Cannot interact remotely after Connection with OpenVPN

[WhatTheIanni]

Hello everybody.!!!

I am not that much skilled on linux and openvpn. I have a headless ubuntu minimal installation and I achieved connection to a vpn service via openVPN (as a matter of fact, it was the easiest way comparing to other vpn protocols).

The problem is that even though after the connection I have internet access via the vpn server, I cannot remotely communicate with my linux machine using the dyndns ip I've been using, not even the provider's ip.

I need to access to shell as well as an rsync service i have on that machine but I cannot even ping it.

Do I need ip forwarding? or to change / disable iptables?

Thank you so much in advance

Greetings from sunny greece

[Mimiko]

Yes, you have to enable forwarding and adjust iptable's rules.

[WhatTheIanni]

I guess the command for the IP forwarding is:

echo 1 > /proc/sys/net/ipv4/ip_forward

...

But how do I adjust the iptables rules???

UPDATE: I just noticed that iptables is not installed

[maikcat]

hi all,

after talking to my fellow greek let me clarify his problem..

he has an ubuntu with openvpn client at his home connecting to vyprvpn service
which upon connection it redirects all traffic inside vpn.

he wants to access this server via ssh from another location using
port forward to his router at home.

the problem is that the redirection that openvpn provider does returns
his packets concerning ssh through vpn...

is there any way (using iptables maybe) to make his scenario work?

Michael.

[maikcat]

just a thought...

how about using ip alias on ubuntu and multiple default gateways...

http://kindlund.wordpress.com/2007/11/1 ... -in-linux/

basically forwarding ports to the alias interface and configure routing based on
traffic that destined to eth0:0..


any ideas?

Michael.

[Mimiko]

Oh, now it is clear. The responce packets are return by default route if the source address does not lay on the same IP mask as eth0. First fouthg is using iptables tagging and using rerouting by the source of the packet. I don't know exactly the write writting of the rule, but it must look something like this:
route 1, tagging packets:

Code: Select all

iptables -i eth0 --dport [all the ports of the local services] --tag [tagname]

route 2, rerouting by tagname:

Code: Select all

iptables --tag [tagname] --destination-gateway x.x.x.x[gw of eth0]

But I don't know if services will respond with packets with the same tagname. So I think about another resolution: SNATing the internet on the INPUT (or MANGLE) table:

Code: Select all

iptables -i eth0 --dport [all the ports of the local services] --SNAT [ip of eth0]

So the service will respond to the IP of the eth0 and not transmit to tun-adapter. Using in rules only the ports of local services is benefit by limiting the purpose and adding security if someone will probe a non use port and something is responding, it will respond thru tunnel, so the attacker will never get responce.

[WhatTheIanni]

Great! I'll try that and tell you how it works for me! Thank you )

[WhatTheIanni]

Unfortunately it doesn't recognize the dport argument... nor "dports"

john@XBMCLive:~$ iptables -i wlan0 --dport 9091 --SNAT 192.168.1.70
iptables v1.4.4: unknown option `--dport'

[Mimiko]

Please find your self the correct option names of iptables. I dont have a working linux to do a test. A simple search on net gave me "--destination-port" option. Please try it. Hope you got the idea about the needed rules.

[maikcat]

also take a look here...

http://www.sparksupport.com/blog/applic ... g-in-linux

[Mimiko]

maikcat, a good example of marking the packets from some application.

Just remembered. Using just one rule to redirect the packets from application: Made on OUTPUT table (or mangle) add a rule to redirect packets with teh specified source port:

Code: Select all

iptable -A OUTPUT --source-port [opened ports] --gw [desired gateway]