. I don't mind switching to TAP. Is Bridged + TAP the only way to accomplish this? Is there an IPTABLES setting I am missing? I read that the TTL needs to be increased for multicast, but I am unsure how to do that. Maybe I am missing a prerouting statement from IPTABLES. Again, I am unsure on that one.