vpn and dns/dhcp/firewall not on the same server
Moderators: TinCanTech
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Aug 27, 2014 7:49 am
vpn and dns/dhcp/firewall not on the same server
Hi,
My config :
. VPN server = MAYO - OS debian
openvpn installed
ip-wan = 48.xxx.xxx.253 (eth1)
ip-lan = 192.168.1.19 (eth0)
gw = 48.xxx.xxx.249
vpn network = 192.168.3.0/24
ip-vpn server = 192.168.3.1 (tun0)
. DNS/DHCP/Firewall server = GOZO - OS debian
ip-wan = 48.xxx.xxx.251 (eth1)
ip-lan = 192.168.1.2 (eth0)
gw = 48.xxx.xxx.249
internal network = netwhome
. server.conf =
port 1194
proto udp
dev tun0
ca ca.crt
cert mayo.crt
key mayo.key
dh dh1024.pem
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.3.0 255.255.255.0
push "dhcp-option DNS 193.xxx.xxx.xxx"
push "dhcp-option DNS 192.168.1.2"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4
. ccd/client1 conf =
ifconfig-push 192.168.3.5 192.168.3.6
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
. conf client1 (OS: Windows7) =
client
dev tun
proto udp
remote 48.xxx.xxx.253 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 5
float
route-method exe
route-delay 2
. iptables/rules =
on MAYO = nothing
on GOZO =
ACCEPT all -- 192.168.3.0/24 netwhome/24
port 1194 opened
. GOZO : route -nv =
Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface
0.0.0.0 | 48.xxx.xxx.249 | 0.0.0.0 | UG | 50 | 0 | 0 | eth1
0.0.0.0 | 192.168.1.2 | 0.0.0.0 | UG | 100 | 0 | 0 | eth0
48.xxx.xxx.248 | 0.0.0.0 | 255.255.255.248 | U | 0 | 0 | 0 | eth1
169.254.0.0 | 0.0.0.0 | 255.255.0.0 | U | 1000 | 0 | 0 | eth1
192.168.1.0 | 0.0.0.0 | 255.255.255.0 | U | 0 | 0 | 0 | eth0
. MAYO : route -nv =
Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface
0.0.0.0 | 48.xxx.xxx.249 | 0.0.0.0 | UG | 50 | 0 | 0 | eth1
0.0.0.0 | 192.168.1.2 | 0.0.0.0 | UG | 100 | 0 | 0 | eth0
48.xxx.xxx.248 | 0.0.0.0 | 255.255.255.248 | U | 0 | 0 | 0 | eth1
169.254.0.0 | 0.0.0.0 | 255.255.0.0 | U | 1000 | 0 | 0 | eth0
192.168.1.0 | 0.0.0.0 | 255.255.255.0 | U | 0 | 0 | 0 | eth0
192.168.3.0 | 192.168.3.2 | 255.255.255.0 | UG | 0 | 0 | 0 | tun0
192.168.3.2 | 0.0.0.0 | 255.255.255.255 | UH | 0 | 0 | 0 | tun0
My problem :
. client1 can connect to the VPN server but can't connect to the internet or to the 192.168.1.0 network - only ping and DNS resolution to the VPN server work
. if I install OpenVPN on the GOZO server, all is OK.
Which config/route/firewall is missing (between MAYO/GOZO)?
Any help would be appreciated.
Thanks.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: vpn and dns/dhcp/firewall not on the same server
I think you need to add the following route on GOZO:
route add -net 192.168.3.0 255.255.255.0 gw 192.168.1.19
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Aug 27, 2014 7:49 am
Re: vpn and dns/dhcp/firewall not on the same server
Thanks Michael.
Now client1 can access the local network, but it still can't access the internet.
Dom
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: vpn and dns/dhcp/firewall not on the same server
Is your internet gateway configured to NAT traffic from the 3.0 network to the internet?
Michael.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Aug 27, 2014 7:49 am
Re: vpn and dns/dhcp/firewall not on the same server
. on gozo and mayo :
/proc/sys/net/ipv4/ip_forward = 1
. on gozo :
iptables -A FORWARD -i eth1 -s 192.168.3.0/24 -d 48.xxx.xxx.251 -j ACCEPT
or
iptables -A FORWARD -i eth1 -s 192.168.3.0/24 -d 48.xxx.xxx.249 -j ACCEPT
didn't resolve internet access from 3.0.
But maybe I don't have the correct syntax.
Dom
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: vpn and dns/dhcp/firewall not on the same server
These are FIREWALL rules, not NAT rules...
use
iptables -L -t nat -v
and post the results here
Michael.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Aug 27, 2014 7:49 am
Re: vpn and dns/dhcp/firewall not on the same server
gozo # iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 725K packets, 65M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 483K packets, 35M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 108K packets, 8378K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 15214 packets, 1055K bytes)
pkts bytes target prot opt in out source destination
22M 1438M MASQUERADE all -- any eth1 anywhere anywhere
Thanks
Dom
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Aug 27, 2014 7:49 am
Re: vpn and dns/dhcp/firewall not on the same server
up :
on mayo :
# iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 60491 packets, 11M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 14202 packets, 1175K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3726 packets, 483K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 5013 packets, 556K bytes)
pkts bytes target prot opt in out source destination
I installed :
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE
and now :
iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 4 packets, 572 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth1 192.168.3.0/24 anywhere
and internet access is ok on the client1
Thanks for your help, Michael.
Dom
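The thread converges on two separate fixes: a return route for 192.168.3.0/24 on GOZO pointing at MAYO's LAN address (maikcat's first reply), and a MASQUERADE rule for the VPN subnet on MAYO's eth1 (Dom's last post). The model below, an added example and not code from any of the posts, replays the route tables and the `iptables -L -t nat -v` listing pasted in the thread through a longest-prefix-match lookup, so you can see why each fix was needed: without the route GOZO sends replies to client1 out of its default route on eth1, and because MAYO's own default route is eth1 (metric 50), internet-bound VPN traffic never passes GOZO's existing MASQUERADE rule at all. The masked public addresses (48.xxx.xxx.N) are replaced by the documentation prefix 192.0.2.248/29 and the "internet host" is 203.0.113.10; both are placeholders assumed here only so the addresses parse.

```python
"""Routing and NAT model for the two-host OpenVPN setup in this thread.
Added example, not from the original posts. Route tables and the nat listing
are copied from the thread; 48.xxx.xxx.N is replaced by 192.0.2.N (assumed)."""
import ipaddress
from dataclasses import dataclass

VPN_NET = "192.168.3.0/24"
VPN_CLIENT = "192.168.3.5"            # client1's ifconfig-push address
MAYO_LAN = "192.168.1.19"             # VPN server's LAN address = next hop of the return route
SOME_INTERNET_HOST = "203.0.113.10"   # documentation address standing in for "the internet"

# `route -n` on GOZO as posted, before the fix. Columns: dest gw mask flags metric ref use iface
GOZO_ROUTES = """\
0.0.0.0         192.0.2.249     0.0.0.0         UG    50     0        0 eth1
0.0.0.0         192.168.1.2     0.0.0.0         UG    100    0        0 eth0
192.0.2.248     0.0.0.0         255.255.255.248 U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""
# `route -n` on MAYO as posted; the two tun0 rows come from `server 192.168.3.0 255.255.255.0`.
MAYO_ROUTES = """\
0.0.0.0         192.0.2.249     0.0.0.0         UG    50     0        0 eth1
0.0.0.0         192.168.1.2     0.0.0.0         UG    100    0        0 eth0
192.0.2.248     0.0.0.0         255.255.255.248 U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.3.0     192.168.3.2     255.255.255.0   UG    0      0        0 tun0
192.168.3.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
"""
# POSTROUTING of `iptables -L -t nat -v` as posted: GOZO, MAYO before, MAYO after the fix.
GOZO_NAT = """\
Chain POSTROUTING (policy ACCEPT 15214 packets, 1055K bytes)
 pkts bytes target     prot opt in     out     source               destination
  22M 1438M MASQUERADE  all  --  any    eth1    anywhere             anywhere
"""
MAYO_NAT_BEFORE = """\
Chain POSTROUTING (policy ACCEPT 5013 packets, 556K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
MAYO_NAT_AFTER = MAYO_NAT_BEFORE + """\
    0     0 MASQUERADE  all  --  any    eth1    192.168.3.0/24       anywhere
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # "0.0.0.0" means directly connected
    iface: str
    metric: int


def parse_route_table(text):
    """Parse the body of `route -n` (dotted netmask in the Genmask column)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 8 and f[0][0].isdigit():
            net = ipaddress.IPv4Network(f"{f[0]}/{f[2]}", strict=False)
            routes.append(Route(net, f[1], f[7], int(f[4])))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric on a tie (what the kernel does)."""
    addr = ipaddress.IPv4Address(dst)
    cands = [r for r in routes if addr in r.network]
    return max(cands, key=lambda r: (r.network.prefixlen, -r.metric)) if cands else None


def add_route(routes, network, gateway):
    """Model `route add -net <network> gw <gateway>`: the kernel takes the outgoing
    interface from the connected route that covers the gateway address."""
    via = lookup(routes, gateway)
    if via is None or via.gateway != "0.0.0.0":
        raise ValueError(f"gateway {gateway} is not on a directly connected network")
    routes.append(Route(ipaddress.IPv4Network(network), gateway, via.iface, 0))


def nat_covers(nat_listing, egress_iface, vpn_net):
    """True if a POSTROUTING MASQUERADE/SNAT rule matches vpn_net leaving egress_iface."""
    vpn = ipaddress.IPv4Network(vpn_net)
    in_post = False
    for line in nat_listing.splitlines():
        if line.startswith("Chain "):
            in_post = line.startswith("Chain POSTROUTING")
            continue
        f = line.split()   # pkts bytes target prot opt in out source destination
        if not in_post or len(f) < 9 or f[2] not in ("MASQUERADE", "SNAT"):
            continue
        out, src = f[6], f[7]
        if out in ("any", egress_iface) and (
                src == "anywhere" or vpn.subnet_of(ipaddress.IPv4Network(src))):
            return True
    return False


def gozo_reply_next_hop(with_return_route):
    """Where GOZO forwards a packet addressed to client1 (the reply half of any
    VPN-client -> LAN flow) with and without maikcat's `route add`."""
    routes = parse_route_table(GOZO_ROUTES)
    if with_return_route:
        add_route(routes, VPN_NET, MAYO_LAN)
    r = lookup(routes, VPN_CLIENT)
    return r.gateway, r.iface


def internet_egress_iface(route_text):
    """Interface an internet-bound packet leaves on, per that host's table."""
    return lookup(parse_route_table(route_text), SOME_INTERNET_HOST).iface


def mayo_nat_status(nat_listing):
    """Does MAYO masquerade VPN traffic on the interface it really egresses on?"""
    return nat_covers(nat_listing, internet_egress_iface(MAYO_ROUTES), VPN_NET)


if __name__ == "__main__":
    print("GOZO reply to client1, no route:  ", gozo_reply_next_hop(False))
    print("GOZO reply to client1, with route:", gozo_reply_next_hop(True))
    print("MAYO internet egress interface:   ", internet_egress_iface(MAYO_ROUTES))
    print("GOZO would NAT the VPN subnet:    ", nat_covers(GOZO_NAT, "eth1", VPN_NET))
    print("MAYO NATs VPN subnet before/after:", mayo_nat_status(MAYO_NAT_BEFORE), mayo_nat_status(MAYO_NAT_AFTER))
```

Two practical caveats follow from the model. First, MAYO's MASQUERADE rule only touches packets leaving eth1; LAN-bound packets leave eth0 with their 192.168.3.x source intact, which is exactly why GOZO (the LAN's default gateway) needs the return route, and any LAN host with a different gateway would need it too. A `route add` typed at the shell does not survive a reboot; on Debian it belongs in a `post-up` line for eth0 in /etc/network/interfaces or an equivalent persistent route. Second, the thread states the firewall on MAYO is "nothing": with an empty FORWARD chain and ACCEPT policy, every VPN client can reach the whole LAN and relay traffic anywhere through MAYO, so a stateful FORWARD policy that only allows tun0-originated traffic to the destinations you intend, plus ESTABLISHED,RELATED replies, is the minimum a practitioner should add next to the NAT rule.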