Problems with return route
Posted: Thu May 11, 2017 9:52 pm
I have set up an OpenVPN server to directly access additional machines behind my OpenVPN server from several remote clients. I'd also like the machines behind the OpenVPN server to be able to route back to the remote clients. That is where my problem lies. I am able to reach all my machines behind the OpenVPN server, but cannot reach any client machines from any machine behind the OpenVPN server. Another thing I should mention is I do not want any clients' web traffic or anything else going through the VPN. All web-based traffic should go out the clients' default gateway. I only want to be able to access the machines and send some data between the machines.
NETWORK TOPOLOGY
Internal LAN: 172.30.66.0/24
VPN server: LAN IP 172.30.66.157, public IP xxx.xxx.xxx.167, TUN IP 10.8.0.1
Router/Firewall/Gateway (separate server from the VPN server): LAN IP 172.30.66.1, public IP xxx.xxx.xxx.161
Server Config
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.30.66.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
explicit-exit-notify 1
Client Config
client
dev tun
proto udp
remote xxx.xxx.xxx.167 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 4
I have added the route 10.8.0.0/24 via 172.30.66.157 on my gateway and enabled IP forwarding on the VPN server.
Now I have a feeling my firewall is causing this. I've tried several different configurations both on the VPN and on the Router.

So I am unsure what I need to add to IPTABLES for this to work. Any help is greatly appreciated. Thanks.
ROUTING AND FIREWALL INFO
Network and routing info for the gateway/router
eth0 Link encap:Ethernet HWaddr 00:15:17:B8:E0:34
inet addr:172.30.66.1 Bcast:172.30.66.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:feb8:e034/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60590989 errors:0 dropped:0 overruns:0 frame:0
TX packets:124713096 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4959044399 (4.6 GiB) TX bytes:79112208698 (73.6 GiB)
Interrupt:28 Memory:da020000-da040000
eth1 Link encap:Ethernet HWaddr 00:15:17:B8:E0:35
inet addr:xxx.xxx.xxx.62 Bcast:xxx.xxx.xxx.63 Mask:255.255.255.252
inet6 addr: fe80::215:17ff:feb8:e035/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:143591842 errors:0 dropped:0 overruns:0 frame:0
TX packets:433909800 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:87043706669 (81.0 GiB) TX bytes:166155469966 (154.7 GiB)
Interrupt:36 Memory:da060000-da080000
eth2 Link encap:Ethernet HWaddr 00:15:17:B8:E0:36
inet addr:xxx.xxx.xxx.161 Bcast:xxx.xxx.xxx.175 Mask:255.255.255.240
inet6 addr: fe80::215:17ff:feb8:e036/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:374270778 errors:0 dropped:0 overruns:0 frame:0
TX packets:2437893 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:158649519904 (147.7 GiB) TX bytes:552647203 (527.0 MiB)
Interrupt:36 Memory:da120000-da140000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:688 (688.0 b) TX bytes:688 (688.0 b)
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
xxx.xxx.xxx.60 0.0.0.0 255.255.255.252 U 0 0 0 eth1
xxx.xxx.xxx.160 0.0.0.0 255.255.255.240 U 0 0 0 eth2
172.30.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 xxx.xxx.xxx.61 0.0.0.0 UG 0 0 0 eth1
Network and routing info for the VPN server
eth2 Link encap:Ethernet HWaddr A0:36:9F:E2:B3:2E
inet addr:xxx.xxx.xxx.167 Bcast:xxx.xxx.xxx.175 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:64685 errors:0 dropped:0 overruns:0 frame:0
TX packets:25264 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13388218 (12.7 MiB) TX bytes:5637319 (5.3 MiB)
eth3 Link encap:Ethernet HWaddr A0:36:9F:E2:B3:2F
inet addr:172.30.66.157 Bcast:172.30.66.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:292466 errors:0 dropped:0 overruns:0 frame:0
TX packets:23722 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:76736264 (73.1 MiB) TX bytes:9759162 (9.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:29 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2578 (2.5 KiB) TX bytes:2578 (2.5 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:5432 (5.3 KiB)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
xxx.xxx.xxx.160 * 255.255.255.240 U 0 0 0 eth2
172.30.66.0 * 255.255.255.0 U 0 0 0 eth3
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
default Router-Eth0-P 0.0.0.0 UG 0 0 0 eth3
Current IPTABLES on the VPN
Chain INPUT (policy ACCEPT 50 packets, 13479 bytes)
pkts bytes target prot opt in out source destination
92 8184 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- eth3 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ eth3 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth3 tun+ 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 84 packets, 13052 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
Current IPTABLES on the router/gateway
Chain INPUT (policy ACCEPT 1607 packets, 117K bytes)
pkts bytes target prot opt in out source destination
289 254K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
10 688 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth0 * 172.30.66.0/24 0.0.0.0/0 udp dpt:161
0 0 ACCEPT tcp -- eth0 * 172.30.66.0/24 0.0.0.0/0 tcp dpt:161
221K 13M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10050
101M 59G ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6732 431K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
285 12124 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
973 58340 ACCEPT tcp -- * * 172.30.66.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
17337 1158K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
1200 394K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10050
0 0 ACCEPT esp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
235K 57M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
5168 226K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
Chain FORWARD (policy ACCEPT 26053 packets, 1581K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 * 172.20.176.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.176.64/28 policy match dir out pol ipsec reqid 2 proto 50
86M 44G ACCEPT all -- eth1 * 172.20.168.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 1 proto 50
39M 1833M ACCEPT all -- * eth1 172.30.66.0/24 172.20.168.64/28 policy match dir out pol ipsec reqid 1 proto 50
0 0 ACCEPT all -- eth1 * 172.20.176.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.176.64/28 policy match dir out pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- eth1 * 172.20.168.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 1 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.168.64/28 policy match dir out pol ipsec reqid 1 proto 50
12M 1317M ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
14M 22G ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
149K 9702K ACCEPT all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
173K 246M ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
313M 128G ACCEPT all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0
2039K 458M ACCEPT all -- eth1 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 350 ACCEPT udp -- eth1 eth2 0.0.0.0/0 xxx.xxx.xxx.167 udp dpt:1195
0 0 ACCEPT all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 103K packets, 7158K bytes)
pkts bytes target prot opt in out source destination
46M 5245M ACCEPT esp -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * eth1 0.0.0.0/0 0.0.0.0/0
18 2960 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
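Added example (editor's code, not part of the original post or of OpenVPN): a small Python model of the return path the post is asking about, built from the two routing tables and the VPN server's FORWARD chain as pasted above. It walks a NEW packet from a LAN host to a VPN client through the gateway's route and the VPN server's route and FORWARD chain, then the reply back, and reports where it would be dropped. Assumptions: the LAN host 172.30.66.50 and client 10.8.0.6 are invented; the masked public prefix xxx.xxx.xxx.0 is replaced by 203.0.113.0 (RFC 5737); and conntrack state is a label set by hand on each packet (NEW for the first packet, ESTABLISHED for the reply), not real connection tracking.

```python
"""Static return-path check for a routed OpenVPN site.

Added example, not code from the original post. Routing tables and the VPN
server's FORWARD chain are transcribed from the post's dumps; public prefix
xxx.xxx.xxx.0 is replaced by 203.0.113.0 (RFC 5737, an assumption), and the
LAN host / VPN client addresses used below are assumptions too.
"""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over (network, gateway, iface) tuples.
    Returns (gateway, iface); gateway None means directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


# Gateway 172.30.66.1 exactly as pasted: note there is NO 10.8.0.0/24 entry.
POSTED_GATEWAY_ROUTES = [
    ("203.0.113.60/30", None, "eth1"),
    ("203.0.113.160/28", None, "eth2"),
    ("172.30.66.0/24", None, "eth0"),
    ("0.0.0.0/0", "203.0.113.61", "eth1"),
]
# The same table plus the static route the post says was added on the gateway.
GATEWAY_ROUTES = POSTED_GATEWAY_ROUTES + [("10.8.0.0/24", "172.30.66.157", "eth0")]

# VPN server 172.30.66.157 as pasted (net30 topology: 10.8.0.0/24 via 10.8.0.2).
VPN_ROUTES = [
    ("10.8.0.2/32", None, "tun0"),
    ("203.0.113.160/28", None, "eth2"),
    ("172.30.66.0/24", None, "eth3"),
    ("10.8.0.0/24", "10.8.0.2", "tun0"),
    ("0.0.0.0/0", "172.30.66.1", "eth3"),
]


def iface_match(pattern, iface):
    """iptables interface match, including the 'tun+' prefix wildcard."""
    if pattern in (None, "*"):
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def forward_verdict(chain, policy, pkt):
    """First matching rule wins, otherwise the chain policy applies.
    pkt['state'] is a hand-assigned conntrack label, not real tracking."""
    for rule in chain:
        if not iface_match(rule.get("in"), pkt["in"]):
            continue
        if not iface_match(rule.get("out"), pkt["out"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.get("src", "0.0.0.0/0")):
            continue
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.get("dst", "0.0.0.0/0")):
            continue
        if "state" in rule and pkt["state"] not in rule["state"]:
            continue
        return rule["target"]
    return policy


# The VPN server's FORWARD chain as pasted (its policy is ACCEPT).
POSTED_FORWARD = [
    {"in": "tun+", "out": "*", "target": "ACCEPT"},
    {"in": "tun+", "out": "eth3", "state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"in": "eth3", "out": "tun+", "state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
]
# Same chain plus the one rule LAN -> client needs once the policy becomes DROP.
HARDENED_FORWARD = POSTED_FORWARD + [
    {"in": "eth3", "out": "tun+", "src": "172.30.66.0/24", "dst": "10.8.0.0/24",
     "state": {"NEW"}, "target": "ACCEPT"},
]


def trace_lan_to_client(lan_host="172.30.66.50", client="10.8.0.6",
                        gw_routes=GATEWAY_ROUTES, chain=POSTED_FORWARD, policy="ACCEPT"):
    """Follow a NEW packet LAN host -> VPN client and its reply through the
    gateway's route and the VPN server's route + FORWARD chain."""
    if lookup(gw_routes, client) != ("172.30.66.157", "eth0"):
        return f"gateway has no route to {client} via the VPN server"
    out_dev = lookup(VPN_ROUTES, client)[1]
    fwd = {"in": "eth3", "out": out_dev, "src": lan_host, "dst": client, "state": "NEW"}
    verdict = forward_verdict(chain, policy, fwd)
    if verdict != "ACCEPT":
        return f"VPN server FORWARD drops LAN->client NEW ({verdict})"
    back_dev = lookup(VPN_ROUTES, lan_host)[1]
    rep = {"in": out_dev, "out": back_dev, "src": client, "dst": lan_host, "state": "ESTABLISHED"}
    verdict = forward_verdict(chain, policy, rep)
    if verdict != "ACCEPT":
        return f"VPN server FORWARD drops client->LAN reply ({verdict})"
    return f"ok: out via {out_dev}, reply via {back_dev}"


if __name__ == "__main__":
    print(trace_lan_to_client())                                    # passes, but only via policy ACCEPT
    print(trace_lan_to_client(gw_routes=POSTED_GATEWAY_ROUTES))     # the table as pasted has no 10.8.0.0/24
    print(trace_lan_to_client(policy="DROP"))                       # tightening the policy breaks LAN -> client
    print(trace_lan_to_client(chain=HARDENED_FORWARD, policy="DROP"))
```

Two things the model makes visible that the dumps alone do not. First, the VPN server's FORWARD chain passes LAN -> client only because its policy is ACCEPT: the single eth3 -> tun+ rule matches RELATED,ESTABLISHED, so a NEW connection from the LAN into the tunnel is accepted by the policy, not by a rule; the moment the policy is set to DROP (which is where a perimeter box should end up), the extra eth3 -> tun+ NEW rule above is required. Second, the gateway routing table as pasted does not contain the 10.8.0.0/24 via 172.30.66.157 route that the post says was added, so it is worth re-checking with `route -n` on the gateway that the route is really installed and persistent. The same "works only because the policy is ACCEPT" remark applies to the VPN server's INPUT rule, which allows udp dpt:1194 on eth3 while the server listens on 1195 and receives clients on eth2. What this model cannot see is the client end: a host firewall on the remote client that blocks inbound connections on its tun interface produces exactly the symptom in the post and does not appear in any of these dumps.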