push redirect-gateway def1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
What I can't understand is why it works fine with NAT on the VPN server, but doesn't work without it. The router has routes to forward returned traffic back to the 172.27.5.0/24 via 172.27.2.2 and that works as the other subnets on the router are returned fine. I would have expected the VPN server to forward the traffic to the router for routing as normal, it would NAT it and send it to the internet as normal and return the traffic back to the VPN server like normal to be encrypted and transmitted back to the client, but it seems there is something funky happening in the VPN server itself. Can anyone shed any light as to why it _has_ to have masquerading?
Server is Ubuntu Linux, currently not running any iptables/ufw to get the existing networking going, everything is handled by the router.
Server Config
local 172.27.2.2
port 10000
proto udp
dev tun
ca ca.crt
cert vpn.crt
key vpn.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 172.27.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.20.0.0 255.255.255.0"
push "route 172.20.1.0 255.255.255.0"
push "route 172.20.2.0 255.255.255.0"
push "route 172.27.2.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 172.20.0.5"
push "dhcp-option DNS 172.20.0.6"
push "dhcp-option DOMAIN xx.com"
keepalive 10 120
cipher AES-128-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-fullaccess-status.log
log-append openvpn-fullaccess.log
verb 4
explicit-exit-notify 1
client-cert-not-required
username-as-common-name
┌───────────────────┐
(INTERNET) │ L3 Router │
Public IP │ │
│ │
│ │
└────────┬──────────┘ ┌─────────────────┐
│ │ LAN │
│ │ 172.20.0.0/24 │
├──────────────────────────────┤ SVI .1 │
┌───────────────┐ │ └─────────────────┘
│ VPN Client │ │
│ 172.27.5.5/24 │ │
│ │ │
└───────────────┘ │
│ ┌─────────────────┐
│ │ LAN │
├──────────────────────────────┤ 172.20.1.0/24 │
│ │ SVI .1 │
│ └─────────────────┘
│
│
│ ┌─────────────────┐ ┌─────────────────┐
│ │ DMZ │ │ VPN Server │
├──────────────────────────────┤ 172.27.2.0/26 ├──────┤ 172.27.2.2/24 │
│ │ SVI .1 │ │ DG: 172.27.2.1 │
│ └─────────────────┘ └───────────┬─────┘
│ │
│ │
│ ┌─────────────────┐ ┌─┴────────────────┐
│ │ DMZ │ │ VPN tunnel Subnet│
└──────────────────────────────┤ 172.27.2.64/26 │ │ 172.27.5.0/24 │
│ SVI .1 │ │ TUN .1 │
└─────────────────┘ └──────────────────┘
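The question above assumes three things about the path from the VPN client to the Internet when the VPN server does not masquerade: the server forwards between tun0 and eth0, the router has a return route for 172.27.5.0/24 via 172.27.2.2, and the router's own source NAT on the WAN side covers 172.27.5.0/24 (a router only translates the source subnets its POSTROUTING rule names, so a subnet missing from that rule leaves with a private source address and never gets a reply). The following script is an added example, not the poster's code or part of the post: it checks each of those assumptions against either the live sysctl tree or copies of the router's `ip route` and `iptables-save -t nat` output. The helper names are hypothetical, and the sample route and NAT tables are constructed from the addresses in the diagram, not captured from the poster's router.

```shell
#!/bin/sh
# Added diagnostic for the no-NAT forwarding path (not the poster's code).
# Helper names are hypothetical; sample data below is constructed from the
# addresses in the diagram, not taken from the poster's router.

# 1. Kernel forwarding on the VPN server. Needed with or without MASQUERADE,
#    so if NAT already works this is rarely the difference, but it is cheap to
#    confirm. $1 (optional) overrides the sysctl directory (for testing).
forwarding_enabled() {
    dir=${1:-/proc/sys/net/ipv4}
    [ "$(cat "$dir/ip_forward" 2>/dev/null)" = "1" ]
}

# 2. Return route on the router: the tunnel subnet must point at the VPN
#    server's LAN address. $1 = text of `ip route` from the router,
#    $2 = tunnel subnet, $3 = expected next hop.
route_present() {
    printf '%s\n' "$1" | awk -v net="$2" -v gw="$3" '
        $1 == net && $2 == "via" && $3 == gw { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# 3. Router-side source NAT towards the Internet: is the tunnel subnet named
#    by (or is there an unrestricted) POSTROUTING MASQUERADE/SNAT rule?
#    Exact-match only; an aggregated rule such as -s 172.16.0.0/12 needs a
#    manual look. $1 = text of `iptables-save -t nat`, $2 = tunnel subnet.
wan_nat_covers() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == "-A" && $2 == "POSTROUTING" && (/-j MASQUERADE/ || /-j SNAT/) {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
            if (src == "" || src == net) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Run the three checks, print one line each, return the number of failures.
# $1 = sysctl dir (empty for live), $2 = router route table, $3 = router NAT table.
diagnose() {
    fails=0
    if forwarding_enabled "$1"; then echo "ok   ip_forward=1 on VPN server"
    else echo "FAIL ip_forward is not 1 on VPN server"; fails=$((fails + 1)); fi
    if route_present "$2" 172.27.5.0/24 172.27.2.2; then echo "ok   router routes 172.27.5.0/24 via 172.27.2.2"
    else echo "FAIL router has no route for 172.27.5.0/24 via 172.27.2.2"; fails=$((fails + 1)); fi
    if wan_nat_covers "$3" 172.27.5.0/24; then echo "ok   router WAN NAT covers 172.27.5.0/24"
    else echo "FAIL router WAN NAT rule does not cover 172.27.5.0/24"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample of a router route table (addresses from the diagram).
SAMPLE_ROUTER_ROUTES='default via 203.0.113.1 dev wan0
172.20.0.0/24 dev vlan10 proto kernel scope link src 172.20.0.1
172.27.2.0/26 dev vlan30 proto kernel scope link src 172.27.2.1
172.27.5.0/24 via 172.27.2.2 dev vlan30'

# Constructed sample NAT table: the LAN and DMZ subnets are translated on the
# WAN interface, the tunnel subnet is not.
SAMPLE_ROUTER_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.20.0.0/24 -o wan0 -j MASQUERADE
-A POSTROUTING -s 172.27.2.0/26 -o wan0 -j MASQUERADE
COMMIT'

# Usage: live sysctl tree, constructed router tables.
diagnose "" "$SAMPLE_ROUTER_ROUTES" "$SAMPLE_ROUTER_NAT" || echo "$? check(s) failed"
```

To use it against a real router, paste the router's `ip route` and `iptables-save -t nat` output into the two sample variables (or pass them as arguments to `diagnose`); a FAIL on the third check is the usual reason a tunnel subnet that the router can route still gets no replies from the Internet.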