I'm able to connect to tcp and ping to my server and client with this configuration:
Client:
Code:
client
dev tun
server-poll-timeout 1
#tcp ports
<connection>
remote 172.16.189.143 443 tcp
connect-retry 1
connect-timeout 1
</connection>
auth-user-pass
cert keys/client.crt
key keys/client.key
ca keys/ca.crt
tls-auth keys/ta.key 1
user nobody
group nogroup
persist-key
persist-tun
pull
comp-lzo
verb 3
mute 20
log log/openvpn.log
status log/openvpn-status.log
server tcp20:
Code:
topology subnet
proto tcp
port 20
auth-user-pass-verify users/users.sh via-env
script-security 3 system
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
tls-auth keys/ta.key 0
dev tun0
server 172.17.0.0 255.255.255.0
keepalive 10 120
client-config-dir ccd
comp-lzo
persist-key
persist-tun
user nobody
group nobody
log-append log/tcp20.log
status log/openvpn-status.log
verb 3
Code:
#!/bin/bash
IPTABLES=$(which iptables)
MODPROBE=$(which modprobe)
TCP_IFACE=eth0
UDP_IFACE=eth1
# enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# flush existing rules
$IPTABLES -F
$IPTABLES -t nat -F
# load netfilter modules
$MODPROBE iptable_nat
# redirect TCP ports (443 on the outside to the OpenVPN TCP instance on port 20)
$IPTABLES -t nat -A PREROUTING -i $TCP_IFACE -p tcp --dport 443 -j DNAT --to 172.16.189.143:20
$IPTABLES -t nat -A POSTROUTING -p tcp -j MASQUERADE
#redirect UDP ports
#$IPTABLES -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 1194,123 -j DNAT --to 172.16.189.143:53
#$IPTABLES -t nat -A POSTROUTING -p udp -j MASQUERADE
# policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
But this configuration is only listening on TCP. When adding a second config file for my UDP, both UDP and TCP can establish a connection but they can't ping over the VPN. (and uncommenting the udp rules in my firewall).
I've tried building a setup mentioned in this topic10473.html (reply 4). But failed to make any improvements. Does anyone have any idea what I'm doing wrong?
server config file udp53
Code:
proto udp
port 53
auth-user-pass-verify users/users.sh via-env
script-security 3 system
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
tls-auth keys/ta.key 0
dev tun11
server 172.17.0.0 255.255.255.0
keepalive 10 120
client-config-dir ccd
comp-lzo
persist-key
persist-tun
user nobody
group nobody
log-append log/udp53.log
status log/openvpn-status.log
verb 3
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun11
172.17.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.16.189.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 172.16.189.2 0.0.0.0 UG 0 0 0 eth0
routing table on the client:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.0.1 0.0.0.0 UG 0 0 0 eth0
10.1.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
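One thing that stands out in the two server configs above is that both instances use `server 172.17.0.0 255.255.255.0`, one on tun0 and one on tun11. The kernel can hold only one route for that /24, and the server routing table shows it pointing at tun0 (tun11 gets only a /32 host route), so replies for clients of the UDP instance are sent out the wrong interface. The following is an added check, not code from the original post, that parses OpenVPN server config files and reports `server` subnets that overlap between instances. The config texts are constructed here to mirror the shape of the posted files; the file names and the fixed subnet 172.18.0.0/24 are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample configs, reduced to the directives the check needs.
# Both instances share the same tunnel subnet, as in the posted configs.
CONFLICTING_CONFIGS: Dict[str, str] = {
    "tcp20.conf": """
proto tcp
port 20
dev tun0
server 172.17.0.0 255.255.255.0
""",
    "udp53.conf": """
proto udp
port 53
dev tun11
server 172.17.0.0 255.255.255.0
""",
}

# Same pair with the UDP instance moved to its own subnet (assumed value).
FIXED_CONFIGS: Dict[str, str] = {
    "tcp20.conf": CONFLICTING_CONFIGS["tcp20.conf"],
    "udp53.conf": """
proto udp
port 53
dev tun11
server 172.18.0.0 255.255.255.0
""",
}


def parse_server_directive(text: str) -> Tuple[Optional[str], Optional[ipaddress.IPv4Network]]:
    """Return (dev, network) from an OpenVPN server config.

    Comments after '#' are stripped; only the 'dev' and 'server' directives
    are inspected. 'server' takes a network address and a dotted netmask.
    """
    dev = None
    net = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "dev" and len(parts) >= 2:
            dev = parts[1]
        elif parts[0] == "server" and len(parts) >= 3:
            # ipaddress accepts "address/netmask" in dotted form.
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return dev, net


def find_overlaps(configs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (config_a, config_b, subnet_a) for every pair whose tunnel subnets overlap."""
    entries = []
    for name, text in configs.items():
        dev, net = parse_server_directive(text)
        if net is not None:
            entries.append((name, dev, net))
    overlaps = []
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            name_a, _, net_a = entries[i]
            name_b, _, net_b = entries[j]
            if net_a.overlaps(net_b):
                overlaps.append((name_a, name_b, str(net_a)))
    return overlaps


if __name__ == "__main__":
    for label, configs in (("conflicting", CONFLICTING_CONFIGS), ("fixed", FIXED_CONFIGS)):
        result = find_overlaps(configs)
        if result:
            for a, b, net in result:
                print(f"{label}: {a} and {b} both hand out {net}; only one kernel route can exist for it")
        else:
            print(f"{label}: no overlapping tunnel subnets")
```

Run it against the real files by reading them into the dict instead of the constructed strings. Each OpenVPN instance needs its own `server` subnet so that the kernel has a distinct route per tun device; the check above only flags the overlap, it does not edit any config.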