Problems with return route

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
Post Reply
msu0781
OpenVpn Newbie
Posts: 5
Joined: Thu May 11, 2017 7:22 pm

Problems with return route

Post by msu0781 » Thu May 11, 2017 9:52 pm

I have setup an OpenVPN server to directly access additional machines behind my OpenVPN server from several remote clients. I'd also like the machines behind the OpenVPN server to be able to route back to the remote clients. That is where my problem lies. I am able to reach all my machines behind the OpenVPN server, but cannot reach any client machines from any machine behind the OpenVPN server. Another thing I should mention is I do not want any clients web traffic or anything else going thru the VPN. All web based traffic should go out the clients default gateway. I only want to be able to access the machines and send some data between the machines.


NETWORK TOPOLOGY
Internal LAN 172.30.66.0/24

VPN IP 172.30.66.157
Public IP xxx.xxx.xxx.167
VPN TUN IP 10.8.0.1

Router/Firewall/Gateway 172.30.66.1 ( Separate server from the VPN server)
Public IP xxx.xxx.xxx.161

Server Config
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.30.66.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
explicit-exit-notify 1

Client Config
client
dev tun
proto udp
remote xxx.xxx.xxx.167 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 4

I have added the route 10.8.0.0/24 via 172.30.66.157 on my gateway and enabled ipforwarding on the VPN server.

ROUTING AND FIREWALL INFO
Network and routing info for the gateway/router

Code: Select all

eth0      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:34
          inet addr:172.30.66.1  Bcast:172.30.66.255  Mask:255.255.255.0
          inet6 addr: fe80::215:17ff:feb8:e034/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60590989 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124713096 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4959044399 (4.6 GiB)  TX bytes:79112208698 (73.6 GiB)
          Interrupt:28 Memory:da020000-da040000

eth1      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:35
          inet addr:xxx.xxx.xxx.62  Bcast:xxx.xxx.xxx.63  Mask:255.255.255.252
          inet6 addr: fe80::215:17ff:feb8:e035/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143591842 errors:0 dropped:0 overruns:0 frame:0
          TX packets:433909800 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:87043706669 (81.0 GiB)  TX bytes:166155469966 (154.7 GiB)
          Interrupt:36 Memory:da060000-da080000

eth2      Link encap:Ethernet  HWaddr 00:15:17:B8:E0:36
          inet addr:xxx.xxx.xxx.161  Bcast:xxx.xxx.xxx.175  Mask:255.255.255.240
          inet6 addr: fe80::215:17ff:feb8:e036/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:374270778 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2437893 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:158649519904 (147.7 GiB)  TX bytes:552647203 (527.0 MiB)
          Interrupt:36 Memory:da120000-da140000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:688 (688.0 b)  TX bytes:688 (688.0 b)

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
xxx.xxx.xxx.60  0.0.0.0         255.255.255.252 U         0 0          0 eth1
xxx.xxx.xxx.160  0.0.0.0         255.255.255.240 U         0 0          0 eth2
172.30.66.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         xxx.xxx.xxx.61  0.0.0.0         UG        0 0          0 eth1
Network and routing info for the VPN server

Code: Select all

eth2      Link encap:Ethernet  HWaddr A0:36:9F:E2:B3:2E
          inet addr:xxx.xxx.xxx.167  Bcast:xxx.xxx.xxx.175  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64685 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25264 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:13388218 (12.7 MiB)  TX bytes:5637319 (5.3 MiB)

eth3      Link encap:Ethernet  HWaddr A0:36:9F:E2:B3:2F
          inet addr:172.30.66.157  Bcast:172.30.66.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:292466 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23722 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:76736264 (73.1 MiB)  TX bytes:9759162 (9.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2578 (2.5 KiB)  TX bytes:2578 (2.5 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:5432 (5.3 KiB)

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
xxx.xxx.xxx.160  *               255.255.255.240 U     0      0        0 eth2
172.30.66.0     *               255.255.255.0   U     0      0        0 eth3
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
default         Router-Eth0-P 0.0.0.0         UG    0      0        0 eth3
Now I have a feeling my firewall is causing this. I've tried several different configurations both on the VPN and on the Router.

Current IPTABLES on the VPN

Code: Select all

Chain INPUT (policy ACCEPT 50 packets, 13479 bytes)
 pkts bytes target     prot opt in     out     source               destination
   92  8184 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     udp  --  eth3   *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1194
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   eth3    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth3   tun+    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 84 packets, 13052 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
Current IPTABLES on the router/gateway

Code: Select all

Chain INPUT (policy ACCEPT 1607 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination
  289  254K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
   10   688 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       172.30.66.0/24       0.0.0.0/0           udp dpt:161
    0     0 ACCEPT     tcp  --  eth0   *       172.30.66.0/24       0.0.0.0/0           tcp dpt:161
 221K   13M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10050
 101M   59G ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6732  431K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  285 12124 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  973 58340 ACCEPT     tcp  --  *      *       172.30.66.0/24       0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
17337 1158K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
 1200  394K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10050
    0     0 ACCEPT     esp  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500
 235K   57M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
 5168  226K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02

Chain FORWARD (policy ACCEPT 26053 packets, 1581K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       172.20.176.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.176.64/28    policy match dir out pol ipsec reqid 2 proto 50
  86M   44G ACCEPT     all  --  eth1   *       172.20.168.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 1 proto 50
  39M 1833M ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.168.64/28    policy match dir out pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  eth1   *       172.20.176.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.176.64/28    policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth1   *       172.20.168.64/28     172.30.66.0/24      policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth1    172.30.66.0/24       172.20.168.64/28    policy match dir out pol ipsec reqid 1 proto 50
  12M 1317M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
  14M   22G ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 149K 9702K ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
 173K  246M ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 313M  128G ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0
2039K  458M ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    5   350 ACCEPT     udp  --  eth1   eth2    0.0.0.0/0            xxx.xxx.xxx.167      udp dpt:1195
    0     0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 
Chain OUTPUT (policy ACCEPT 103K packets, 7158K bytes)
 pkts bytes target     prot opt in     out     source               destination
  46M 5245M ACCEPT     esp  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
   18  2960 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
    0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500
So I am unsure what I need to add to IPTABLES for this work. Any help is greatly appreciated. Thanks.

Post Reply