Server/client same machine real nat-routing
Posted: Sat Sep 16, 2017 3:51 pm
Hello,
I've got OpenVPN running on a Linux IPFire firewall. The target is to connect a roadwarrior to the server, reach all machines inside the LAN, and route the internet traffic of the LAN clients and the roadwarrior to an OpenVPN client that is connected to a public VPN provider and running on the same machine.
I can't get the proper NAT routing to work.
The firewall has two NICs:
WAN 192.168.178.2/24 (red0)
LAN 172.16.0.4/24 (green0)
If only the server is up, the roadwarrior can connect and can see all machines in the LAN; the public IP of the roadwarrior is the public IP of the machine.
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default gateway 0.0.0.0 UG 0 0 0 red0
10.96.211.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
10.96.211.2 * 255.255.255.255 UH 0 0 0 tun0
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
192.168.33.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
If only the client is up, and I do
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o tun0 -j MASQUERADE   # append (-A) the masquerade rule for LAN traffic leaving via the client tunnel
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.199.1 128.0.0.0 UG 0 0 0 tun0
default gateway 0.0.0.0 UG 0 0 0 red0
10.0.199.0 * 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.0.199.1 128.0.0.0 UG 0 0 0 tun0
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
178.162.194.30 gateway 255.255.255.255 UGH 0 0 0 red0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
all machines inside the LAN use the client tunnel; the public IP of all LAN machines is the VPN provider's IP.
If server and client are up:
all machines inside the LAN use the client tunnel; the public IP of all LAN machines is the VPN provider's IP.
The roadwarrior can't connect.
(Server is now tun0, client is tun1.)
and
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o tun1 -j MASQUERADE   # same masquerade rule, now on the tun1 client tunnel
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
default gateway 0.0.0.0 UG 0 0 0 red0
10.0.197.0 * 255.255.255.0 U 0 0 0 tun1
10.96.211.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
10.96.211.2 * 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.0.197.1 128.0.0.0 UG 0 0 0 tun1
172.16.0.0 * 255.255.255.0 U 0 0 0 green0
178.162.194.30 gateway 255.255.255.255 UGH 0 0 0 red0
192.168.33.0 10.96.211.2 255.255.255.0 UG 0 0 0 tun0
192.168.178.0 * 255.255.255.0 U 0 0 0 red0
gateway * 255.255.255.255 UH 0 0 0 red0
The only thing that's logical to me is that the roadwarrior can't get an answer because all the traffic goes through tun1.
I've been googling and working on this for a week. I can't get the proper NAT routing to work.
I'm a programmer, not a networker.
Any help is very welcome.
Here is some further information:
Server
#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local 192.168.178.2
dev tun
proto udp
port 1194
script-security 3 system
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.96.211.0 255.255.255.0
tun-mtu 1500
route 192.168.33.0 255.255.255.0
client-to-client
mtu-disc yes
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
cipher AES-256-CBC
auth SHA512
tls-auth /var/ipfire/ovpn/certs/ta.key
comp-lzo
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3
Client
proto udp
tun-mtu 1500
fragment 1300
mssfix
cipher AES-256-CBC
ignore-unknown-option ncp-disable # ovpn 2.3 to 2.4 transition
ncp-disable
remote xxxprivacy.com 149
remote xxxprivacy.com 1151
remote xxxperfect-privacy.com 1150
remote xxxperfect-privacy.com 1149
remote xxxperfect-privacy.com 1148
remote xxxperfect-privacy.com 148
remote xxxperfect-privacy.com 151
remote xxxperfect-privacy.com 150
auth SHA512
auth-user-pass /etc/openvpn/password.txt
client
comp-lzo
dev tun
#float
hand-window 120
inactive 604800
mute-replay-warnings
nobind
ns-cert-type server
persist-key
persist-remote-ip
persist-tun
ping 5
ping-restart 120
redirect-gateway def1
remote-random
reneg-sec 3600
resolv-retry 60
route-delay 2
route-method exe
script-security 2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4
tun-ipv6
down /etc/openvpn/update-resolv-conf
up /etc/openvpn/update-resolv-conf
key-direction 1
<ca>
-----BEGIN CERTIFICATE---
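One way to keep the roadwarrior reachable while the provider tunnel owns the default route, as an added example that is not code from the original post or from IPFire: a small POSIX shell script that installs a policy-routing rule so packets the firewall sends from its own WAN address 192.168.178.2 (which includes the OpenVPN server's UDP 1194 replies to the roadwarrior) leave via red0 and the real gateway instead of tun1, and that masquerades both the LAN and the roadwarrior pool on tun1. Forwarded LAN and roadwarrior packets carry other source addresses, so they still follow the main table with its two `def1` half-routes into tun1, and the 10.96.211.0/24 and 172.16.0.0/24 routes are more specific than those, so LAN-to-roadwarrior traffic is unaffected. Assumptions not in the post: the WAN gateway 192.168.178.1 (the route tables only show it as "gateway"), routing table number 100, rule priority 1000, and that the server really answers from 192.168.178.2, which means enabling the commented-out `local 192.168.178.2` line in the server config (or using OpenVPN's `multihome` option); otherwise, with the `def1` routes active, the kernel may choose the tun1 address as the reply source. Without APPLY=1 the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post or IPFire): keep the OpenVPN
# server's replies to the roadwarrior on red0 while the provider tunnel on
# tun1 holds the 0.0.0.0/1 and 128.0.0.0/1 routes, and masquerade LAN and
# roadwarrior traffic into that tunnel.
# Values taken from the post: red0 192.168.178.2, green0 172.16.0.0/24,
# roadwarrior pool 10.96.211.0/24, server on tun0, provider client on tun1.
# Assumed (not in the post): WAN gateway 192.168.178.1, table 100, prio 1000.
set -eu

WAN_IF=red0
WAN_IP=192.168.178.2
WAN_GW=192.168.178.1          # assumption: the "gateway" in the route tables
LAN_NET=172.16.0.0/24
RW_NET=10.96.211.0/24         # from "server 10.96.211.0 255.255.255.0"
VPN_IF=tun1                   # provider tunnel while the server holds tun0
TABLE=100                     # assumed free routing table number
PRIO=1000                     # assumed rule priority (consulted before main)

# Dry run by default: print each command. Run with APPLY=1 as root to apply.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Policy route: anything the firewall itself sends from its WAN address,
# including the OpenVPN server's UDP 1194 replies, is looked up in table
# 100, whose only route is the real default gateway on red0. Forwarded
# LAN/roadwarrior packets have other sources and keep using the main table,
# i.e. the def1 routes into tun1.
bypass_rules() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add from "$WAN_IP" lookup "$TABLE" priority "$PRIO"
}

# NAT: the LAN and the roadwarrior pool are private ranges the provider
# will not route back, so both are masqueraded to the tun1 address.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$RW_NET" -o "$VPN_IF" -j MASQUERADE
}

# Verification: ask the kernel which way a locally generated reply from the
# WAN address and a forwarded LAN packet would go (203.0.113.10 is a
# documentation address used only as a sample destination).
# Expected after applying: red0 for the first lookup, tun1 for the second.
verify() {
    run ip route get 203.0.113.10 from "$WAN_IP"
    run ip route get 203.0.113.10 from 172.16.0.10 iif green0
}

bypass_rules
nat_rules
verify
```

Run it once without APPLY to review the commands, then `APPLY=1 sh script.sh` as root; the two `ip route get` lookups in verify() should report red0 and tun1 respectively. The rules are not persistent: they have to be re-applied after a reboot or a tunnel restart (for example from a startup hook such as IPFire's firewall.local), and IPFire's FORWARD chain must also permit tun0 and green0 to reach tun1, which the script does not touch.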