nat + routing issue on target site

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
dagost
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 23, 2011 2:23 pm

nat + routing issue on target site

Post by dagost » Tue Aug 23, 2011 2:55 pm

Hello everybody,

I have some ARM Linux devices with the OpenVPN client connected through the VPN using a wireless 3G (PPP) connection.

Those Linux clients are connected to several pieces of industrial equipment.

On the other side I just have the OpenVPN server running on Windows, and Windows computers [192.168.197.x].

I use static IP addresses with unique certificates and it works very well!

Here is my testing configuration:

  equipment            Linux client                 WAN        OpenVPN server            computers
192.168.198.5 ---- 192.168.198.1 (eth0)
                   172.30.0.20 (tun0) -------- ppp -------- 172.30.0.1 (tun)
                                                            192.168.197.7 (LAN) ---- 192.168.197.x

My problem is that now I must connect from the computers to the equipment. I must use an association table like this on each Linux client, because pieces of equipment may have the same IP address:
192.168.198.5 - 10.71.30.1
192.168.198.6 - 10.71.30.2
etc

Don't ask me to change this way of doing things; I have simplified the real situation.

I've set 10.71.30.1 on eth0:0 and enabled routing, proxy ARP and SNAT/DNAT using iptables.

I would like the equipment 192.168.198.5 to reply when I ping 10.71.30.1 from the Windows computers (the IP will be stored in a database).

About routes, on the computers I've set:

Code:

route add 10.71.0.0 MASK 255.255.0.0 192.168.197.7

And on the Windows OpenVPN server I've set:

Code:

REM Without MASK, Windows assumes 255.255.255.255 (a single host),
REM which is what the route print below shows for 10.71.0.0
route add 10.71.0.0 MASK 255.255.0.0 172.30.0.2

On Linux I've set up NAT with iptables (all default policies set to ACCEPT).
For the first piece of equipment the rules are:

Code:

# Inbound: rewrite the fake address to the real equipment before the routing decision
iptables -t nat -A PREROUTING -i tun0 -d 10.71.30.1 -j DNAT --to-destination 192.168.198.5
# Outbound: SNAT is only valid in the POSTROUTING chain, not in PREROUTING
iptables -t nat -A POSTROUTING -o tun0 -s 192.168.198.5 -j SNAT --to-source 10.71.30.1

I can't tcpdump on the Linux clients because libpcap does not support the link layer used by the tun0 interface.

By the way, from the OpenVPN server I can use Wireshark and I see the ARP request/reply and the ping leaving, but there is no reply. I'm almost sure the ping is stuck in the tun0 interface, because the packet counters on the iptables rules do not change (iptables -L -v -n -t nat).

I've also added an internal route on the OpenVPN server by adding this line to the conf file:

Code:

route 10.71.30.1 255.255.255.255 172.30.0.20

Thanks for your answers.

Here is some additional information:

Code:

ts7500:~/work# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:d0:69:44:1b:3a
          inet addr:192.168.198.1  Bcast:192.168.198.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:86790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11555144 (11.0 MiB)  TX bytes:3788 (3.6 KiB)
          Base address:0x2000

eth0:0    Link encap:Ethernet  HWaddr 00:d0:69:44:1b:3a
          inet addr:10.71.30.1  Bcast:10.71.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:66540 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66540 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:47821435 (45.6 MiB)  TX bytes:47821435 (45.6 MiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.221.30.217  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:853 errors:280 dropped:0 overruns:0 frame:0
          TX packets:2701 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:493278 (481.7 KiB)  TX bytes:139194 (135.9 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.30.0.20  P-t-P:172.30.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:420 (420.0 B)

ts7500:~/work# uname -a
Linux ts7500 2.6.24.4 #1 Thu Aug 5 09:30:24 MST 2010 armv4l GNU/Linux
ts7500:~/work# ip r l
10.64.64.64 dev ppp0  proto kernel  scope link  src 10.221.30.217
172.30.0.5 dev tun0  proto kernel  scope link  src 172.30.0.20
192.168.197.0/24 via 172.30.0.5 dev tun0
192.168.198.0/24 dev eth0  scope link
192.168.198.0/24 dev eth0  proto kernel  scope link  src 192.168.198.1
10.71.0.0/16 dev eth0  proto kernel  scope link  src 10.71.30.1
172.30.0.0/16 via 172.30.0.5 dev tun0
127.0.0.0/8 dev lo  scope link
default dev ppp0  scope link
Windows OpenVPN server routing table:

Code:

route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff f6 18 17 ec ...... TAP-Win32 Adapter V9
0x20004 ...00 0c 76 17 aa 57 ...... Ethernet Gigabit Broadcom NetXtreme
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        10.71.0.0  255.255.255.255       172.30.0.2       172.30.0.1      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
       172.30.0.0  255.255.255.252       172.30.0.1       172.30.0.1     30
       172.30.0.0      255.255.0.0       172.30.0.2       172.30.0.1      1
       172.30.0.1  255.255.255.255        127.0.0.1        127.0.0.1     30
      172.30.30.0    255.255.255.0       172.30.0.1       172.30.0.1      1
   172.30.255.255  255.255.255.255       172.30.0.1       172.30.0.1     30
    192.168.197.0    255.255.255.0    192.168.197.7    192.168.197.7     10
    192.168.197.7  255.255.255.255        127.0.0.1        127.0.0.1     10
  192.168.197.255  255.255.255.255    192.168.197.7    192.168.197.7     10
        224.0.0.0        240.0.0.0       172.30.0.1       172.30.0.1     30
        224.0.0.0        240.0.0.0    192.168.197.7    192.168.197.7     10
  255.255.255.255  255.255.255.255       172.30.0.1       172.30.0.1      1
  255.255.255.255  255.255.255.255    192.168.197.7    192.168.197.7      1
===========================================================================
Persistent Routes:
  None

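As an added example (not code from the thread), this is how a practitioner would write the 1:1 NAT half of the setup on the Linux client, generated from the same kind of association table. It assumes tun0 and eth0 as in the posted ifconfig output, that the equipment uses the Linux client (192.168.198.1) as its default gateway so replies come back through it, and that the fake 10.71.30.x addresses are not assigned to the box itself; the mapping table is constructed sample data. Run as written it only prints the commands; set IPT=iptables SYSCTL=sysctl to apply them as root.

```shell
#!/bin/sh
# Added example: 1:1 NAT between fake VPN-side addresses and real equipment.
# Table format: <fake IP> <real equipment IP>  (constructed sample data)
MAPPINGS='10.71.30.1 192.168.198.5
10.71.30.2 192.168.198.6'

# Defaults print the commands instead of running them (no root needed).
IPT=${IPT:-echo iptables}
SYSCTL=${SYSCTL:-echo sysctl}

# Rules for one mapping. Two chains, two directions:
#  - PREROUTING/DNAT: traffic arriving from the VPN for the fake address is
#    rewritten to the real equipment before the routing decision, so the box
#    never needs to own 10.71.30.x on an eth0 alias. conntrack reverses the
#    translation for replies, so no extra rule is needed for the return half.
#  - POSTROUTING/SNAT: connections the equipment *initiates* toward the VPN
#    leave with the fake address as source. SNAT is only valid in
#    POSTROUTING; iptables rejects it in PREROUTING.
nat_rules_for() {
    fake=$1
    real=$2
    $IPT -t nat -A PREROUTING -i tun0 -d "$fake" -j DNAT --to-destination "$real"
    $IPT -t nat -A POSTROUTING -o tun0 -s "$real" -j SNAT --to-source "$fake"
}

# Explicit forward policy instead of ACCEPT-all: only VPN <-> equipment paths
# are allowed, with conntrack accepting the replies.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i tun0 -o eth0 -d 192.168.198.0/24 -j ACCEPT
    $IPT -A FORWARD -i eth0 -o tun0 -s 192.168.198.0/24 -j ACCEPT
}

# Everything, in order: forwarding on, forward policy, then one DNAT/SNAT pair
# per line of the table.
render_all() {
    # Without ip_forward nothing crosses between tun0 and eth0 at all.
    $SYSCTL -w net.ipv4.ip_forward=1
    forward_rules
    printf '%s\n' "$MAPPINGS" | while read -r fake real; do
        [ -n "$fake" ] || continue
        nat_rules_for "$fake" "$real"
    done
}

render_all
```

Check the rendered output before applying: every SNAT must appear with POSTROUTING and -o tun0, every DNAT with PREROUTING and -i tun0, and the FORWARD chain must not be left at ACCEPT, otherwise the VPN endpoint becomes an open router into the equipment LAN.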
Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: nat + routing issue on target site

Post by Mimiko » Wed Aug 24, 2011 6:24 am

iptables -t nat -A PREROUTING -i tun0 --dst 10.71.30.1 -j DNAT --to-destination 192.168.198.5
iptables -t nat -A PREROUTING -i eth0 --src 192.168.198.5 -j SNAT --to-source 10.71.30.1
You don't need this on the equipment, because you will use a parallel IP pool on the LAN.
192.168.198.5 - 10.71.30.1
eth0 Link encap:Ethernet HWaddr 00:d0:69:44:1b:3a
inet addr:192.168.198.1 Bcast:192.168.198.255 Mask:255.255.255.0

eth0:0 Link encap:Ethernet HWaddr 00:d0:69:44:1b:3a
inet addr:10.71.30.1 Bcast:10.71.255.255 Mask:255.255.0.0
You made an error configuring the IPs. Who has 10.71.30.1?
route add 10.71.0.0 MASK 255.255.0.0 192.168.197.7
Did you add this on the computers on the OpenVPN server's LAN?
route add 10.71.0.0 172.30.0.2
Don't add this on the OpenVPN server, because you will add the route from the OpenVPN configuration.
route 10.71.30.1 255.255.255.255 172.30.0.20
The correct way is to add the command to the OpenVPN server's config as: "route 10.71.30.1 255.255.255.0"

You also have to add to the OpenVPN server's config: push "route 192.168.197.0 255.255.255.0"
Make a ccd file for the client with its certificate's common name and add:

Code:

iroute 192.168.198.0 255.255.255.0
iroute 10.71.0.0 255.255.0.0
Post OpenVPN server's and client's config files.

dagost
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 23, 2011 2:23 pm

Re: nat + routing issue on target site

Post by dagost » Wed Aug 24, 2011 6:38 am

Thanks for the reply. I have several LANs which may have the same IP pool; this is why we chose to associate LAN IPs with fake IPs like 10.71.x.y. Those IPs don't really exist.
The correct is to add the command in OpenVPN server's config as: "route 10.71.30.1 255.255.255.0"
If I do that I will add a /24 network route, but I would like to add a route to the single host 10.71.30.1, isn't that right?

By the way, I didn't know the iroute OpenVPN client directive; I've read http://backreference.org/2009/11/15/openvpn-and-iroute/ and iroute might be the right solution!

server.conf

Code:

port 1194
proto udp
dev tun

ca ca-certificate.pem
cert vpn-server-certificate.pem
key privkey.pem
dh dh.pem
client-config-dir conf-clients
server 172.30.0.0 255.255.0.0
push "route 192.168.197.0 255.255.255.0"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

comp-lzo

;max-clients 100

;user nobody
;group nobody

persist-key
persist-tun

status openvpn-status.log
verb 2
mute 3
route 10.71.30.1 255.255.255.255 172.30.0.20

client.conf

Code:

client
dev tun
proto udp
remote *****1194
ca ca-certificate.pem
cert vpn-client-certificate.pem
key privkey.pem
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user openvpn
group openvpn
daemon
resolv-retry infinite
nobind
verb 1
mute 3

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: nat + routing issue on target site

Post by Mimiko » Wed Aug 24, 2011 6:56 am

My mistake. It's: route 10.71.30.0 255.255.255.0
If you don't want to push 192.168.195.0/24, then just skip the lines where it appears.

If you want to route not the whole 10.71.30.0/24 but only some hosts, then you will have to add to the OpenVPN server's config only:

Code:

route 10.71.30.x 255.255.255.255
for each wanted IP. And also add:

Code:

iroute 10.71.30.x 255.255.255.255
for each wanted IP to the ccd file.

"route" in the config file adds routes to the system's routing table. "iroute" adds routes to OpenVPN's internal routing table. They are different routing tables.
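As an added example (not from the thread or from OpenVPN's own tooling), the following generates both halves of the route/iroute pairing described above from one association table: the "route" lines for the server config, which go into the Windows routing table, and the "iroute" lines for the ccd file, which go into OpenVPN's internal table. The client CN ts7500-client and the table contents are assumptions; conf-clients is the client-config-dir from the posted server.conf. It also checks that every route has a matching iroute, since a route without one sends the packet into tun0 where OpenVPN has no client to deliver it to.

```shell
#!/bin/sh
# Added example: derive "route" (server.conf) and "iroute" (ccd/<CN>) lines
# from one association table so the two routing tables cannot drift apart.
# Table format: <client CN> <fake IP> <real equipment IP>  (constructed data;
# the CN "ts7500-client" is hypothetical)
MAPPINGS='ts7500-client 10.71.30.1 192.168.198.5
ts7500-client 10.71.30.2 192.168.198.6'

# Lines for the OpenVPN server config. "route" puts each fake host address
# into the server OS routing table pointing at the tun interface; no gateway
# argument is needed, OpenVPN fills in its own tunnel endpoint.
server_routes() {
    printf '%s\n' "$MAPPINGS" | while read -r cn fake real; do
        [ -n "$fake" ] || continue
        printf 'route %s 255.255.255.255\n' "$fake"
    done
}

# Lines for conf-clients/<CN>. "iroute" tells OpenVPN's internal routing
# table which connected client owns those addresses; without it the kernel
# hands the packet to tun0 but OpenVPN has nowhere to send it.
ccd_for() {
    want_cn=$1
    printf '%s\n' "$MAPPINGS" | while read -r cn fake real; do
        [ "$cn" = "$want_cn" ] || continue
        printf 'iroute %s 255.255.255.255\n' "$fake"
    done
}

# Every "route" on the server must be matched by an "iroute" in some ccd
# file, or that address is a black hole inside the tunnel.
check_routes_have_iroutes() {
    routes=$(server_routes | awk '{print $2}' | sort)
    iroutes=$(printf '%s\n' "$MAPPINGS" | awk '{print $1}' | sort -u \
        | while read -r cn; do ccd_for "$cn"; done \
        | awk '{print $2}' | sort)
    [ "$routes" = "$iroutes" ]
}

# Write the fragments to a scratch directory so running this is harmless;
# copy them into the real server.conf and client-config-dir afterwards.
OUT=${OUT:-$(mktemp -d)}
mkdir -p "$OUT/conf-clients"
server_routes > "$OUT/server-routes.conf"
ccd_for ts7500-client > "$OUT/conf-clients/ts7500-client"
check_routes_have_iroutes && echo "ok: routes and iroutes agree, files in $OUT"
```

The ccd file name must equal the client's certificate common name exactly, or OpenVPN never reads the iroute and the symptom is identical to having no iroute at all.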

dagost
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 23, 2011 2:23 pm

Re: nat + routing issue on target site

Post by dagost » Wed Aug 24, 2011 7:10 am

OK, thanks a lot. I knew there were two routing systems but I didn't know how to set the OpenVPN internal routes. I've added route 10.71.0.0 255.255.0.0 to the OpenVPN server configuration file and I've deleted the Windows route (route add 10.71.0.0 172.30.0.2).

After restarting OpenVPN, ICMP requests go to the VPN interface (only after restarting the Windows routing service). So the ICMP requests are correctly sent but there is no reply from my devices; now I'm going to add iroutes and see what happens. ICMP requests arrive at the final equipment; now I need to fix the NAT rules and it will be OK.

At restart, is there a way to automatically restart the routing service after reading the OpenVPN server conf? I just need to execute these commands:

Code:

net stop RemoteAccess
net start RemoteAccess

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: nat + routing issue on target site

Post by janjust » Wed Aug 24, 2011 8:12 am

At restart, is there a way to automaticaly restart the routing service after reading openvpn server conf ? I just need to execute theses commandes :
Code:
net stop RemoteAccess
net start RemoteAccess
Yes, this is possible: write a batch file that runs the two 'net' commands and add the following lines to your OpenVPN server config:

Code:

script-security 2 system
up <full-path-to-batch-file-preferable-without-spaces-in-it>

dagost
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 23, 2011 2:23 pm

Re: nat + routing issue on target site

Post by dagost » Wed Aug 24, 2011 9:15 am

And it works, thank you a lot, you solved all my problems.
Have a good day
