I've got OpenVPN running on a Linux IPFire firewall. The target is to connect a roadwarrior to the server, reach all machines inside the LAN and route the internet traffic of the LAN clients and the roadwarrior to an OpenVPN client, connected to a public VPN provider and running on the same machine.
Can't get the proper NAT routing to work.
The firewall has two NICs:
WAN 192.168.178.2/24 (red0)
LAN 172.16.0.4/24 (green0)
If only the server is up, the roadwarrior can connect, can see all machines in the LAN, and the public IP of the roadwarrior is the public IP of the machine.
```
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default gateway 0.0.0.0 UG 0 0 0 red0
10.96.211.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
10.96.211.2 * 255.255.255.255 UH 0 0 0 tun0
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
192.168.33.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
```
If only the client is up, and I do

```
iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -o tun0 -j MASQUERADE
```

```
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.199.1 128.0.0.0 UG 0 0 0 tun0
default gateway 0.0.0.0 UG 0 0 0 red0
10.0.199.0 * 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.0.199.1 128.0.0.0 UG 0 0 0 tun0
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
178.162.194.30 gateway 255.255.255.255 UGH 0 0 0 red0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
```
all machines inside the LAN use the client tunnel; the public IP of all LAN machines is the VPN provider IP.
Roadwarrior can't connect.
(Server is now tun0, client is tun1)
and

```
iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -o tun1 -j MASQUERADE
```

```
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
default gateway 0.0.0.0 UG 0 0 0 red0
10.0.197.0 * 255.255.255.0 U 0 0 0 tun1
10.96.211.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
10.96.211.2 * 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
178.162.194.30 gateway 255.255.255.255 UGH 0 0 0 red0
192.168.33.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
```
I've been googling and working on this for a week. Can't get the proper NAT routing to work.
I'm a programmer, not a networker.

Any help is very welcome.
Here is some further information:
Server

```
daemon openvpnserver
writepid /var/run/openvpn.pid
dev tun
proto udp
port 1194
script-security 3 system
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.96.211.0 255.255.255.0
tun-mtu 1500
route 192.168.33.0 255.255.255.0
client-to-client
mtu-disc yes
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
cipher AES-256-CBC
auth SHA512
tls-auth /var/ipfire/ovpn/certs/ta.key
comp-lzo
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3
```
Client

```
proto udp
tun-mtu 1500
fragment 1300
mssfix
cipher AES-256-CBC
ignore-unknown-option ncp-disable
ncp-disable
remote xxxprivacy.com 149
remote xxxprivacy.com 1151
remote xxxperfect-privacy.com 1150
remote xxxperfect-privacy.com 1149
remote xxxperfect-privacy.com 1148
remote xxxperfect-privacy.com 148
remote xxxperfect-privacy.com 151
remote xxxperfect-privacy.com 150
auth SHA512
auth-user-pass /etc/openvpn/password.txt
client
comp-lzo
dev tun
hand-window 120
inactive 604800
mute-replay-warnings
nobind
ns-cert-type server
persist-key
persist-remote-ip
persist-tun
ping 5
ping-restart 120
redirect-gateway def1
remote-random
reneg-sec 3600
resolv-retry 60
route-delay 2
route-method exe
script-security 2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4
tun-ipv6
down /etc/openvpn/update-resolv-conf
up /etc/openvpn/update-resolv-conf
key-direction 1
<ca>
```
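Added illustration, not part of the post or of IPFire: a small Python simulation of the kernel's longest-prefix route lookup over the third routing table above (both tunnels up). It shows why a reply to a roadwarrior that arrived on red0 is sent out through tun1 once `redirect-gateway def1` installs the two /1 routes, and how a source-based policy rule for the red0 address keeps such replies on red0. The red0 gateway (192.168.178.1) and the roadwarrior address (203.0.113.50) are assumed values.

```python
import ipaddress

# Routing table copied from the post (both tunnels up: server tun0, client tun1).
# route -n prints "gateway" for the red0 next hop; 192.168.178.1 is an assumed value.
RED_GW = "192.168.178.1"
ROUTE_N = """\
default 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
default gateway 0.0.0.0 UG 0 0 0 red0
10.0.197.0 * 255.255.255.0 U 0 0 0 tun1
10.96.211.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
10.96.211.2 * 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
178.162.194.30 gateway 255.255.255.255 UGH 0 0 0 red0
192.168.33.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0"""

def parse_route_n(text):
    """Turn route -n style lines into (network, gateway, iface) triples."""
    table = []
    for line in text.splitlines():
        dst, gw, mask, *_flags_and_counters, iface = line.split()
        dst = "0.0.0.0" if dst == "default" else RED_GW if dst == "gateway" else dst
        gw = None if gw == "*" else RED_GW if gw == "gateway" else gw
        table.append((ipaddress.ip_network(f"{dst}/{mask}", strict=False), gw, iface))
    return table

def lookup(table, dst):
    """Kernel-style longest-prefix match; returns (iface, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[2], best[1])

# Mitigation sketch: "ip rule add from 192.168.178.2 table <n>" with a table that holds
# only the ISP default, so replies sourced from red0 escape redirect-gateway's /1 routes.
RED_TABLE = parse_route_n("default gateway 0.0.0.0 UG 0 0 0 red0\n"
                          "192.168.178.0 * 255.255.255.0 U 0 0 0 red0")
RULES = [("192.168.178.2", RED_TABLE)]  # (source address, table) pairs, checked in order

def route_with_rules(main, rules, src, dst):
    """Policy routing: source-address rules are consulted before the main table."""
    for rule_src, table in rules:
        if src == rule_src and lookup(table, dst) is not None:
            return lookup(table, dst)
    return lookup(main, dst)

if __name__ == "__main__":  # 203.0.113.50 is a constructed roadwarrior public address
    main = parse_route_n(ROUTE_N)
    print("main table:", lookup(main, "203.0.113.50"))
    print("policy rule:", route_with_rules(main, RULES, "192.168.178.2", "203.0.113.50"))
```

The script only models the route choice; on the firewall the equivalent is an `ip route add default via <gw> dev red0 table <n>` plus the `ip rule`, and the OpenVPN server must answer from the red0 address (its `local` or `multihome` option) for the rule to match.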