Client issue in config - Proper routing rather than NAT/MASQUERADE
Posted: Mon Dec 12, 2016 12:28 pm
Hi,
I've been trying to get OpenVPN set up for months and finally have it working! Except I had to resort to a NAT rule on the client rather than what I consider proper routing. Can somebody who knows more about this than me assist?
So - I have on my home network (UK) an OpenVPN server running on a Raspberry Pi 3. On my client network, which will eventually be a holiday home (in Cyprus), I have an ISP-provided router (which I really can't change and am not even sure we can configure) into which I will then plug a DD-WRT router running the OpenVPN client.
To simulate this I currently have the Raspberry Pi on my home network and another network set up for me to test. This is currently simulated as a USB 4/3G connection on a router with the said Belkin DD-WRT router plugged into it. It's working through the 4/3G to my home network but I've had to enable NAT in the Belkin OpenVPN config (iptables).
Here's a diagram of what I'm trying to achieve:
This is so my parents (in Cyprus) can leave everything as is, but simply connect another (the new DD-WRT) router from its WAN port into the current ISP router's LAN port. Then they can simply use the VPN by connecting to a new Wi-Fi network. Everything else will be as it was. One main reason for this is they want to use an Amazon Fire Stick for TV and I really tried to get OpenVPN for Android on it but it just wasn't working - so a dual router setup should be better and easier.
So, this is all working as I want - send everything (including DNS) down the OpenVPN tunnel. I just would like to understand exactly what routing info I'm missing. Or how do I configure the client-side network routers to overcome this NAT issue (double NAT I guess??)?
I have opened UDP port 1194 into my home network. The Pi is configured to forward IPv4. The iptables on the Pi is:
Code:
# Dec 2016 - using this as it also allows internet access and local LAN
iptables -I FORWARD -i tun0 -o eth0 \
    -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT
The home router also has a static route to the VPN network 10.8.0.0/22 via the Raspberry Pi address (192.168.16.16/22).
I have on the (simulated) holiday home main router added a static route to 192.168.20.0/24 via the static LAN address (192.168.10.50) or WAN address of the DD-WRT router. I have also added a rule on the DD-WRT 2nd router to allow it to forward requests to 192.168.10.0/24.
So, here's the iptables on the Belkin DD-WRT, which I don't feel is what I really want!
Code:
iptables -I FORWARD -s 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
# This is the line I need for it to work, but how to do it without this?
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
If I comment this last line out the VPN connects but I have no route from behind the other router - nothing works. If I add the last line in (as shown) everything works. So when connected to the VPN, browsing shows my home IP and no DNS leak. Traceroutes all look good as I'd expect. I can connect to the first router as everything is as it should be (no VPN).
Can someone explain it to me and help me understand why I need the MASQUERADE? Is there any way around it with a dual router client setup?
Thanks so much.
Regards,
Si.
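Added example, not code from the post above: a small model of the Pi's FORWARD chain and of the client-side MASQUERADE rule, written to show which source address the Pi's rules actually see. The interface names and the rules are the ones posted; the LAN host 192.168.20.10, the destination 8.8.8.8, the client's tunnel address 10.8.0.6 and a DROP default policy on the Pi's FORWARD chain are constructed assumptions (the post does not show the Pi's policy). The point it demonstrates: the Pi only accepts NEW forwarded connections whose source is inside 10.8.0.0/24, so a packet from a host behind the DD-WRT (source 192.168.20.x) only passes once MASQUERADE has rewritten it to the tunnel address; accepting the remote LAN prefix explicitly lets the same packet through without NAT.

```python
"""Toy model of the Pi's FORWARD chain from the post and of the DD-WRT's
MASQUERADE rule. Added example; packet addresses, the tunnel address 10.8.0.6
and the DROP default policy are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, replace as dc_replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    state: str  # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None            # CIDR the source address must fall in
    states: Optional[frozenset] = None   # --ctstate values, if any

    def matches(self, pkt: Packet) -> bool:
        if self.in_if and pkt.in_if != self.in_if:
            return False
        if self.out_if and pkt.out_if != self.out_if:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


# The Pi's FORWARD chain as posted. `iptables -I` inserts at the top, so the
# rule added last (RELATED,ESTABLISHED) is evaluated first.
PI_FORWARD = [
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_if="tun0", out_if="eth0", src="10.8.0.0/24",
         states=frozenset({"NEW"})),
]

# A routed alternative: accept the remote LAN prefix explicitly instead of
# hiding it behind the tunnel address (192.168.20.0/24 is the DD-WRT LAN
# named in the post).
PI_FORWARD_ROUTED = [
    Rule("ACCEPT", in_if="tun0", out_if="eth0", src="192.168.20.0/24",
         states=frozenset({"NEW"})),
] + PI_FORWARD


def forward_verdict(pkt: Packet, chain=PI_FORWARD, policy="DROP") -> str:
    """First matching rule wins; otherwise the chain's default policy applies
    (DROP assumed here, since the post does not show the Pi's policy)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def masquerade(pkt: Packet, tun_addr="10.8.0.6") -> Packet:
    """Model of `iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE` on the
    DD-WRT: a packet leaving via tun1 gets the interface's own address as its
    source (10.8.0.6 is an assumed client tunnel address)."""
    return dc_replace(pkt, src=tun_addr)


def lan_client_packet() -> Packet:
    """A new connection from a host on the DD-WRT's Wi-Fi LAN (192.168.20.10,
    constructed) as it arrives at the Pi on tun0 heading out through eth0."""
    return Packet(src="192.168.20.10", dst="8.8.8.8", in_if="tun0",
                  out_if="eth0", state="NEW")


def lan_client_verdict(with_nat: bool) -> str:
    """Verdict of the Pi's posted chain, with or without the client NAT rule."""
    pkt = lan_client_packet()
    if with_nat:
        pkt = masquerade(pkt)
    return forward_verdict(pkt)


def lan_client_verdict_routed() -> str:
    """Verdict of the routed chain for the un-NATed packet."""
    return forward_verdict(lan_client_packet(), chain=PI_FORWARD_ROUTED)


if __name__ == "__main__":
    print("without MASQUERADE:", lan_client_verdict(False))    # DROP
    print("with MASQUERADE:   ", lan_client_verdict(True))     # ACCEPT
    print("routed, no NAT:    ", lan_client_verdict_routed())  # ACCEPT
```

The firewall rule is only one of the pieces a routed (non-NAT) setup needs. As general OpenVPN practice rather than anything the post states: the server must also be told that 192.168.20.0/24 sits behind this particular client, which in a tun server is a `route 192.168.20.0 255.255.255.0` line in the server config together with an `iroute 192.168.20.0 255.255.255.0` line in that client's file under `client-config-dir`; without the `iroute`, the server discards packets whose source it cannot associate with a client. Finally the home router needs a static route for 192.168.20.0/24 via the Pi, just like the one it already has for 10.8.0.0/22, or replies from the home LAN have no way back into the tunnel.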