NETWORK TOPOLOGY
Internal LAN 172.30.66.0/24
VPN IP 172.30.66.157
Public IP xxx.xxx.xxx.167
VPN TUN IP 10.8.0.1
Router/Firewall/Gateway 172.30.66.1 (separate server from the VPN server)
Public IP xxx.xxx.xxx.161
Server Config
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.30.66.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
explicit-exit-notify 1
Client Config
client
dev tun
proto udp
remote xxx.xxx.xxx.167 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 4
I have added the route 10.8.0.0/24 via 172.30.66.157 on my gateway and enabled IP forwarding on the VPN server.
ROUTING AND FIREWALL INFO
Network and routing info for the gateway/router
Code:
eth0 Link encap:Ethernet HWaddr 00:15:17:B8:E0:34
inet addr:172.30.66.1 Bcast:172.30.66.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:feb8:e034/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60590989 errors:0 dropped:0 overruns:0 frame:0
TX packets:124713096 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4959044399 (4.6 GiB) TX bytes:79112208698 (73.6 GiB)
Interrupt:28 Memory:da020000-da040000
eth1 Link encap:Ethernet HWaddr 00:15:17:B8:E0:35
inet addr:xxx.xxx.xxx.62 Bcast:xxx.xxx.xxx.63 Mask:255.255.255.252
inet6 addr: fe80::215:17ff:feb8:e035/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:143591842 errors:0 dropped:0 overruns:0 frame:0
TX packets:433909800 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:87043706669 (81.0 GiB) TX bytes:166155469966 (154.7 GiB)
Interrupt:36 Memory:da060000-da080000
eth2 Link encap:Ethernet HWaddr 00:15:17:B8:E0:36
inet addr:xxx.xxx.xxx.161 Bcast:xxx.xxx.xxx.175 Mask:255.255.255.240
inet6 addr: fe80::215:17ff:feb8:e036/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:374270778 errors:0 dropped:0 overruns:0 frame:0
TX packets:2437893 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:158649519904 (147.7 GiB) TX bytes:552647203 (527.0 MiB)
Interrupt:36 Memory:da120000-da140000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:688 (688.0 b) TX bytes:688 (688.0 b)
Code:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
xxx.xxx.xxx.60 0.0.0.0 255.255.255.252 U 0 0 0 eth1
xxx.xxx.xxx.160 0.0.0.0 255.255.255.240 U 0 0 0 eth2
172.30.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 xxx.xxx.xxx.61 0.0.0.0 UG 0 0 0 eth1
Code:
eth2 Link encap:Ethernet HWaddr A0:36:9F:E2:B3:2E
inet addr:xxx.xxx.xxx.167 Bcast:xxx.xxx.xxx.175 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:64685 errors:0 dropped:0 overruns:0 frame:0
TX packets:25264 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13388218 (12.7 MiB) TX bytes:5637319 (5.3 MiB)
eth3 Link encap:Ethernet HWaddr A0:36:9F:E2:B3:2F
inet addr:172.30.66.157 Bcast:172.30.66.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:292466 errors:0 dropped:0 overruns:0 frame:0
TX packets:23722 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:76736264 (73.1 MiB) TX bytes:9759162 (9.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:29 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2578 (2.5 KiB) TX bytes:2578 (2.5 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:5432 (5.3 KiB)
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
xxx.xxx.xxx.160 * 255.255.255.240 U 0 0 0 eth2
172.30.66.0 * 255.255.255.0 U 0 0 0 eth3
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
default Router-Eth0-P 0.0.0.0 UG 0 0 0 eth3
Current IPTABLES on the VPN
Code:
Chain INPUT (policy ACCEPT 50 packets, 13479 bytes)
pkts bytes target prot opt in out source destination
92 8184 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- eth3 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ eth3 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth3 tun+ 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 84 packets, 13052 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
Code:
Chain INPUT (policy ACCEPT 1607 packets, 117K bytes)
pkts bytes target prot opt in out source destination
289 254K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
10 688 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth0 * 172.30.66.0/24 0.0.0.0/0 udp dpt:161
0 0 ACCEPT tcp -- eth0 * 172.30.66.0/24 0.0.0.0/0 tcp dpt:161
221K 13M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10050
101M 59G ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6732 431K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
285 12124 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
973 58340 ACCEPT tcp -- * * 172.30.66.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
17337 1158K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
1200 394K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10050
0 0 ACCEPT esp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
235K 57M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
5168 226K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
Chain FORWARD (policy ACCEPT 26053 packets, 1581K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 * 172.20.176.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.176.64/28 policy match dir out pol ipsec reqid 2 proto 50
86M 44G ACCEPT all -- eth1 * 172.20.168.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 1 proto 50
39M 1833M ACCEPT all -- * eth1 172.30.66.0/24 172.20.168.64/28 policy match dir out pol ipsec reqid 1 proto 50
0 0 ACCEPT all -- eth1 * 172.20.176.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.176.64/28 policy match dir out pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- eth1 * 172.20.168.64/28 172.30.66.0/24 policy match dir in pol ipsec reqid 1 proto 50
0 0 ACCEPT all -- * eth1 172.30.66.0/24 172.20.168.64/28 policy match dir out pol ipsec reqid 1 proto 50
12M 1317M ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
14M 22G ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
149K 9702K ACCEPT all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
173K 246M ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
313M 128G ACCEPT all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0
2039K 458M ACCEPT all -- eth1 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 350 ACCEPT udp -- eth1 eth2 0.0.0.0/0 xxx.xxx.xxx.167 udp dpt:1195
0 0 ACCEPT all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 103K packets, 7158K bytes)
pkts bytes target prot opt in out source destination
46M 5245M ACCEPT esp -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * eth1 0.0.0.0/0 0.0.0.0/0
18 2960 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
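An added consistency check, not from the post or from OpenVPN itself, that parses a server config, a client config and the VPN server's `iptables -L -v -n` INPUT chain and flags any mismatch between the port the server listens on, the port the client dials, and the port/interface the firewall rule names; on the constructed sample it reports that the `udp dpt:1194` rule on `eth3` does not cover udp/1195 on the public interface. The public interface name `eth2` is assumed from the ifconfig output above.

```python
import re
# Constructed sample, trimmed from the post: server config, client config and
# the VPN server's INPUT chain as printed by `iptables -L -v -n`.
SERVER_CONF = """port 1195
proto udp
"""
CLIENT_CONF = """proto udp
remote xxx.xxx.xxx.167 1195
"""
INPUT_CHAIN = """Chain INPUT (policy ACCEPT 50 packets, 13479 bytes)
 pkts bytes target prot opt in out source destination
   92  8184 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT udp -- eth3 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
    0     0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
"""

def parse_conf(text):
    # OpenVPN directive -> argument list; first occurrence wins, comments skipped
    conf = {}
    for parts in (line.split() for line in text.splitlines()):
        if parts and not parts[0].startswith(("#", ";")):
            conf.setdefault(parts[0], parts[1:])
    return conf

def parse_chain(text):
    # Returns (chain policy, rules); each rule keeps target, proto, in-iface, dport
    policy = re.search(r"\(policy (\w+)", text).group(1)
    rows = [line.split() for line in text.splitlines()[2:]]
    rules = []
    for f in (r for r in rows if len(r) >= 9):  # skip header/blank lines
        m = re.search(r"dpt:(\d+)", " ".join(f[9:]))
        rules.append(dict(target=f[2], proto=f[3], iface=f[5],
                          dport=int(m.group(1)) if m else None))
    return policy, rules

def check(server, client, chain, public_iface):
    # Strict on purpose: it wants an explicit ACCEPT for proto/port on the public
    # interface (or '*'), so a stale rule is flagged even if policy ACCEPT lets traffic in.
    srv, cli = parse_conf(server), parse_conf(client)
    port, proto = int(srv["port"][0]), srv.get("proto", ["udp"])[0]
    findings = []
    if cli["remote"][1:2] != [str(port)] or cli.get("proto", ["udp"])[0] != proto:
        findings.append("client remote port/proto does not match server")
    policy, rules = parse_chain(chain)
    if not any(r["target"] == "ACCEPT" and r["proto"] == proto and r["dport"] == port
               and r["iface"] in ("*", public_iface) for r in rules):
        findings.append(f"no INPUT ACCEPT for {proto}/{port} on {public_iface}"
                        f" (chain policy is {policy})")
    return findings
```

The finding is informational when the chain policy is ACCEPT, as here, but it becomes a hard failure the moment the policy is tightened to DROP, which is why the stale 1194/eth3 rule is worth correcting now.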