Open VPN behind firewall


Open VPN behind firewall

Post by erick » Fri May 24, 2013 1:56 pm

I have configured OpenVPN in situations where the OpenVPN server is an Internet-facing server (e.g. a commercial VPS) without many problems; however, this current setup is just a pain. I can ping any machine in the 10.254.0.0/16 subnet from the tun subnet, and any machine in 10.254.0.0/16 can ping any machine in the 10.8.0.0/24 subnet if and only if it has a proper route for it configured. The problem is that I don't have DNS or WINS or any form of Internet access in the VPN clients (even though I can ping the gateway/firewall and the DNS/WINS servers). I don't really know why; it may be a problem with routing, or it may be a firewall issue... either way I'm just at a dead end. The setup follows:

iptables


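*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source-NAT VPN pool traffic to the server's LAN address as it leaves eth0.
# NOTE(review): 10.1.3.18 is not inside 10.254.0.0/16, so the pushed resolvers
# (10.254.1.102 / 10.254.1.110) see queries arriving from 10.1.3.18 -- confirm
# they answer recursive queries for that source.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.1.3.18
COMMIT
*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

##BASIC RULESET
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j REJECT
# SSH throttle.  The original "! --rcheck" rule was the only reference to the
# "ssh" recent list, so nothing ever populated it and every new SSH connection
# was accepted.  Record each new attempt first, then accept only while the
# source has fewer than --hitcount entries within --seconds.  With hitcount 2
# that is one new connection per 120 s per source; raise hitcount to allow more.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh --rsource
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent ! --rcheck --seconds 120 --hitcount 2 --name ssh --rsource -j ACCEPT
##OVPN RULESET
# Pool addresses are only legitimate on tun0.  Without -i tun0 a packet on
# eth0 carrying a forged 10.8.0.0/24 source would also skip the INPUT DROP
# policy.
-A INPUT -i tun0 -s 10.8.0.0/24 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# tun0 may be forwarded anywhere (this already covers the former
# "-i tun0 -o eth0" rule, dropped as redundant).  eth0->tun0 stays fully open
# because the post relies on LAN hosts initiating connections to VPN clients;
# narrow it to "-m conntrack --ctstate RELATED,ESTABLISHED" if that is not
# needed.  NOTE(review): net.ipv4.ip_forward is not shown here; cross-subnet
# ping working implies it is enabled.
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT

##DECLINE
-A FORWARD -j REJECT
-A INPUT -j REJECT

COMMIT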
server.conf


# --- Listener ---------------------------------------------------------------
local 10.1.3.18
port 1194
proto udp
dev tun

# --- PKI material ------------------------------------------------------------
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key  /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem

# --- Client address pool -----------------------------------------------------
server 10.8.0.0 255.255.255.0
# Relative path: resolved against the process working directory (no cd/daemon
# directive appears in this file).
ifconfig-pool-persist ipp.txt
client-to-client

# --- Options pushed to every client ---------------------------------------
# Default route via the tunnel, a route to the LAN, and LAN name servers.
push "redirect-gateway def1"
push "route 10.254.0.0 255.255.0.0"
push "dhcp-option DNS 10.254.1.102"
push "dhcp-option DNS 10.254.1.110"
push "dhcp-option WINS 10.254.1.102"
push "dhcp-option WINS 10.254.1.110"
push "explicit-exit-notify 3"

# --- Session behaviour -------------------------------------------------------
keepalive 10 120
# NOTE(review): compressing traffic inside the TLS tunnel lets an attacker who
# can inject chosen data alongside a secret infer that secret from packet
# sizes; consider dropping comp-lzo on both ends if clients browse through
# the tunnel.
comp-lzo
# Keep key material and the tun device across SIGUSR1 restarts so the
# unprivileged user below does not need to re-open them.
persist-key
persist-tun
user nobody
group nobody

# --- Logging -----------------------------------------------------------------
status openvpn-status.log
log openvpn.log
verb 3
mute 20
client.ovpn


# --- Transport ---------------------------------------------------------------
client
dev tun
proto udp
tun-mtu 1500
remote ***.***.***.*** 1194
resolv-retry 50
nobind

# --- Routing -----------------------------------------------------------------
# The server already pushes "redirect-gateway def1"; this local, flag-less
# redirect-gateway is presumably merged with it.  NOTE(review): having both is
# redundant and easy to misread -- consider relying on the pushed option alone.
redirect-gateway

# --- Credentials and peer verification --------------------------------------
ca   "C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\config_LAN\ca.crt"
cert "C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\config_LAN\client.crt"
key  "C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\config_LAN\client.key"
# Refuse a peer whose certificate does not carry nsCertType=server, so another
# client certificate signed by the same CA cannot pose as the server.
# NOTE(review): newer releases prefer "remote-cert-tls server", which checks
# extendedKeyUsage instead -- confirm the server cert has serverAuth before
# switching.
ns-cert-type server

# --- Session behaviour -------------------------------------------------------
persist-key
persist-tun
comp-lzo
verb 3
