I've got OpenVPN running on a Linux IPFire firewall. The goal is to connect a roadwarrior to the server, reach all machines inside the LAN, and route the internet traffic of the LAN clients and the roadwarrior through an OpenVPN client, connected to a public VPN provider and running on the same machine.
Can't get the proper NAT routing to work.
The firewall has two NICs:
WAN 192.168.178.2/24 (red0)
LAN 172.16.0.4/24 (green0)
If only the server is up, the roadwarrior can connect, can see all machines in the LAN, and the public IP of the roadwarrior is the public IP of the machine.
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default gateway 0.0.0.0 UG 0 0 0 red0
10.96.211.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
10.96.211.2 * 255.255.255.255 UH 0 0 0 tun0
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
192.168.33.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
If only the client is up, and I do
iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -o tun0 -j MASQUERADE
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.199.1 128.0.0.0 UG 0 0 0 tun0
default gateway 0.0.0.0 UG 0 0 0 red0
10.0.199.0 * 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.0.199.1 128.0.0.0 UG 0 0 0 tun0
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
178.162.194.30 gateway 255.255.255.255 UGH 0 0 0 red0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
All machines inside the LAN use the client tunnel; the public IP of all LAN machines is the VPN provider's IP.
The roadwarrior can't connect.
(The server is now tun0, the client is tun1.)
and
iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -o tun1 -j MASQUERADE
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
default gateway 0.0.0.0 UG 0 0 0 red0
10.0.197.0 * 255.255.255.0 U 0 0 0 tun1
10.96.211.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
10.96.211.2 * 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
178.162.194.30 gateway 255.255.255.255 UGH 0 0 0 red0
192.168.33.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
I've been googling and working on this for a week. Can't get the proper NAT routing to work.
I'm a programmer, not a networker.
Any help is very welcome.
Here is some further information:
Server
#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local 192.168.178.2
dev tun
proto udp
port 1194
script-security 3 system
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.96.211.0 255.255.255.0
tun-mtu 1500
route 192.168.33.0 255.255.255.0
client-to-client
mtu-disc yes
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
cipher AES-256-CBC
auth SHA512
tls-auth /var/ipfire/ovpn/certs/ta.key
comp-lzo
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3
client
proto udp
tun-mtu 1500
fragment 1300
mssfix
cipher AES-256-CBC
ignore-unknown-option ncp-disable # ovpn 2.3 to 2.4 transition
ncp-disable
remote xxxprivacy.com 149
remote xxxprivacy.com 1151
remote xxxperfect-privacy.com 1150
remote xxxperfect-privacy.com 1149
remote xxxperfect-privacy.com 1148
remote xxxperfect-privacy.com 148
remote xxxperfect-privacy.com 151
remote xxxperfect-privacy.com 150
auth SHA512
auth-user-pass /etc/openvpn/password.txt
client
comp-lzo
dev tun
#float
hand-window 120
inactive 604800
mute-replay-warnings
nobind
ns-cert-type server
persist-key
persist-remote-ip
persist-tun
ping 5
ping-restart 120
redirect-gateway def1
remote-random
reneg-sec 3600
resolv-retry 60
route-delay 2
route-method exe
script-security 2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4
tun-ipv6
down /etc/openvpn/update-resolv-conf
up /etc/openvpn/update-resolv-conf
key-direction 1
<ca>
-----BEGIN CERTIFICATE---
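The third routing table in the post (server on tun0, provider client on tun1, both up) already explains why the roadwarrior cannot connect, and the following added example (not code from the post, IPFire or OpenVPN) makes that visible by doing the same longest-prefix lookup the kernel does. The provider's `redirect-gateway def1` installs the two /1 routes (`default ... 128.0.0.0` and `128.0.0.0 ... 128.0.0.0`), which are more specific than the real default via red0, so every destination without a more specific route now leaves through tun1. The provider endpoint 178.162.194.30 gets its own /32 via red0 (that is how the client tunnel avoids routing itself into itself); a roadwarrior's public address does not, so the server's UDP 1194 replies to it are sent into tun1 and the handshake never completes. Assumptions: the routing table is a constructed copy of the one in the post, the WAN gateway that `route` printed as `gateway` is assumed to be 192.168.178.1 (not stated in the post), and 203.0.113.7 is a constructed stand-in (TEST-NET-3) for the roadwarrior's public address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the third routing table in the post (server on tun0,
# provider client on tun1, both up), as printed by `route` without -n.
ROUTE_TABLE = """\
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
default gateway 0.0.0.0 UG 0 0 0 red0
10.0.197.0 * 255.255.255.0 U 0 0 0 tun1
10.96.211.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
10.96.211.2 * 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
178.162.194.30 gateway 255.255.255.255 UGH 0 0 0 red0
192.168.33.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
"""

# `route` printed the WAN gateway by name; its address is not in the post,
# so this mapping is an assumption used only to parse that host route.
ASSUMED_NAMES = {"gateway": "192.168.178.1"}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str  # "*" = directly connected, else next-hop IP or printed name
    iface: str
    flags: str


def parse_route_table(text: str, names=None) -> list:
    """Parse `route` / `route -n` output into Route objects (IPv4 only)."""
    names = names or {}
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner / header line
        dest, gw, mask, flags = parts[:4]
        iface = parts[-1]
        if dest == "default":
            dest = "0.0.0.0"
        dest = names.get(dest, dest)
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # unresolved hostname as destination: cannot be matched
        routes.append(Route(network, gw, iface, flags))
    return routes


def lookup(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match, which is what a plain main-table lookup does."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def egress_iface(routes, dst: str) -> Optional[str]:
    r = lookup(routes, dst)
    return r.iface if r else None


def asymmetric_peers(routes, ingress_iface: str, peers) -> list:
    """Peers whose packets arrive on ingress_iface but whose replies would
    leave through a different interface: the roadwarrior failure mode."""
    return [p for p in peers if egress_iface(routes, p) != ingress_iface]


ROUTES = parse_route_table(ROUTE_TABLE, ASSUMED_NAMES)

if __name__ == "__main__":
    for dst in ("172.16.0.10", "10.96.211.6", "178.162.194.30", "8.8.8.8", "203.0.113.7"):
        print(f"{dst:>15} -> {egress_iface(ROUTES, dst)}")
    # 203.0.113.7 stands in for the roadwarrior's public address (constructed)
    print("reply leaves another interface:",
          asymmetric_peers(ROUTES, "red0", ["178.162.194.30", "203.0.113.7"]))
```

The check shows that only the provider endpoint survives the def1 override; any roadwarrior address ends up in tun1. Because roadwarrior addresses are not static, per-client host routes are the wrong fix; the usual approach is a policy-routing rule that sends traffic sourced from the red0 address (or marked by iptables for the OpenVPN server's UDP port) through a separate table whose default goes via red0, plus a MASQUERADE rule for 10.96.211.0/24 out of tun1 so the roadwarrior's internet traffic also exits through the provider tunnel.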