Separate subnet behind VPN/FW

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
louarn
OpenVPN User
Posts: 21
Joined: Wed Oct 21, 2020 2:23 pm


Post by louarn » Fri Dec 16, 2022 9:52 am

Hi all,

I'm coming back to a problem I encountered a few months ago, but with one change compared to back then.

I have a VPN server (v 2.4.7-1), which can be reached from anywhere on the internet (XXX.XXX.XXX.XXX on eth0). It also serves as a firewall, because there is indeed a network behind it. Actually two networks: one in 192.168.0.0/24 (on eth1) for the production machines and one in 192.168.10.0/24 for the development, test and qualification machines (on eth1:1 of the FW).
I created several routes on the VPN and put some iptables rules to filter users according to their status and therefore the machines they are allowed to join. Developers should never be able to reach production servers.

Here is my server conf and below, the vpn configuration file for two clients, a prod and a dev.


local XXX.XXX.XXX.XXX
port 1194
proto tcp
dev tun

# Misc
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
status /var/log/openvpn/status.log
verb 5
tcp-queue-limit 256

# Openvpn certs
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
cipher AES-256-CBC
crl-verify crl.pem

# Network
topology subnet
mode server
server 10.8.0.0 255.255.255.0
#ifconfig-pool-persist ipp.txt
keepalive 10 120

### DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.22"
push "dhcp-option DNS 192.168.0.94"
push "redirect-gateway def1 bypass-dhcp"

### Clients
client-config-dir /etc/openvpn/ccd
###### prod
route 10.8.1.0 255.255.255.0
###### dev
route 10.8.2.0 255.255.255.0

### Private network
client-to-client
#push "route 192.168.0.0 255.255.255.0"
#push "route 192.168.10.0 255.255.255.0"

Prod and dev user conf:


client
dev tun
proto tcp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
verb 5
mssfix 1420
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>

And in ccd/
prod_user:


ifconfig-push 10.8.1.10 255.255.0.0
iroute 192.168.0.0 255.255.255.0
iroute 192.168.10.0 255.255.255.0

I tried: ifconfig-push 10.8.1.10 10.8.1.11, but it doesn't work (it waits for the TUN/TAP adapter for ages).

dev_user:


ifconfig-push 10.8.2.10 255.255.0.0
iroute 192.168.10.0 255.255.255.0

In my iptables rules:

#openVpn
iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -s 10.8.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun+ -s 10.8.1.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun+ -s 10.8.2.0/24 -d 192.168.10.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT

And my firewall routes:


default via XXX.XXX.XXX.XXX dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.8.1.0/24 via 10.8.0.2 dev tun0
10.8.2.0/24 via 10.8.0.2 dev tun0
XXX.XXX.XXX.XXX dev eth0 scope link
169.254.169.254 via 192.168.0.6 dev eth1
192.168.0.0/24 via 192.168.0.10 dev eth1 scope link
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.10
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.10

Unfortunately, that doesn't work. With both users, I can ping the internal IP of the firewall (192.168.0.10 on eth1), but I can never reach the production network or the dev network. Can someone tell me where it's stuck?
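An added check for the ruleset quoted in the post above, written for this page and not taken from the poster or from OpenVPN. It replays the `-A FORWARD` lines exactly as posted against the flows the design calls for: a prod client to the production LAN and that LAN's reply, a dev client to the dev LAN, a dev client to the production LAN (must be denied), and a client from the default 10.8.0.0/24 pool to production. Netfilter evaluates a chain first match wins, then the chain policy; the post does not show the FORWARD policy, so DROP is assumed here (with an ACCEPT policy the per-subnet rules would filter nothing, since every unmatched packet is accepted). Under the DROP assumption the posted chain has no rule that lets ESTABLISHED replies come back in on eth1 and out on tun+ (only eth0 to tun+ is covered), and the `-s 10.8.0.0/24` rule lets any client that has no ccd entry reach production. A HARDENED_FORWARD variant, also written here, adds a stateful return rule and drops the pool rule. Interface names, the .50 hosts and the flow list are constructed. One caveat the check cannot model: `client-to-client` makes OpenVPN forward packets between connected clients inside the daemon, so that traffic never reaches the FORWARD chain; to keep prod and dev clients apart at the firewall, that directive has to be removed.

```python
"""Offline first-match replay of an iptables FORWARD chain.
Added example for this thread, not the poster's code. POSTED_FORWARD is the
FORWARD part of the ruleset quoted above; HARDENED_FORWARD is written here.
Flows, the .50 hosts and the DROP chain policy are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import shlex

POSTED_FORWARD = """
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -s 10.8.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun+ -s 10.8.1.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun+ -s 10.8.2.0/24 -d 192.168.10.0/24 -j ACCEPT
"""
HARDENED_FORWARD = """
# replies of already-accepted connections, whichever interfaces they cross
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# prod clients -> production LAN, dev clients -> dev LAN; nothing for the 10.8.0.0/24 pool
iptables -A FORWARD -i tun+ -o eth1 -s 10.8.1.0/24 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i tun+ -o eth1 -s 10.8.2.0/24 -d 192.168.10.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state NEW -j ACCEPT
"""

@dataclass(frozen=True)
class Flow:
    in_if: str
    out_if: str
    src: str
    dst: str
    state: str  # what conntrack would report: NEW or ESTABLISHED

@dataclass(frozen=True)
class Rule:
    in_if: object   # None means "any interface"
    out_if: object
    src: object     # ip_network or None
    dst: object
    states: object  # frozenset of --state values or None
    target: str
    text: str

def parse_rule(line):
    """Parse the option subset used in the thread; None for anything not -A FORWARD."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] in ("-A", "-i", "-o", "-s", "-d", "-j", "--state"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1  # -m state, -p tcp, comment words: irrelevant to the match
    if opts.get("-A") != "FORWARD":
        return None
    states = opts.get("--state")
    return Rule(opts.get("-i"), opts.get("-o"),
                ip_network(opts["-s"]) if "-s" in opts else None,
                ip_network(opts["-d"]) if "-d" in opts else None,
                frozenset(states.split(",")) if states else None,
                opts["-j"], line.strip())

def parse_chain(script):
    return [r for r in map(parse_rule, script.splitlines()) if r is not None]

def _iface_match(pattern, name):
    if pattern is None:
        return True
    if pattern.endswith("+"):  # iptables wildcard: tun+ matches tun0, tun1, ...
        return name.startswith(pattern[:-1])
    return name == pattern

def matches(rule, flow):
    return (_iface_match(rule.in_if, flow.in_if) and _iface_match(rule.out_if, flow.out_if)
            and (rule.src is None or ip_address(flow.src) in rule.src)
            and (rule.dst is None or ip_address(flow.dst) in rule.dst)
            and (rule.states is None or flow.state in rule.states))

def verdict(rules, flow, policy="DROP"):
    """First matching rule wins, as in netfilter; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, flow):
            return rule.target, rule.text
    return policy, "chain policy"

def audit(script, flows, policy="DROP"):
    rules = parse_chain(script)
    return {name: verdict(rules, flow, policy)[0] for name, flow in flows.items()}

# Constructed flows; 192.168.x.50 stand for arbitrary hosts on each LAN.
FLOWS = {
    "prod_to_prodlan": Flow("tun0", "eth1", "10.8.1.10", "192.168.0.50", "NEW"),
    "prodlan_reply": Flow("eth1", "tun0", "192.168.0.50", "10.8.1.10", "ESTABLISHED"),
    "dev_to_devlan": Flow("tun0", "eth1", "10.8.2.10", "192.168.10.50", "NEW"),
    "dev_to_prodlan": Flow("tun0", "eth1", "10.8.2.10", "192.168.0.50", "NEW"),
    "pool_to_prodlan": Flow("tun0", "eth1", "10.8.0.5", "192.168.0.50", "NEW"),
}

if __name__ == "__main__":
    for label, script in (("posted", POSTED_FORWARD), ("hardened", HARDENED_FORWARD)):
        print(label, audit(script, FLOWS))
```

Running it shows the posted chain accepting the prod and dev outbound flows but sending the LAN reply to the chain policy, and accepting the pool client into production; the hardened chain accepts the reply and denies both dev-to-prod and pool-to-prod. The same harness can be pointed at a real `iptables-save` dump (the `-A FORWARD` lines parse unchanged) to regression-test the separation before a rule change is deployed.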
