NETWORK TOPOLOGY
Internal LAN: 172.30.66.0/24
VPN server: LAN IP 172.30.66.157, public IP xxx.xxx.xxx.167, tunnel (tun0) IP 10.8.0.1
Router/Firewall/Gateway: LAN IP 172.30.66.1, public IP xxx.xxx.xxx.161 (a separate server from the VPN server)
Server Config
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# give clients a route to the internal LAN through the tunnel
push "route 172.30.66.0 255.255.255.0"
# ping every 10 s, declare the peer dead after 120 s (also pushed to clients)
keepalive 10 120
# HMAC on control-channel packets; 0 is the server key direction, clients use 1
tls-auth ta.key 0
cipher AES-256-CBC
# drop privileges after start-up; persist-key/persist-tun keep the unprivileged
# process working across SIGUSR1 restarts
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
# UDP only: tell clients when the server exits or restarts
explicit-exit-notify 1
Client Config
client
dev tun
proto udp
# public address of the VPN server (its eth2 address)
remote xxx.xxx.xxx.167 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# reject a peer whose certificate was not issued for server use
remote-cert-tls server
# control-channel HMAC, client key direction 1
tls-auth ta.key 1
cipher AES-256-CBC
verb 4
ROUTING AND FIREWALL INFO
Network and routing info for the gateway/router
eth0 Link encap:Ethernet HWaddr 00:15:17:B8:E0:34
inet addr:172.30.66.1 Bcast:172.30.66.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:feb8:e034/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60590989 errors:0 dropped:0 overruns:0 frame:0
TX packets:124713096 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4959044399 (4.6 GiB) TX bytes:79112208698 (73.6 GiB)
Interrupt:28 Memory:da020000-da040000
eth1 Link encap:Ethernet HWaddr 00:15:17:B8:E0:35
inet addr:xxx.xxx.xxx.62 Bcast:xxx.xxx.xxx.63 Mask:255.255.255.252
inet6 addr: fe80::215:17ff:feb8:e035/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:143591842 errors:0 dropped:0 overruns:0 frame:0
TX packets:433909800 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:87043706669 (81.0 GiB) TX bytes:166155469966 (154.7 GiB)
Interrupt:36 Memory:da060000-da080000
eth2 Link encap:Ethernet HWaddr 00:15:17:B8:E0:36
inet addr:xxx.xxx.xxx.161 Bcast:xxx.xxx.xxx.175 Mask:255.255.255.240
inet6 addr: fe80::215:17ff:feb8:e036/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:374270778 errors:0 dropped:0 overruns:0 frame:0
TX packets:2437893 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:158649519904 (147.7 GiB) TX bytes:552647203 (527.0 MiB)
Interrupt:36 Memory:da120000-da140000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:688 (688.0 b) TX bytes:688 (688.0 b)
Routing table on the gateway/router:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xxx.xxx.xxx.60 * 255.255.255.252 U 0 0 0 eth1
xxx.xxx.xxx.160 * 255.255.255.240 U 0 0 0 eth2
172.30.66.0 * 255.255.255.0 U 0 0 0 eth0
10.8.0.0 172.30.66.157 255.255.255.0 UG 0 0 0 eth0
default xxx.xxx.xxx.61 0.0.0.0 UG 0 0 0 eth1
Network and routing info for the VPN server (172.30.66.157)
eth2 Link encap:Ethernet HWaddr A0:36:9F:E2:B3:2E
inet addr:xxx.xxx.xxx.167 Bcast:xxx.xxx.xxx.175 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8222 errors:0 dropped:0 overruns:0 frame:0
TX packets:2009 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1235747 (1.1 MiB) TX bytes:462680 (451.8 KiB)
eth3 Link encap:Ethernet HWaddr A0:36:9F:E2:B3:2F
inet addr:172.30.66.157 Bcast:172.30.66.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38220 errors:0 dropped:0 overruns:0 frame:0
TX packets:696 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9821255 (9.3 MiB) TX bytes:64314 (62.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:424 errors:0 dropped:0 overruns:0 frame:0
TX packets:424 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:36072 (35.2 KiB) TX bytes:228498 (223.1 KiB)
Routing table on the VPN server:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
209.117.52.160 * 255.255.255.240 U 0 0 0 eth2
172.30.66.0 * 255.255.255.0 U 0 0 0 eth3
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
default Router-Eth0-P 0.0.0.0 UG 0 0 0 eth3
Firewall rules on the VPN server (iptables -nvL, filter table):
Chain INPUT (policy ACCEPT 34819 packets, 9286K bytes)
pkts bytes target prot opt in out source destination
5659 1040K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 115 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 52 ACCEPT tcp -- * * 172.30.66.0/24 0.0.0.0/0 tcp dpt:22
2 104 ACCEPT tcp -- * * 10.8.0.0/24 0.0.0.0/0 tcp dpt:22
4 160 DROP tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- eth3 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1195
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 4 packets, 160 bytes)
pkts bytes target prot opt in out source destination
24 3232 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ eth3 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
21 4265 ACCEPT all -- eth3 tun+ 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 2426 packets, 520K bytes)
pkts bytes target prot opt in out source destination
448 231K ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
Firewall rules on the gateway/router (iptables -nvL, filter table):
Chain INPUT (policy ACCEPT 1607 packets, 117K bytes)
pkts bytes target prot opt in out source destination
289 254K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
10 688 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth0 * 172.30.66.0/24 0.0.0.0/0 udp dpt:161
0 0 ACCEPT tcp -- eth0 * 172.30.66.0/24 0.0.0.0/0 tcp dpt:161
221K 13M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10050
101M 59G ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6732 431K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
285 12124 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
973 58340 ACCEPT tcp -- * * 172.30.66.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
17337 1158K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
1200 394K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10050
0 0 ACCEPT esp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 ACCEPT 2 -- tun0 * 0.0.0.0/0 0.0.0.0/0
235K 57M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
5168 226K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
Chain FORWARD (policy ACCEPT 26053 packets, 1581K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 * 172.20.176.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.176.64/28 policy match dir out pol ipsec reqid 2 proto 50
86M 44G ACCEPT all -- eth1 * 172.20.168.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 1 proto 50
39M 1833M ACCEPT all -- * eth1 172.30.66.0/24 172.20.168.64/28 policy match dir out pol ipsec reqid 1 proto 50
0 0 ACCEPT all -- eth1 * 172.20.176.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.176.64/28 policy match dir out pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- eth1 * 172.20.168.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 1 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.168.64/28 policy match dir out pol ipsec reqid 1 proto 50
12M 1317M ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
14M 22G ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
149K 9702K ACCEPT all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
173K 246M ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
313M 128G ACCEPT all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0
2039K 458M ACCEPT all -- eth1 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.30.66.157 udp dpt:1195 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth3 10.8.0.0/24 172.30.66.0/24 ctstate NEW
28 1568 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 103K packets, 7158K bytes)
pkts bytes target prot opt in out source destination
46M 5245M ACCEPT esp -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * eth1 0.0.0.0/0 0.0.0.0/0
18 2960 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
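To see what these chains actually do with a given packet rather than reading them by eye, here is an added Python example (not part of the original post) that parses `iptables -nvL` output as pasted above and evaluates a packet against one chain: the first terminal match (ACCEPT/DROP/REJECT) wins, otherwise the chain policy applies. The embedded sample is the VPN server's INPUT chain copied from the listing; the client address 198.51.100.7 and the address 203.0.113.167 (a placeholder for the masked xxx.xxx.xxx.167) are constructed. The simulator understands interface wildcards such as tun+, CIDR source/destination, state/ctstate and tcp/udp spt:/dpt:. A rule carrying any other match (icmp type, tcp flags, policy match, PKTTYPE) is marked unsupported and never matched, so a verdict that would depend on such a rule still needs a manual check.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # jumps to user-defined chains are not followed

@dataclass
class Rule:
    target: str
    proto: str
    iface_in: str
    iface_out: str
    src: str
    dst: str
    match: dict         # "states" / "spt" / "dpt" parsed from the trailing columns
    unsupported: list   # trailing tokens this simulator does not understand
    text: str           # the original listing line

@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    iface_in: Optional[str] = None   # None for locally generated traffic
    iface_out: Optional[str] = None  # only meaningful in FORWARD/OUTPUT
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: str = "NEW"               # conntrack state as the state match sees it

def parse_extras(tokens):
    """Pull state/ctstate and spt/dpt out of the trailing match columns."""
    extra = " ".join(tokens)
    match = {k: int(v) for k, v in re.findall(r"\b([sd]pt):(\d+)", extra)}
    state = re.search(r"\b(?:ct)?state (\S+)", extra)
    if state:
        match["states"] = set(state.group(1).split(","))
    # whatever survives after removing the understood matches is unsupported
    unsupported = re.sub(r"\b(?:ct)?state \S+|\b(?:tcp|udp)(?: [sd]pt:\d+)+", "", extra).split()
    return match, unsupported

def parse_iptables(text):
    """Turn `iptables -nvL` output into {chain name: Chain}."""
    chains, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        head = CHAIN_RE.match(line)
        if head:
            current = chains[head.group(1)] = Chain(head.group(1), head.group(2))
        elif line and not line.startswith("pkts") and current is not None:
            f = line.split()  # pkts bytes target prot opt in out source destination [matches]
            match, unsupported = parse_extras(f[9:])
            current.rules.append(Rule(f[2], f[3], f[5], f[6], f[7], f[8], match, unsupported, line))
    return chains

def iface_matches(pattern, name):
    """'*' matches anything; 'tun+' is a prefix wildcard; otherwise exact."""
    return pattern == "*" or (name is not None and
        (name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern))

def rule_matches(rule, pkt):
    if rule.unsupported:  # never guess about a match we cannot evaluate
        return False
    ports = {"spt": pkt.sport, "dpt": pkt.dport}
    return (rule.proto in ("all", pkt.proto)
            and iface_matches(rule.iface_in, pkt.iface_in)
            and iface_matches(rule.iface_out, pkt.iface_out)
            and ip_address(pkt.src) in ip_network(rule.src, strict=False)
            and ip_address(pkt.dst) in ip_network(rule.dst, strict=False)
            and pkt.state in rule.match.get("states", {pkt.state})
            and all(ports[k] == v for k, v in rule.match.items() if k != "states"))

def evaluate(chain, pkt):
    """First terminal match wins; returns (target, rule), rule None when the policy decided."""
    for rule in chain.rules:
        if rule.target in TERMINAL and rule_matches(rule, pkt):
            return rule.target, rule
    return chain.policy, None

# The VPN server's INPUT chain exactly as listed in the post.
VPN_SERVER_INPUT = """\
Chain INPUT (policy ACCEPT 34819 packets, 9286K bytes)
pkts bytes target prot opt in out source destination
5659 1040K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 115 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 52 ACCEPT tcp -- * * 172.30.66.0/24 0.0.0.0/0 tcp dpt:22
2 104 ACCEPT tcp -- * * 10.8.0.0/24 0.0.0.0/0 tcp dpt:22
4 160 DROP tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- eth3 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1195
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
"""

if __name__ == "__main__":
    chains = parse_iptables(VPN_SERVER_INPUT)
    # 198.51.100.7 is a made-up client; 203.0.113.167 stands in for the masked xxx.xxx.xxx.167
    for iface in ("eth3", "eth2"):
        target, rule = evaluate(chains["INPUT"], Packet("udp", "198.51.100.7", "203.0.113.167", iface, dport=1195))
        print(f"new UDP/1195 on {iface}: {target} via {rule.text if rule else 'chain policy'}")
```

Run against the VPN server's INPUT chain, a new UDP/1195 datagram arriving on eth3 is accepted by the explicit rule, while the same datagram arriving on eth2 (the interface that holds xxx.xxx.xxx.167, the address the client config's `remote` line points at) matches no rule and is accepted only because the chain policy is ACCEPT; an SSH attempt on eth2 hits the DROP rule. That is the kind of distinction an ACCEPT policy hides: were the policy ever changed to DROP, the rule as written would not admit the client's handshake on eth2. The same parser takes the gateway's listing unchanged; its IPsec, icmp type and tcp flags rules simply show up as unsupported.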