I had a working setup as follows:
LAN: 192.168.1.0
OpenVPN Server: 192.168.1.18
VPN Subnet: 10.8.0.0
Port 1194 open from Internet, forwarded to OpenVPN Server.
All was working, I could access hosts on the LAN subnet when connecting over VPN from the Internet. There was just one problem. I had several VPNs and the VPN subnet (10.8.0.0) could have a potential collision when connecting to multiple. So I decided to change the VPN subnet to 10.8.101.0.
I updated iptables with the new IP in the forward rule between VPN and LAN subnets.
I can connect and access the OpenVPN server without any issues. But I still cannot access any hosts on LAN.
Code:
#iptables -L (partial output)
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 10.8.101.0/24 ctstate RELATED,ESTABLISHED /* openvpn-forward-rule */
ACCEPT all -- 10.8.101.0/24 anywhere /* openvpn-forward-rule */
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
What more do I need to change to get access here? Note that it was working before; the only change was the VPN subnet.
EDIT: Forgot to mention, I also changed the push route in the server configuration.
A traceroute from the client to a LAN IP finds its way to the VPN server, but not to the LAN.
EDIT again:
ping 192.168.1.18 (OpenVPN Server LAN IP) from VPN Client = Success
ping 192.168.1.2 (host on LAN) = Fail
Code:
tracert 192.168.1.2
Tracing route to 192.168.1.2 over a maximum of 30 hops
1 304 ms 40 ms 37 ms 10.8.101.1
2 * * * Request timed out.
3 * ^C
Code:
tracert 192.168.1.18
Tracing route to 192.168.1.18 over a maximum of 30 hops
1 295 ms 24 ms 27 ms 192.168.1.18
net.ipv4.ip_forward = 1
The client route-table seems to be fine:
Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.55.1 192.168.55.155 25
10.8.101.0 255.255.255.0 On-link 10.8.101.2 281
10.8.101.2 255.255.255.255 On-link 10.8.101.2 281
10.8.101.255 255.255.255.255 On-link 10.8.101.2 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 10.8.101.1 10.8.101.2 281
192.168.55.0 255.255.255.0 On-link 192.168.55.155 281
192.168.55.155 255.255.255.255 On-link 192.168.55.155 281
192.168.55.255 255.255.255.255 On-link 192.168.55.155 281
192.168.121.0 255.255.255.0 On-link 192.168.121.1 291
192.168.121.1 255.255.255.255 On-link 192.168.121.1 291
192.168.121.255 255.255.255.255 On-link 192.168.121.1 291
192.168.186.0 255.255.255.0 On-link 192.168.186.1 291
192.168.186.1 255.255.255.255 On-link 192.168.186.1 291
192.168.186.255 255.255.255.255 On-link 192.168.186.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.186.1 291
224.0.0.0 240.0.0.0 On-link 192.168.121.1 291
224.0.0.0 240.0.0.0 On-link 10.8.101.2 281
224.0.0.0 240.0.0.0 On-link 192.168.55.155 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.186.1 291
255.255.255.255 255.255.255.255 On-link 192.168.121.1 291
255.255.255.255 255.255.255.255 On-link 10.8.101.2 281
255.255.255.255 255.255.255.255 On-link 192.168.55.155 281
===========================================================================
Code:
pi@raspberrypi:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.18 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::5a13:1188:fe7e:4542 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:98:f7:67 txqueuelen 1000 (Ethernet)
RX packets 45234 bytes 3704375 (3.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18098 bytes 2370883 (2.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.101.1 netmask 255.255.255.0 destination 10.8.101.1
inet6 fe80::53e6:d905:caec:f46d prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 1748 bytes 126554 (123.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1204 bytes 472084 (461.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Code:
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:openvpn /* openvpn-input-rule */
2 ufw-before-logging-input all -- anywhere anywhere
3 ufw-before-input all -- anywhere anywhere
4 ufw-after-input all -- anywhere anywhere
5 ufw-after-logging-input all -- anywhere anywhere
6 ufw-reject-input all -- anywhere anywhere
7 ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere 10.8.101.0/24 ctstate RELATED,ESTABLISHED /* openvpn-forward-rule */
2 ACCEPT all -- 10.8.101.0/24 anywhere /* openvpn-forward-rule */
3 ufw-before-logging-forward all -- anywhere anywhere
4 ufw-before-forward all -- anywhere anywhere
5 ufw-after-forward all -- anywhere anywhere
6 ufw-after-logging-forward all -- anywhere anywhere
7 ufw-reject-forward all -- anywhere anywhere
8 ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ufw-before-logging-output all -- anywhere anywhere
2 ufw-before-output all -- anywhere anywhere
3 ufw-after-output all -- anywhere anywhere
4 ufw-after-logging-output all -- anywhere anywhere
5 ufw-reject-output all -- anywhere anywhere
6 ufw-track-output all -- anywhere anywhere
Chain ufw-before-logging-input (1 references)
num target prot opt source destination
Chain ufw-before-logging-output (1 references)
num target prot opt source destination
Chain ufw-before-logging-forward (1 references)
num target prot opt source destination
Chain ufw-before-input (1 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 ufw-logging-deny all -- anywhere anywhere ctstate INVALID
4 DROP all -- anywhere anywhere ctstate INVALID
5 ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
6 ACCEPT icmp -- anywhere anywhere icmp time-exceeded
7 ACCEPT icmp -- anywhere anywhere icmp parameter-problem
8 ACCEPT icmp -- anywhere anywhere icmp echo-request
9 ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
10 ufw-not-local all -- anywhere anywhere
11 ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
12 ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
13 ufw-user-input all -- anywhere anywhere
Chain ufw-before-output (1 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 ufw-user-output all -- anywhere anywhere
Chain ufw-before-forward (1 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
3 ACCEPT icmp -- anywhere anywhere icmp time-exceeded
4 ACCEPT icmp -- anywhere anywhere icmp parameter-problem
5 ACCEPT icmp -- anywhere anywhere icmp echo-request
6 ufw-user-forward all -- anywhere anywhere
Chain ufw-after-input (1 references)
num target prot opt source destination
1 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
2 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
3 ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
4 ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
5 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
6 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
7 ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-output (1 references)
num target prot opt source destination
Chain ufw-after-forward (1 references)
num target prot opt source destination
Chain ufw-after-logging-input (1 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
num target prot opt source destination
Chain ufw-after-logging-forward (1 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-reject-input (1 references)
num target prot opt source destination
Chain ufw-reject-output (1 references)
num target prot opt source destination
Chain ufw-reject-forward (1 references)
num target prot opt source destination
Chain ufw-track-input (1 references)
num target prot opt source destination
Chain ufw-track-output (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere ctstate NEW
2 ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-track-forward (1 references)
num target prot opt source destination
Chain ufw-logging-deny (2 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
2 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-logging-allow (0 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-skip-to-policy-input (7 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-forward (0 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
Chain ufw-not-local (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
2 RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
3 RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
4 ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
5 DROP all -- anywhere anywhere
Chain ufw-user-input (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
2 ACCEPT udp -- anywhere anywhere udp dpt:openvpn
Chain ufw-user-output (1 references)
num target prot opt source destination
Chain ufw-user-forward (1 references)
num target prot opt source destination
Chain ufw-user-logging-input (0 references)
num target prot opt source destination
Chain ufw-user-logging-output (0 references)
num target prot opt source destination
Chain ufw-user-logging-forward (0 references)
num target prot opt source destination
Chain ufw-user-limit (0 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
2 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
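After renumbering a VPN subnet, one thing worth auditing is that every rule naming the old subnet was updated, including NAT rules in the nat table, which a plain iptables -L (filter table only, as shown above) does not display. The shell script below is an added example, not from the original post: it reads an iptables-save dump on stdin, lists rules that still reference the old subnet, and checks that the new subnet is accepted in FORWARD and MASQUERADEd/SNATed in POSTROUTING. The sample dumps and subnets in it are constructed.

```shell
# Added example (not from the original post): audit an iptables-save dump
# after a VPN subnet renumbering. Lists rules still naming the old subnet
# and checks the new one is accepted in FORWARD and NATed in POSTROUTING.
# Usage: iptables-save | audit_rules OLD_SUBNET NEW_SUBNET   (0 = consistent)
audit_rules() {
    old="$1"; new="$2"; status=0
    rules=$(cat)
    # 1. Any rule still carrying the old subnet is a stale leftover.
    stale=$(printf '%s\n' "$rules" | grep -F -- "$old" || true)
    if [ -n "$stale" ]; then
        echo "STALE: rules still reference $old:"
        printf '%s\n' "$stale" | sed 's/^/    /'
        status=1
    fi
    # 2. FORWARD must accept traffic sourced from the new subnet.
    if ! printf '%s\n' "$rules" | grep -q -- "^-A FORWARD .*-s $new"; then
        echo "MISSING: no FORWARD rule with -s $new"
        status=1
    fi
    # 3. nat POSTROUTING must MASQUERADE/SNAT the new subnet; without it
    #    LAN hosts need a static route back to the VPN subnet to reply.
    if ! printf '%s\n' "$rules" | grep -- "^-A POSTROUTING .*-s $new" \
            | grep -Eq -- '-j (MASQUERADE|SNAT)'; then
        echo "MISSING: no MASQUERADE/SNAT in POSTROUTING for $new"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $new is consistently configured"
    return "$status"
}

# Constructed dump: FORWARD renumbered to 10.8.101.0/24, nat table not.
sample_stale() {
    cat <<'EOF'
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 10.8.101.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.101.0/24 -j ACCEPT
COMMIT
EOF
}

# Constructed dump: the same rules with both tables renumbered.
sample_fixed() {
    sample_stale | sed 's#10\.8\.0\.0/24#10.8.101.0/24#'
}
```

On the real box, run it as iptables-save | audit_rules 10.8.0.0/24 10.8.101.0/24 after sourcing the file; the two sample_ functions only exist so the script can be tried offline.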