Server/client same machine real nat-routing

ostfriese2
OpenVpn Newbie
Posts: 1
Joined: Sat Sep 16, 2017 2:33 pm


Post by ostfriese2 » Sat Sep 16, 2017 3:51 pm

Hello,

I've got OpenVPN running on a Linux IPFire firewall. The goal is to connect a roadwarrior to the server, reach all machines inside the LAN, and route the internet traffic of the LAN clients and the roadwarrior to an OpenVPN client that is connected to a public VPN provider and running on the same machine.
I can't get the proper NAT routing to work.

The firewall has two NICs:
WAN 192.168.178.2/24 (red0)
LAN 172.16.0.4/24 (green0)


If only the server is up, the roadwarrior can connect and can see all machines in the LAN; the public IP of the roadwarrior is the public IP of the machine.

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         gateway         0.0.0.0         UG        0 0          0 red0
10.96.211.0     10.96.211.2     255.255.255.0   UG        0 0          0 tun0
10.96.211.2     *               255.255.255.255 UH        0 0          0 tun0
172.16.0.0      *               255.255.255.0   U         0 0          0 green0
192.168.33.0    10.96.211.2     255.255.255.0   UG        0 0          0 tun0
192.168.178.0   *               255.255.255.0   U         0 0          0 red0
gateway         *               255.255.255.255 UH        0 0          0 red0

If only the client is up, and I do

iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -o tun0 -j MASQUERADE

all machines inside the LAN use the client tunnel; the public IP of all LAN machines is the VPN provider IP.

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.199.1      128.0.0.0       UG        0 0          0 tun0
default         gateway         0.0.0.0         UG        0 0          0 red0
10.0.199.0      *               255.255.255.0   U         0 0          0 tun0
128.0.0.0       10.0.199.1      128.0.0.0       UG        0 0          0 tun0
172.16.0.0      *               255.255.255.0   U         0 0          0 green0
178.162.194.30  gateway         255.255.255.255 UGH       0 0          0 red0
192.168.178.0   *               255.255.255.0   U         0 0          0 red0
gateway         *               255.255.255.255 UH        0 0          0 red0

If server and client are up:

all machines inside the LAN use the client tunnel; the public IP of all LAN machines is the VPN provider IP.
The roadwarrior can't connect.
(Server is now tun0, client is tun1)
and

iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -o tun1 -j MASQUERADE

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.197.1      128.0.0.0       UG        0 0          0 tun1
default         gateway         0.0.0.0         UG        0 0          0 red0
10.0.197.0      *               255.255.255.0   U         0 0          0 tun1
10.96.211.0     10.96.211.2     255.255.255.0   UG        0 0          0 tun0
10.96.211.2     *               255.255.255.255 UH        0 0          0 tun0
128.0.0.0       10.0.197.1      128.0.0.0       UG        0 0          0 tun1
172.16.0.0      *               255.255.255.0   U         0 0          0 green0
178.162.194.30  gateway         255.255.255.255 UGH       0 0          0 red0
192.168.33.0    10.96.211.2     255.255.255.0   UG        0 0          0 tun0
192.168.178.0   *               255.255.255.0   U         0 0          0 red0
gateway         *               255.255.255.255 UH        0 0          0 red0

The only thing that's logical to me is that the roadwarrior can't get an answer, because all the traffic goes through tun1.
I've been googling and working on this for a week. Can't get the proper NAT routing to work.
I'm a programmer, not a networker :-(
Any help is very welcome.


Here is some further information:

Server

#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local 192.168.178.2
dev tun
proto udp
port 1194
script-security 3 system
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.96.211.0 255.255.255.0
tun-mtu 1500
route 192.168.33.0 255.255.255.0
client-to-client
mtu-disc yes
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
cipher AES-256-CBC
auth SHA512
tls-auth /var/ipfire/ovpn/certs/ta.key
comp-lzo
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3

Client

client
proto udp
tun-mtu 1500
fragment 1300
mssfix
cipher AES-256-CBC
ignore-unknown-option ncp-disable # ovpn 2.3 to 2.4 transition
ncp-disable

remote xxxprivacy.com 149
remote xxxprivacy.com 1151
remote xxxperfect-privacy.com 1150
remote xxxperfect-privacy.com 1149
remote xxxperfect-privacy.com 1148
remote xxxperfect-privacy.com 148
remote xxxperfect-privacy.com 151
remote xxxperfect-privacy.com 150

auth SHA512
auth-user-pass /etc/openvpn/password.txt
client
comp-lzo
dev tun
#float
hand-window 120
inactive 604800
mute-replay-warnings
nobind
ns-cert-type server
persist-key
persist-remote-ip
persist-tun
ping 5
ping-restart 120
redirect-gateway def1
remote-random
reneg-sec 3600
resolv-retry 60
route-delay 2
route-method exe
script-security 2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4
tun-ipv6

down /etc/openvpn/update-resolv-conf
up /etc/openvpn/update-resolv-conf

key-direction 1
<ca>
-----BEGIN CERTIFICATE---
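The routing tables in the post show why the roadwarrior stops getting answers once both instances run: the provider client's `redirect-gateway def1` installs `0.0.0.0/1` and `128.0.0.0/1` via tun1, so the server's UDP 1194 replies (source 192.168.178.2) are sent into the provider tunnel instead of out red0. The usual remedy is a policy-routing rule that sends everything sourced from the red0 address through a separate table whose only default route is the real WAN gateway, plus a MASQUERADE rule so the roadwarrior pool leaves through the provider tunnel like the LAN does. The script below is an added example and not the poster's or IPFire's code; the addresses (red0 192.168.178.2, LAN 172.16.0.0/24, server pool 10.96.211.0/24, tun1 as the provider tunnel) are taken from the post, while the gateway address 192.168.178.1, the table number 100 and the rule priority 1000 are placeholders because the post only shows the gateway as "gateway". It runs in dry-run mode by default and prints the commands it would execute; `--apply` runs them.

```shell
#!/bin/sh
# Added example (not from the original post): keep the OpenVPN server's replies
# on red0 while the OpenVPN client (redirect-gateway def1) owns the 0.0.0.0/1
# and 128.0.0.0/1 routes, and NAT the roadwarrior pool out through the
# provider tunnel like the LAN.
#
# Values from the post: red0 192.168.178.2, LAN 172.16.0.0/24, server pool
# 10.96.211.0/24, provider tunnel tun1 when both instances run.
# WAN_GW, TABLE and PRIO are assumptions (the post shows the gateway only
# as "gateway"); adjust them to the real setup.
WAN_IF="${WAN_IF:-red0}"
WAN_IP="${WAN_IP:-192.168.178.2}"
WAN_GW="${WAN_GW:-192.168.178.1}"   # placeholder: the real red0 next hop
PROVIDER_IF="${PROVIDER_IF:-tun1}"
LAN_NET="172.16.0.0/24"
RW_NET="10.96.211.0/24"
TABLE=100                           # placeholder: any unused routing table
PRIO=1000                           # placeholder: rule priority below 32766 (main)
DRY_RUN="${DRY_RUN:-1}"             # 1 = only print the commands that would run

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "ip rule add" is not idempotent; report whether the rule already exists.
rule_present() {
    [ "$DRY_RUN" = "1" ] && return 1
    ip rule show | grep -q "from $WAN_IP lookup $TABLE"
}

# Packets sourced from the WAN address (the server's UDP 1194 replies) are
# looked up in table $TABLE, whose only route is the default via red0, so
# they never hit the two /1 routes the provider client installs.
policy_routing_cmds() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    rule_present || run ip rule add from "$WAN_IP" lookup "$TABLE" priority "$PRIO"
}

# Append a POSTROUTING nat rule unless an identical one is already present.
nat_rule() {
    if [ "$DRY_RUN" != "1" ] && iptables -t nat -C POSTROUTING "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t nat -A POSTROUTING "$@"
}

# Forwarded traffic from the roadwarrior pool and the LAN leaves through the
# provider tunnel with the tunnel address as source, as the post already does
# for the LAN alone.
nat_cmds() {
    nat_rule -s "$RW_NET"  -o "$PROVIDER_IF" -j MASQUERADE
    nat_rule -s "$LAN_NET" -o "$PROVIDER_IF" -j MASQUERADE
}

apply_all() {
    policy_routing_cmds
    nat_cmds
}

case "${1:-}" in
    --apply) DRY_RUN=0; apply_all ;;
    --show)  apply_all ;;
esac
```

Two caveats for anyone trying this on IPFire: the distribution regenerates its own iptables rules, so the MASQUERADE lines belong in a hook IPFire re-applies rather than a one-off shell session, and the FORWARD chain must permit tun0 and green0 traffic towards tun1 (the post's LAN-only setup shows it already forwards green0 to the tunnel). Matching on the source address is the simplest rule; if the firewall's own outbound traffic should still go through the provider, a narrower `fwmark`-based rule that marks only the server's UDP 1194 packets is the next step.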
