
[Solved] Layer3 configuration without NAT?

Posted: Mon Jul 13, 2015 10:39 pm
by kgc
I'm trying to configure an OpenVPN AS server to use a pool of public IPs for clients without performing any NAT or other traffic mangling or enforced limitations and to just leave it to the kernel to route the traffic as expected. It is easy enough to remove the iptables rule once the service is started (which makes it behave as desired) but I haven't figured out a way to make this persistent within the constraints of the openvpn as server configs.

I attempted to do this by disabling the update of the iptables rules as per one of the FAQs but every combination I've come up with prevents the server from starting even if the persistent iptables rules match what the server would have installed.

Code:

 # ./confdba --mod --key=iptables.vpn.disable.nat --value=True --prof=Default
 # ./confdba --mod --key=iptables.vpn.disable.mangle --value=True --prof=Default
 # ./confdba --mod --key=iptables.vpn.disable.filter --value=True --prof=Default

Code:

{'errors': {'openvpn_0': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live'])")], 'user': [('error', "service failed to start due to unresolved dependencies: set(['iptables_live'])")], 'openvpn_2': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live'])")], 'openvpn_3': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live'])")], 'iptables_live': [('error', "Service deferred error: 'NoneType' object is not iterable: internet/defer:323,sagent/wpsvc:167,sagent/iptlive:49,sagent/iptlive:76,sagent/iptlive:111 (exceptions.TypeError)")], 'crl': [('error', "service failed to start due to unresolved dependencies: set(['user'])")], 'openvpn_1': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live'])")]}, 'service_status': {'bridge': 'started', 'log': 'started', 'license': 'started', 'iptables_web': 'started', 'iptables_openvpn': 'started', 'ip6tables_openvpn': 'started', 'openvpn_1': 'off', 'auth': 'started', 'ip6tables_live': 'started', 'client_query': 'started', 'db_push': 'started', 'api': 'started', 'daemon_pre': 'started', 'web': 'started', 'openvpn_2': 'off', 'openvpn_3': 'off', 'iptables_live': 'on', 'openvpn_0': 'off', 'crl': 'off', 'user': 'off'}}

Re: Layer3 configuration without NAT?

Posted: Sat Jul 18, 2015 12:24 am
by kgc
Turns out this was as easy as using the routing option of "Yes, using routing (advanced)" and adding 0.0.0.0/0 as a private subnet "to which the client should be given access". Thanks to support for pointing this out in a ticket.
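Once the server is switched to "Yes, using routing (advanced)", the practical check is that the nat table no longer rewrites traffic from the client pool. The script below is an added example, not code from the thread or from OpenVPN AS: it parses iptables-save style output and reports any SNAT/MASQUERADE rule whose source match overlaps the pool; the public pool 203.0.113.0/27 and the nat dump are constructed sample data.

```python
"""Verify that an OpenVPN AS client pool is routed, not NATed.

Feed it the real output of `iptables-save -t nat` in place of SAMPLE_NAT;
an empty result means the kernel is left to route the pool unchanged.
"""
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output (not from the thread):
# a private pool that is masqueraded, the public pool we care about behind an
# SNAT rule, and an unrelated pool.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.27.224.0/20 -o eth0 -j MASQUERADE
-A POSTROUTING -s 203.0.113.0/27 -o eth0 -j SNAT --to-source 198.51.100.1
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
"""

# Targets that rewrite the source address of forwarded traffic.
NAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}

def parse_nat_rules(dump):
    """Yield (source_network, target) for each nat-table rule with a -s match."""
    in_nat = False
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *nat or *filter
            in_nat = line == "*nat"
            continue
        if not in_nat or not line.startswith("-A"):
            continue                         # skip chain policies, COMMIT, other tables
        tokens = shlex.split(line)
        src, target = None, None
        for i, tok in enumerate(tokens):
            if tok == "-s" and i + 1 < len(tokens):
                src = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif tok == "-j" and i + 1 < len(tokens):
                target = tokens[i + 1]
        if src is not None and target in NAT_TARGETS:
            yield src, target

def nat_rules_covering(pool, dump):
    """Return (source, target) pairs whose source match overlaps the client pool."""
    pool = ipaddress.ip_network(pool, strict=False)
    return [(str(src), tgt) for src, tgt in parse_nat_rules(dump) if src.overlaps(pool)]

if __name__ == "__main__":
    hits = nat_rules_covering("203.0.113.0/27", SAMPLE_NAT)
    print("pool is NATed by:" if hits else "pool is not NATed", hits)
```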