Access to entire LANs on both ends

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
Post Reply
durwin
OpenVpn Newbie
Posts: 2
Joined: Fri Oct 02, 2015 4:15 pm

Access to entire LANs on both ends

Post by durwin » Thu Nov 09, 2017 5:34 pm

I want to connect to any machine from any machine from either end.
I currently can connect do this *if* I do not run iptables on Home end.
However, I would like to tighten security on my Home by using iptables.
Here is the layout.

Office (172.23.93.0/24)
Router/Firewall
tunnel (10.8.3.0/24)
Router/Firewall
Home (192.168.4.0/24)

Code: Select all

Server Config
port 1196
management localhost 1296
proto udp
dev tun3
ca ca.crt
cert company.crt
key company.key  # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.23.93.0 255.255.255.0"
push "dhcp-option DNS 172.23.93.3"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
client-config-dir ccd
route 192.168.4.0 255.255.255.0 10.8.3.1
push "route 192.168.4.0 255.255.255.0"
keepalive 10 60
cipher AES-128-CBC   # AES
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 1
mute-replay-warnings
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
script-security 2
client-connect /usr/local/bin/openvpn-connect.sh
client-disconnect /usr/local/bin/openvpn-disconnect.sh

Code: Select all

Client Config
dev tun1
proto udp
remote 70.88.163.69 1196
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca-client.crt
cert my.crt
key my.key
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
verb 1
auth-user-pass auth.txt

Code: Select all

IPTABLES
#!/bin/bash

LAN_NET_DEVICE=enp1s0
LAN_SUBNET=192.168.4.0
SWCP_WAN=216.184.2.122

VPN_SUBNET=10.8.3.0
VPN_DEVICE=tun1

MSI_LAN=172.23.93.0
MSI_WAN=70.88.163.69

#------
# Initialiaze all the chains by removing all the rules tied to them
#------
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

#------
# Delete user defined chains
#------
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

#------
# Set default policy
#------
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat --policy PREROUTING ACCEPT

#------
# Loop back accepts all traffic
#------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# added 171108
iptables -t nat -A POSTROUTING -p all -s $VPN_SUBNET/24 -o $LAN_NET_DEVICE -j MASQUERADE
iptables -A INPUT -i $VPN_DEVICE -j ACCEPT
iptables -A FORWARD -i $VPN_DEVICE -j ACCEPT
iptables -A OUTPUT -o $VPN_DEVICE -j ACCEPT
iptables -A FORWARD -p all -i $VPN_DEVICE -o $LAN_NET_DEVICE -s $VPN_SUBNET/24 -d $LAN_SUBNET/24 -j ACCEPT
iptables -A FORWARD -p all -i $LAN_NET_DEVICE -o $VPN_DEVICE -s $LAN_SUBNET/24 -d $VPN_SUBNET/24 -j ACCEPT
#

#------
# Allow bidirectional traffic to internal network
#------
iptables -A INPUT -p all -s $MSI_LAN/24 -j ACCEPT
iptables -A INPUT -p all -s $LAN_SUBNET/24 -j ACCEPT
iptables -A INPUT -p all -s $MSI_WAN -j ACCEPT

#------
# Allow out bound DNS queries and replies.
#------
iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT

#------
# Allow port 110 POP
#------
iptables -A OUTPUT -m state --state NEW -p tcp --dport 110 -d pop.nmia.com -j ACCEPT

#------
# Allow port 25 SMTP
#------
iptables -A OUTPUT -m state --state NEW -p tcp --dport 25 -d mail.nmia.com -j ACCEPT

#------
# Allow port 80 and 443 (www and https)
#------
iptables -A OUTPUT -m state --state NEW -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 443 --sport 1024:65535 -j ACCEPT

#------
# Allow outbound ICMP echo requests and inbound replies
#------
iptables -A OUTPUT -p icmp --icmp-type echo-request
iptables -A INPUT -p icmp --icmp-type echo-reply

# SMTP
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

# HTTP/HTTPS
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
iptables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
iptables -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: " --log-level 4

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Code: Select all

ROUTE ON HOME
> ip route show
default via 192.168.4.1 dev enp1s0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.8.3.0/24 dev tun1 proto kernel scope link src 10.8.3.2
172.23.93.0/24 via 10.8.3.1 dev tun1
192.168.4.0/24 dev enp1s0 proto kernel scope link src 192.168.4.254 metric 100

Post Reply