I would like to be able to connect to the web interface and telnet service on the LAN gateway from the client host. The LAN gateway and the OpenVPN server are different hosts, which makes the setup slightly more complicated than if the LAN gateway and OpenVPN server were on the same host. What I have achieved so far is that the client can connect to the VPN server and reach hosts on the LAN behind the VPN server. The client can ping the LAN gateway, but is not able to connect to any services (see section V for detailed tcpdump output of the telnet session). Can anybody help?
I suspect that I have to insert iptables rules on the LAN gateway to allow forwarding of packets between the VPN network and the LAN network. But I don't know why this would be explicitly necessary, as I can't find a drop-all rule in the FORWARD chain. Maybe I am on the wrong track here?
I. Network setup
VPN Client: interface tun0 ip 10.12.0.6 network 10.12.0.0/24
interface wlan0 ip 192.168.1.75 network 192.168.1.0/24
VPN Server: interface tun0 ip 10.12.0.1 network 10.12.0.0/24
interface br-lan ip 192.168.2.254 network 192.168.2.0/24
LAN Gateway: interface br0 ip 192.168.2.1 network 192.168.2.0/24
interface ppp ip ADSL link network to internet
LAN Client: interface eth0 ip 192.168.2.128 network 192.168.2.0/24
II. Routing tables
VPN Client:
Destination Gateway Genmask Flags Metric Ref Use Iface
10.12.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.12.0.1 10.12.0.5 255.255.255.255 UGH 0 0 0 tun0
192.168.2.0 10.12.0.5 255.255.255.0 UG 0 0 0 tun0 # push route directive in server.conf
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 wlan0
VPN Server:
Destination Gateway Genmask Flags Metric Ref Use Iface
10.12.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
10.12.0.0 10.12.0.2 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 br-lan
LAN Gateway:
Destination Gateway Genmask Flags Metric Ref Use Iface
X.X.X.X 0.0.0.0 255.255.255.255 UH 0 0 0 ppp_0_1_32_1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.12.0.0 192.168.2.254 255.255.255.0 UG 1 0 0 br0 # static route to VPN Server
0.0.0.0 X.X.X.X 0.0.0.0 UG 0 0 0 ppp_0_1_32_1
III. Firewall iptables rules on LAN gateway
a) iptables -v -L
Chain INPUT (policy ACCEPT 8295 packets, 356K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- ppp_0_1_32_1 any 192.168.2.0/24 anywhere udp dpt:30006
0 0 ACCEPT tcp -- ppp_0_1_32_1 any anywhere anywhere tcp dpt:30005
1 48 ACCEPT 2 -- any any anywhere anywhere
60 5063 ACCEPT all -- ppp_0_1_32_1 any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT udp -- ppp_0_1_32_1 any anywhere anywhere udp dpt:500
0 0 ACCEPT esp -- ppp_0_1_32_1 any anywhere anywhere
0 0 ACCEPT !esp -- ppp_0_1_32_1 any anywhere anywhere MARK match 0x10000000/0x10000000
23 1328 LOG tcp -- ppp_0_1_32_1 any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
101 5632 DROP all -- ppp_0_1_32_1 any anywhere anywhere
Chain FORWARD (policy ACCEPT 970 packets, 89470 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- ppp_0_1_32_1 any anywhere 224.0.0.22
0 0 DROP all -- ppp_0_1_32_1 any anywhere 224.0.0.2
0 0 ACCEPT udp -- ppp_0_1_32_1 any 192.168.2.0/24 anywhere udp dpt:30006
0 0 ACCEPT tcp -- ppp_0_1_32_1 any anywhere anywhere tcp dpt:30005
958 86709 ACCEPT udp -- ppp_0_1_32_1 any anywhere 192.168.2.254 udp dpt:1194
0 0 ACCEPT all -- any any anywhere 224.0.0.0/3
0 0 TCPMSS tcp -- any ppp_0_1_32_1 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- ppp_0_1_32_1 any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
0 0 ACCEPT all -- ppp_0_1_32_1 any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT !esp -- ppp_0_1_32_1 any anywhere anywhere MARK match 0x10000000/0x10000000
0 0 LOG tcp -- ppp_0_1_32_1 any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
0 0 DROP all -- ppp_0_1_32_1 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 7639 packets, 652K bytes)
pkts bytes target prot opt in out source destination
b) iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 137 packets, 7949 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere 224.0.0.0/3
1 70 DNAT udp -- ppp_0_1_32_1 any anywhere anywhere udp dpt:1194 to:192.168.2.254
Chain POSTROUTING (policy ACCEPT 65 packets, 4550 bytes)
pkts bytes target prot opt in out source destination
1 81 MASQUERADE all -- any ppp_0_1_32_1 192.168.2.0/24 anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
IV. OpenVPN configuration
server.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn.crt
key /etc/openvpn/openvpn.key
dh /etc/openvpn/dh1024.pem
server 10.12.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
persist-key
persist-tun
status /tmp/openvpn-status.log
log /tmp/openvpn.log
verb 3
Client config:
client
dev tun
remote XXX.XXX.XXX
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server
port 1194
user nobody
group nogroup
comp-lzo
persist-key
persist-tun
verb 3
V. tcpdump of telnet session on VPN client host to LAN gateway
a) telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
Connection closed by foreign host.
b) tcpdump on tun0 during the telnet attempt
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
20:15:12.674284 IP (tos 0x10, ttl 64, id 38785, offset 0, flags [DF], proto TCP (6), length 60)
10.12.0.6.54350 > 192.168.2.1.telnet: Flags [S], cksum 0xe30f (correct), seq 71867632, win 5840, options [mss 1460,sackOK,TS val 5639025 ecr 0,nop,wscale 7], length 0
20:15:12.767386 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.2.1.telnet > 10.12.0.6.54350: Flags [S.], cksum 0x7e9b (correct), seq 3362101515, ack 71867633, win 5792, options [mss 1368,sackOK,TS val 787314 ecr 5639025,nop,wscale 7], length 0
20:15:12.767417 IP (tos 0x10, ttl 64, id 38786, offset 0, flags [DF], proto TCP (6), length 52)
10.12.0.6.54350 > 192.168.2.1.telnet: Flags [.], cksum 0xc366 (correct), ack 1, win 46, options [nop,nop,TS val 5639048 ecr 787314], length 0
20:15:12.767530 IP (tos 0x10, ttl 64, id 38787, offset 0, flags [DF], proto TCP (6), length 79)
10.12.0.6.54350 > 192.168.2.1.telnet: Flags [P.], cksum 0x43f6 (correct), seq 1:28, ack 1, win 46, options [nop,nop,TS val 5639048 ecr 787314], length 27 [telnet DO SUPPRESS GO AHEAD, WILL TERMINAL TYPE, WILL NAWS, WILL TSPEED, WILL LFLOW, WILL LINEMODE, WILL NEW-ENVIRON, DO STATUS, WILL XDISPLOC]
20:15:12.861294 IP (tos 0x0, ttl 63, id 39561, offset 0, flags [DF], proto TCP (6), length 52)
192.168.2.1.telnet > 10.12.0.6.54350: Flags [.], cksum 0xc338 (correct), ack 28, win 46, options [nop,nop,TS val 787333 ecr 5639048], length 0
20:15:12.862104 IP (tos 0x0, ttl 63, id 39562, offset 0, flags [DF], proto TCP (6), length 52)
192.168.2.1.telnet > 10.12.0.6.54350: Flags [R.], cksum 0xc334 (correct), seq 1, ack 28, win 46, options [nop,nop,TS val 787333 ecr 5639048], length 0