Problem with iptables behind router
Posted: Sun Feb 16, 2014 2:37 pm
Hello everyone!
I'm in the process of setting up an OpenVPN network for my home use.
The OpenVPN server (running on Debian) is behind a router, on which I've configured a static route (10.8.7.0/24 -> 192.168.100.5) and opened the external port via port forwarding. I've also enabled IP forwarding on the OpenVPN server.
The server (192.168.100.5) I have configured with tun & topology subnet; by default the clients get an address in the 10.8.7.0/24 network.
Now I want my VPN clients to access the 192.168.100.0/24 network, so I'm pushing the route 192.168.100.0 255.255.255.0:

dev tun
topology subnet
server 10.8.7.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
[...]

From the Bridging & Routing website (https://community.openvpn.net/openvpn/w ... AndRouting) I've taken these iptables rules:

# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.7.0/24 -d 192.168.100.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Now when using these settings:
I can ping and access the VPN client (for example 10.8.7.178) from the local network (for example 192.168.100.7) without any problems.
However, I cannot access or ping any clients in the local network (for example 192.168.100.7) from the VPN client.
So I was guessing something is wrong with my iptables settings and the server doesn't forward the packets coming FROM the VPN clients TO the local network correctly.
After searching for a while I came across these iptables settings and tried them:

# Rewrite the source address of everything leaving eth0 to the server's own address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow replies from the LAN back to the VPN clients ("state" is the older alias of "conntrack")
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow everything from the VPN towards the LAN
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

Now, to my surprise, everything works well. I'm having trouble understanding why exactly the first set of rules, which are listed on OpenVPN's website for exactly my configuration ("Using routing and OpenVPN not running on the default gateway"), do not work in my case.
Is there anything I can change with my iptables settings? Is it a good idea to use MASQUERADE with my setup? (server behind router)
Thanks in advance!
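An added example, not from the original post or the OpenVPN wiki: a small POSIX shell script that prints, for review before applying, a default-deny FORWARD ruleset scoped to the poster's interfaces and subnets, with MASQUERADE as an opt-in limited to the VPN source subnet rather than everything leaving eth0. The `vpn_forward_rules` function, the route/nat modes and the `apply` argument are my own naming.

```shell
#!/bin/sh
# Added example: build a scoped OpenVPN forwarding ruleset for the
# "server behind a router" layout. Interface and subnet names are the
# ones from the post; function and argument names are my own.
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.7.0/24}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"

# Print the iptables commands for the chosen mode.
#   route : rely on the router's static route for the VPN subnet; LAN hosts
#           see (and log) the real client address.
#   nat   : also masquerade only VPN-sourced packets leaving the LAN
#           interface, so LAN replies return straight to the server; LAN
#           hosts then log the server's address instead of the client's.
vpn_forward_rules() {
    mode="${1:-route}"
    case "$mode" in
        route|nat) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $VPN_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Scoped NAT: only the VPN subnet, only towards the LAN interface.
    if [ "$mode" = nat ]; then
        echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
    fi
}

# Usage: ./vpn-fw.sh [route|nat]        print the rules for review
#        ./vpn-fw.sh apply [route|nat]  run them (needs root)
case "${1:-}" in
    apply) vpn_forward_rules "${2:-route}" | sh ;;
    *)     vpn_forward_rules "${1:-route}" ;;
esac
```

Both modes leave the FORWARD policy at DROP, so traffic between the two subnets is limited to the listed directions and to replies tracked by conntrack.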