Following instructions, I got the 1st part down:
"YOU MUST COMPLETELY READ THIS ..."
& I've read through this article a couple of times, and am pretty sure it's relevant -- but not directly applicable -- to my setup.
Not doing so good on the 2nd part:
"... TO UNDERSTAND IT."
I've managed to completely confuse myself so far.
I have:
(1) a local LAN with one desktop & one mail-server, behind a firewall/router.
(2) a remote/hosted Server running a firewall & one web-server
My ascii-art depiction of the system is below.
I want to:
(a) Setup the Hosted Server as an OpenVPN server
(b) Ping from server <-> desktop/client over VPN
(c) access the web server @ a privateIP over an OpenVPN link from the Desktop, i.e.,
http://10.2.3.4
(d) 'connect/redirect' the HostedServer's port:25 over a 2nd OpenVPN link to the MailServer's port:25,
so mail sent TO 1.2.3.4:25 gets TO the MailServer on the LAN, &
mail sent FROM the MailServer on the LAN appears to originate from the HostedServer @ 1.2.3.4:25
I'm pretty certain I've badly screwed up some combination of routing and firewall rules
I'm hoping to get some guidance as to how to fix what I've done to get it all working.
Here's more info --
ASCII art:
Hosted Server:
|---------------------------|
| Server (Linux):           |
|   eth0 = 1.2.3.4/24  -----|---> (Internet)
|     |                     |
|   Apache -- (listen)      |
|     |                     |
|   tap0 = 10.2.3.4/24      |
|---------------------------|

Office LAN:
|-----------------------------------|
| Router/Firewall (FreeBSD):        |
|   tun0 (pppoe/dsl)= 5.6.7.201/29 -|---> (Internet)
|     |                             |
|   pf firewall                     |
|     |                             |
|   sis0: 10.30.8.1/24 -------|     |
|-----------------------------------|
                              |
                            |------------------------------------|
                            |                                    |
|--------------------------------|   |--------------------------------|
| Desktop (Linux):          |    |   | MailServer (Linux):       |    |
|   eth0 = 10.30.8.101/24 --|    |   |   eth0 = 10.30.8.110/24 --|    |
|   eth0:1 = 10.101.0.101/24     |   |   eth0:1 = 10.110.0.110/24     |
|--------------------------------|   |--------------------------------|
The pre-OpenVPN routing tables are:
@ HostedServer:
netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
1.2.3.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.2.3.0        0.0.0.0         255.255.255.0   U         0 0          0 tap0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth0
@ OfficeLAN's Router/Firewall:
netstat -nr
Kernel IP routing table
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            152.166.181.133    UGS         0  1797052   tun0
5.6.7.201          152.166.181.133    UGS         0        0   tun0
5.6.7.202          152.166.181.133    UGS         0        0   tun0
5.6.7.203          152.166.181.133    UGS         0        0   tun0
5.6.7.204          152.166.181.133    UGS         0        0   tun0
5.6.7.205          152.166.181.133    UGS         0        0   tun0
127.0.0.1          127.0.0.1          UH          0     1094    lo0
152.166.181.133    5.6.7.206          UH          6        0   tun0
10.30.8/24         link#1             UC          0        0   sis0
10.30.8.1          00:00:24:c8:34:77  UHLW        1      716    lo0
As a first step, I've installed OpenVPN server on the HostedServer & the Desktop.
The configs are:
/etc/openvpn/tls-server.conf
-------------------------------------------------
local 1.2.3.4
dev tun1
proto udp
port 12345
mode server
daemon
server 10.10.10.0 255.255.255.0
topology subnet
push "route 10.2.3.0 255.255.255.0 10.10.10.1"
client-to-client
management 127.0.0.1 1195
tls-server
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.openvpn.dc.loc.crt
key /etc/openvpn/server.openvpn.dc.loc.key
tls-auth /etc/openvpn/shared.ta.key 1
auth RSA-SHA512
cipher AES-256-CBC
keepalive 15 45
comp-lzo
ping-timer-rem
persist-tun
persist-key
max-clients 10
client-config-dir ccd
script-security 2 system
verb 5
status /etc/openvpn/openvpn-status.log
ifconfig-pool-persist /etc/openvpn/ipp.txt
-------------------------------------------------
/etc/openvpn/ccd/desktop.client.openvpn.dc.loc
-------------------------------------------------
ifconfig-push 10.10.10.2 255.255.255.0
iroute 10.101.0.0 255.255.255.0
-------------------------------------------------
/etc/openvpn/tls-desktop.client.conf
-------------------------------------------------
dev tun
proto udp
port 12345
mode p2p
remote 1.2.3.4 12345 udp
topology subnet
pull
remote-cert-tls server
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/desktop.client.openvpn.dc.loc.crt
key /etc/openvpn/desktop.client.openvpn.dc.loc.key
tls-auth /etc/openvpn/shared.ta.key 0
auth RSA-SHA512
cipher AES-256-CBC
comp-lzo
persist-tun
persist-key
script-security 2 system
verb 5
status /etc/openvpn/openvpn-status.log
-------------------------------------------------
With this config, I can bring up the OpenVPN connection, see the interfaces, and
ping from the server to the desktop's VPN endpoint.
I can NOT ping from the desktop to the server's VPN endpoint, or beyond it to the webserver.
@ HostedServer
ifconfig tun1
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

netstat -rn | egrep -i "tun|tap"
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 tun1
10.2.3.0        0.0.0.0         255.255.255.0   U         0 0          0 tap0

ping -c 1 10.10.10.2
PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
64 bytes from 10.10.10.2: icmp_req=1 ttl=64 time=17.9 ms

ping -c 1 10.2.3.4
PING 10.2.3.4 (10.2.3.4) 56(84) bytes of data.
64 bytes from 10.2.3.4: icmp_req=1 ttl=64 time=0.050 ms
@ Desktop
ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.2  P-t-P:10.10.10.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

netstat -rn | grep -i tun
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.2.3.0        10.10.10.1      255.255.255.0   UG        0 0          0 tun0

ping -c 1 10.101.0.101
PING 10.101.0.101 (10.101.0.101) 56(84) bytes of data.
64 bytes from 10.101.0.101: icmp_req=1 ttl=64 time=0.041 ms

ping -c 1 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
(just sits)
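One thing worth checking mechanically in a setup like the one above: the ccd file carries an iroute for 10.101.0.0/24, but the server config has no matching server-side route line, which the OpenVPN manual requires for iroute to take effect (a pushed route goes to the client and is not a substitute). The script below is an added example, not code from the post or from the OpenVPN project: a small lint that flags that, plus cipher/auth/topology/proto mismatches and tls-auth key direction, run over configs constructed here to mirror the post's (file name "ccd/desktop" is a placeholder).

```python
"""Lint an OpenVPN server config against a client config and its ccd entries.
Added example, not from the post; the configs below are constructed to mirror
the post's, trimmed to the directives the checks look at."""
import re

def parse(text):
    """Return [(directive, [args])], skipping '#'/';' comments and blank lines."""
    rows = [re.split(r"[#;]", ln, maxsplit=1)[0].split() for ln in text.splitlines()]
    return [(r[0], r[1:]) for r in rows if r]

def values(cfg, name):
    return [args for d, args in cfg if d == name]

def lint(server_text, client_text, ccd_texts):
    """Return human-readable problems; an empty list means all checks passed."""
    server, client, problems = parse(server_text), parse(client_text), []
    # An iroute in a ccd file only tells OpenVPN which client owns that subnet; the
    # kernel still needs a server-side 'route' to hand packets to the tun interface.
    routes = {tuple(a[:2]) for a in values(server, "route")}
    for fname, text in ccd_texts.items():
        for a in values(parse(text), "iroute"):
            if tuple(a[:2]) not in routes:
                problems.append(f"{fname}: iroute {a[0]} {a[1]} has no matching "
                                "'route' in the server config")
    # Both ends must agree on these or the tunnel/routing fails quietly.
    for key in ("proto", "cipher", "auth", "topology"):
        s, c = values(server, key), values(client, key)
        if s and c and s[0] != c[0]:
            problems.append(f"{key} mismatch: server {s[0]} vs client {c[0]}")
    # tls-auth key direction must be 1 on one end and 0 on the other.
    dirs = [a[1] for a in values(server, "tls-auth") + values(client, "tls-auth") if len(a) > 1]
    if len(dirs) == 2 and dirs[0] == dirs[1]:
        problems.append("tls-auth key direction is identical on both ends")
    return problems

SERVER = """proto udp
server 10.10.10.0 255.255.255.0
topology subnet
push "route 10.2.3.0 255.255.255.0 10.10.10.1"
tls-auth /etc/openvpn/shared.ta.key 1
auth RSA-SHA512
cipher AES-256-CBC"""
CLIENT = """proto udp
topology subnet
tls-auth /etc/openvpn/shared.ta.key 0
auth RSA-SHA512
cipher AES-256-CBC"""
CCD = {"ccd/desktop": "ifconfig-push 10.10.10.2 255.255.255.0\niroute 10.101.0.0 255.255.255.0"}

print(*lint(SERVER, CLIENT, CCD), sep="\n")  # one finding on the sample configs
```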