Client issue in config - Proper routing rather than NAT/MASQUERADE

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
Post Reply
slime-uk
OpenVpn Newbie
Posts: 5
Joined: Mon Dec 12, 2016 11:55 am

Client issue in config - Proper routing rather than NAT/MASQUERADE

Post by slime-uk » Mon Dec 12, 2016 12:28 pm

Hi,

I've been trying to get OpenVPN setup for months and finally have it working! Except I had to resort to a NAT rule on the client rather than what I consider proper routing. Can somebody assist me that knows more about this than me?

So - I have on my home network (UK) an OpenVPN server running on a Raspberry Pi 3. On my client network which will eventually be a holiday home (in Cyprus), I have an ISP provided router (which I really can't change and not even sure we can configure it) which I will then plug in a DD-WRT router running OpenVPN client.

To simulate this I currently have the Raspberry Pi on my home network and another network setup for me to test. This is currently simulated as a USB 4/3G connection on a router with the said Belkin DD-WRT router plugged into it. It's working through the 4/3G to my home network but I've had to enable NAT on the Belkin OpenVPN config (iptables).

Here's a diagram of what I'm trying to achieve:
Image

This is so my parents (in Cyprus) can leave everything as is, but simply connect another (the new DD-WRT) router from the WAN port into current ISP router LAN port. Then they can simply use VPN by connecting to a new Wi-Fi network. Everything else will be as it was. One main reason for this is they want to use Amazon Fire Stick for TV and I really tried to get OpenVPN for Android on it but it just wan't working - so dual router setup should be better and easier.

So, this is all working as I want - send everything (including DNS) down the OpenVPN tunnel. I just would like to understand exactly what routing info I'm missing. Or how do I configure the client side network routers to overcome this NAT issue (double NAT I guess??)?

I have opened 1194 UDP port into my home network. The pi is configured to forward IPv4. The iptables on the Pi is:

Code: Select all

# Dec 2016 - using this as it also allows internet access and local LAN
iptables -I FORWARD -i tun0 -o eth0 \
        -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
        -j ACCEPT
The home router also has a static route to the VPN network 10.8.0.0/22 via the Raspberry Pi address (192.168.16.16/22).

I have on the (simulated) holiday home main router added a static route to 192.168.20.0/24 via the static LAN address (192.168.10.50) or WAN address on the DD-WRT router. I have also added a rule on the DD-WRT 2nd router to allow it to forward requests to 192.168.10.0/24.

So, here's the IPTABLES on the Belkin DD-WRT which I don't feel is what I really want!

Code: Select all

iptables -I FORWARD -s 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
#This is the line I need for it to work but how to do it without this?
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
If I comment this last line out the VPN connects but I have no route from behind the other router - nothing works. If I add the last line in (as shown) everything works. So when connected to the VPN, browsing shows my home IP and no DNS leak. Traceroutes all look good as I'd expect. I can connect to the first router as everything is as it should be (no VPN).

Can someone explain it to me and help me understand why I need the MASQUERADE? Is there any way around it with dual router client setup?

Thanks so much.

Regards,
Si.

slime-uk
OpenVpn Newbie
Posts: 5
Joined: Mon Dec 12, 2016 11:55 am

Re: Client issue in config - Proper routing rather than NAT/MASQUERADE

Post by slime-uk » Sun Dec 18, 2016 9:05 am

Anyone help please?

TIA :)

slime-uk
OpenVpn Newbie
Posts: 5
Joined: Mon Dec 12, 2016 11:55 am

Re: Client issue in config - Proper routing rather than NAT/MASQUERADE

Post by slime-uk » Tue Jun 13, 2017 10:29 am

Hi,

I started again with a similar configuration but better hardware. I have replaced the Raspberry PI (in the UK) and the Belkin OpenVPN client router with Asus RT-AC68U devices running Kong build of DD-WRT.

The Open VPN server is now on 10.11.12.1 and 1st client (Cyprus) ends up being 10.11.12.2 so the OVPN subnet is now 10.11.12.0/24.

I have updated the diagram with IP/subnet changes in RED.
Image

I still have to enable NAT though (and tick to disable firewall) on the Open VPN client config page in the DD-WRT firmware Cyprus side. The actual SPI firewalls are still running on both routers, I'm just talking about the NAT and use firewall oprions on the Open VPN client page under DD-WRT.

I can get to and administer ALL routers (even the cyprus one surprisingly), so I'd love to get this working without NAT.
I must be missing a 10.11.12.0/24 static route entry on one of the routers but I'm confused about which one. Without NAT option on the client, any windows clients my Mum connects to the Asus in Cyprus can see the VPN tunnel but not get anywhere (all tracerts just timeout from her end). Or, maybe I'm missing an IPTABLES rule somewhere but I see no drop packets in both Asus firewall logs (I set syslogd to medium and log drops). I see lots of telnet drops her end!

I can see, from the UK network, her Asus on the VPN address 10.11.12.2 and of course the Asus here (OVPN server) on 10.11.12.1.

So, without the NAT option on her end, if I SSH into her Asus (on 10.11.12.2) from here, and issue a tracert to any address it seems fine. nslookups also seem fine, but clients connected to it (which I can not administer from here) do not work. I enable NAT as I say and it works.

Help!!

Thanks,
Slime.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4173
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client issue in config - Proper routing rather than NAT/MASQUERADE

Post by TinCanTech » Tue Jun 13, 2017 1:01 pm

slime-uk wrote:without the NAT option on her end, if I SSH into her Asus (on 10.11.12.2) from here, and issue a tracert to any address it seems fine. nslookups also seem fine, but clients connected to it (which I can not administer from here) do not work. I enable NAT as I say and it works
They probably need a route to the VPN subnet ..

slime-uk
OpenVpn Newbie
Posts: 5
Joined: Mon Dec 12, 2016 11:55 am

Re: Client issue in config - Proper routing rather than NAT/MASQUERADE

Post by slime-uk » Tue Jun 13, 2017 2:21 pm

Thanks. I have already added on their ISP provided router 2 routes - but I'm not fully undertstanding this, so I did guess! Here's what I have:

ip rtadd 192.168.50.0/24 gw 192.168.10.250 via LocalNetwork
ip rtadd 10.11.12.0/24 gw 192.168.10.250 via LocalNetwork

My guess was that the ISP provided router would need to know where to send packets destined for 192.168.50.x/24 and the VPN subnet of 10.11.12.x/24 and so I set both to the ISP provided LAN address of the Asus (192.168.10.250).

I'm pretty sure I did similar on the Asus - well I certainly told it what to accept traffic from 192.168.10.x/24 in IPTABLES:

So, this is the firewall script saved in DD-WRT in their Asus (Cyprus side) Open VPN client:
# allow traffic to flow from cyprus main router
iptables -I FORWARD -s 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT

I guessed from what I've read that the DD-WRT openvpn client router would be aware of the 10.11.12.x/24 subnet. I guess it is, but clients connected to it are not? Is that the issue here? It certainly feels that way typing this in!

I do push route from open vpn server too - here's the "additional config" section on the Open VPN server in the UK:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.16.0 255.255.252.0"
push "route 10.11.12.0 255.255.255.0"
server 10.11.12.0 255.255.255.0
dev tun0
keepalive 10 120

Is this the correct approach? What am I missing?

Thanks,
Slime.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4173
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client issue in config - Proper routing rather than NAT/MASQUERADE

Post by TinCanTech » Tue Jun 13, 2017 2:43 pm

Just add the route for the VPN to the target hosts directly.

slime-uk
OpenVpn Newbie
Posts: 5
Joined: Mon Dec 12, 2016 11:55 am

Re: Client issue in config - Proper routing rather than NAT/MASQUERADE

Post by slime-uk » Tue Jun 13, 2017 3:20 pm

Ah. Ok. So in windows it seems you can do a route -p -add. I'll look at this but will need my Mum online to do this later.

What do I use as the gateway?

10.11.12.0 is the subnet to add with a 255.255.255.0 mask but what is the gateway. Do I use 10.11.12.1 or .2 or the true Asus address 192.168.50.1 or the true ADSL router address of 192.168.10.254? Too many routers and networks - I'm confused! Or 192.168.10.250?

Thanks!

Post Reply