howto share vpn connection (Linux + OpenVPN)?

flan · Post by **flan** » Tue May 10, 2011 10:47 am

hello all,

I am trying to share vpn connection between my network without any luck.

I do have an office with Several PC's and we share the internet connection using iptables and our DNS server we also have Mail and FTP Server. Our ISP keep changing there rules and they start blocking some port like 25, 21 and 143. so the best solution i could think of is to use vpn service with a static ip address to use instead of my ISP ip address.

I do need all my computer in my local network to be using the VPN ip address and not my ISP ip address.

my network infrastructure is like this

dsl modem

Code: Select all

10.0.0.1  255.255.255.192

Main DNS server with 2 NIC's: /etc/network/interfaces

Code: Select all

auto lo eth0 eth1
iface lo inet loopback

#internet 
iface eth0 inet static
    address 10.0.0.2
    netmask 255.255.255.192
    gateway 10.0.0.1        
#local
iface eth1 inet static
    address 10.0.1.1
    netmask 255.255.255.240

/etc/resolv.conf

Code: Select all

nameserver 127.0.0.1

/etc/bind/options.conf

Code: Select all

options {
    directory "/var/cache/bind";
    forwarders {208.67.222.222; 208.67.220.220;};
    auth-nxdomain no;
    allow-query { any; };
    recursion no;    
    version "0";        
    listen-on-v6 { any; };
};

My iptables

Code: Select all

EXTIF="eth0"
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" #whick is 10.0.0.2
INTIF="eth1" # Enter the designation for the Internal Interface's
INTNET="10.0.1.0/28" # Enter the NETWORK address the Internal Interface is on
INTIP="10.0.1.1" # Enter the IP address of the Internal Interface
UNIVERSE="0.0.0.0/0"

    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_nat_irc

    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    iptables -P INPUT DROP
    iptables -F INPUT 
    iptables -P OUTPUT DROP
    iptables -F OUTPUT 
    iptables -P FORWARD DROP
    iptables -F FORWARD 
    iptables -F -t nat

    if [ "`iptables -L | grep drop-and-log-it`" ]; then
       iptables -F drop-and-log-it
    fi
    iptables -X
    iptables -Z
    iptables -N drop-and-log-it
    iptables -A drop-and-log-it -j LOG --log-level info 
    iptables -A drop-and-log-it -j REJECT

    iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
    iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
    iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
    iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

    iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
    iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
    iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
    iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
    iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


    Cloud=10.0.1.4
    Port=8080
    iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

    iptables -A FORWARD -i $EXTIF -o $INTIF -d $Cloud -p tcp --dport $Port -j ACCEPT
    iptables -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport $Port -j DNAT --to $Cloud

    iptables -A FORWARD -j drop-and-log-it
    iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

With those setting i was able to share my internet connection (without vpn). However, when i try to connect to vpn server using openvpn it seem i am connect to the vpn server but i dont have any internet connectivity even on the dns server.

here route -n output before the VPN established and after.

before

Code: Select all

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        0.0.0.0         255.255.255.240 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0

after

Code: Select all

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
174.37.222.38   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.240 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.192 U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 tun0
0.0.0.0         10.10.11.1      128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.10.11.1      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.0.1        0.0.0.0         UG    1      0        0 eth0

Mail server /etc/network/interfaces

Code: Select all

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
    iface eth0 inet static
        address 10.0.1.3
        netmask 255.255.255.240
        gateway 10.0.1.1

/etc/resolv.conf

Code: Select all

nameserver 10.0.1.1

Other clients on local network

Code: Select all

address 10.0.1.x  
netmask 255.255.255.240
gateway 10.0.1.1
nameserver     10.0.1.1

after some google searching i was able to share the internet using this

Code: Select all

WAN=eth0  
VPN=tun0  
LAN=eth1  
echo 1 > /proc/sys/net/ipv4/ip_forward  
iptables --append FORWARD --in-interface $LAN -j ACCEPT  
iptables --table nat --append POSTROUTING --out-interface $WAN -j MASQUERADE  
iptables --table nat --append POSTROUTING --out-interface $VPN -j MASQUERADE

however, i cannot port forward to my mail or dns.

I really have no idea what should i be doing or if there is something wrong i should change, therefore if anyone could help me or point me to the right direction that would be grate.

Any help would be much appreciated.

Post by **maikcat** » Tue May 10, 2011 12:56 pm

hi there,

first post openvpn configs as well...

also post result from ifconfig as well

i noticed this

>10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 tun0

your tun belongs to 10.0.0.0/8 net?
if yes tun0 gets 10.0.0.1 ip?
your eth0 and eth1 have 10.0.1.1/24 and your eth0 has 10.0.0.2/24..

i think they got mixed a little..

Michael.

flan · Post by **flan** » Tue May 10, 2011 1:33 pm

Michael,

maikcat wrote: first post openvpn configs as well...

Code: Select all

client
fast-io
dev tun
proto udp

nobind
remote 174.37.222.38 1194
route-method exe
route-delay 2
resolv-retry infinite

persist-key
persist-tun
 
auth-user-pass password
ca vpnuk-ca.crt
tls-auth ta.key 1
 
comp-lzo
verb 3

maikcat wrote: also post result from ifconfig as well

Code: Select all

eth0      Link encap:Ethernet  HWaddr 00:30:4f:1c:49:f8  
          inet addr:10.0.0.2  Bcast:10.0.0.63  Mask:255.255.255.192
          inet6 addr: fe80::230:4fff:fe1c:49f8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2022087 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2119018 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1515925916 (1.5 GB)  TX bytes:439121061 (439.1 MB)
          Interrupt:11 Base address:0xc000 

eth1      Link encap:Ethernet  HWaddr 00:08:54:41:42:88  
          inet addr:10.0.1.1  Bcast:10.0.1.15  Mask:255.255.255.240
          inet6 addr: fe80::208:54ff:fe41:4288/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2130575 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2016029 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:310331520 (310.3 MB)  TX bytes:1383951724 (1.3 GB)
          Interrupt:10 Base address:0xc400 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1988 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1988 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:279384 (279.3 KB)  TX bytes:279384 (279.3 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.204.139.96  P-t-P:10.204.139.96  Mask:255.0.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1555647 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1562594 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:1185849397 (1.1 GB)  TX bytes:193037768 (193.0 MB)

Code: Select all

eth0 10.0.0.1/24 # Internet
eth1 10.0.1.1/28 # Local

thx

Post by **maikcat** » Tue May 10, 2011 1:51 pm

hi there,

server configs..?

Michael

flan · Post by **flan** » Tue May 10, 2011 1:54 pm

maikcat wrote:hi there,

server configs..?

Michael

it a client config file i am connecting to a vpn server i have no idea what they have for there server configs.

thx

OpenVPN Support Forum

howto share vpn connection (Linux + OpenVPN)?

howto share vpn connection (Linux + OpenVPN)?

Re: howto share vpn connection (Linux + OpenVPN)?

Re: howto share vpn connection (Linux + OpenVPN)?

Re: howto share vpn connection (Linux + OpenVPN)?

Re: howto share vpn connection (Linux + OpenVPN)?