Simple "roadwarrior" VPN
Posted: Mon Apr 11, 2011 8:56 pm
by briankb
Hello, I am trying to set up a typical roadwarrior-style VPN. I would like my OpenVPN client device to send all its traffic through my home network. My client and server can already connect; now I just need to configure tunneling/routing.
My ISP (Verizon FiOS) requires me to use their router. I have forwarded port 31194 for OpenVPN on that router. I have connected a switch to that router and installed OpenVPN on it. This switch is just a DD-WRT router with the WAN port disabled. My OpenVPN client is a Droid running CyanogenMod 7. It can connect to the OpenVPN server locally and remotely. I can confirm this by doing "tcpdump -i tun0" on the server. It shows the connection requests coming from the client.
The router IP is 192.168.1.1, and the Openvpn server IP is 192.168.1.129.
Server config:
dev tun
server 192.168.5.0 255.255.255.0
port 31194
dh dh2048.pem
ca ca.crt
cert belkin-play.crt
key belkin-play.key
script-security 2
push "route 192.168.1.0 255.255.255.0"
user nobody
group nobody
persist-tun
persist-key
keepalive 10 60
Client config:
client
remote dyndns.example.com 31194 udp
dev tun
tls-client
ca ca.crt
cert client.crt
key client.key
keepalive 10 60
redirect-gateway
Here is the server's route table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.5.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 192.168.5.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 0 0 0 br0
Also, IP forwarding is enabled:
# cat /proc/sys/net/ipv4/ip_forward
1
Re: Simple "roadwarrior" VPN
Posted: Mon Apr 11, 2011 9:00 pm
by janjust
add
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
to the DD-WRT router. This will ensure that all traffic will appear to come from the dd-wrt router (and hence your Verizon router).
Re: Simple "roadwarrior" VPN
Posted: Mon Apr 11, 2011 9:18 pm
by briankb
@janjust Thanks for your quick response

That did not seem to have any effect. Here is the output of tcpdump as I attempt to ping 8.8.8.8 from the client. No responses were received by the client. Then I list the iptables rules:
# iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 68 bytes
22:15:16.511755 IP 192.168.5.6 > google-public-dns-a.google.com: ICMP echo request, id 10847, seq 1, length 64
22:15:17.502545 IP 192.168.5.6 > google-public-dns-a.google.com: ICMP echo request, id 10847, seq 2, length 64
22:15:18.503380 IP 192.168.5.6 > google-public-dns-a.google.com: ICMP echo request, id 10847, seq 3, length 64
22:15:19.503901 IP 192.168.5.6 > google-public-dns-a.google.com: ICMP echo request, id 10847, seq 4, length 64
22:15:20.504073 IP 192.168.5.6 > google-public-dns-a.google.com: ICMP echo request, id 10847, seq 5, length 64
22:15:21.505981 IP 192.168.5.6 > google-public-dns-a.google.com: ICMP echo request, id 10847, seq 6, length 64
6 packets captured
6 packets received by filter
0 packets dropped by kernel
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
invalid 0 -- anywhere anywhere state INVALID
ACCEPT 0 -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
invalid 0 -- anywhere anywhere state INVALID
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain advgrp_1 (0 references)
target prot opt source destination
Chain advgrp_10 (0 references)
target prot opt source destination
Chain advgrp_2 (0 references)
target prot opt source destination
Chain advgrp_3 (0 references)
target prot opt source destination
Chain advgrp_4 (0 references)
target prot opt source destination
Chain advgrp_5 (0 references)
target prot opt source destination
Chain advgrp_6 (0 references)
target prot opt source destination
Chain advgrp_7 (0 references)
target prot opt source destination
Chain advgrp_8 (0 references)
target prot opt source destination
Chain advgrp_9 (0 references)
target prot opt source destination
Chain bruteprotect (0 references)
target prot opt source destination
0 -- anywhere anywhere recent: SET name: BRUTEFORCE side: source
RETURN 0 -- anywhere anywhere !recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source
LOG 0 -- anywhere anywhere LOG level warning tcp-options ip-options prefix `[DROP BRUTEFORCE] : '
DROP 0 -- anywhere anywhere
Chain grp_1 (0 references)
target prot opt source destination
Chain grp_10 (0 references)
target prot opt source destination
Chain grp_2 (0 references)
target prot opt source destination
Chain grp_3 (0 references)
target prot opt source destination
Chain grp_4 (0 references)
target prot opt source destination
Chain grp_5 (0 references)
target prot opt source destination
Chain grp_6 (0 references)
target prot opt source destination
Chain grp_7 (0 references)
target prot opt source destination
Chain grp_8 (0 references)
target prot opt source destination
Chain grp_9 (0 references)
target prot opt source destination
Chain invalid (2 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `[DROP INVALID WAN] : '
DROP 0 -- anywhere anywhere
Chain lan2wan (0 references)
target prot opt source destination
Chain logaccept (0 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
Chain trigger_out (0 references)
target prot opt source destination
Re: Simple "roadwarrior" VPN
Posted: Mon Apr 11, 2011 9:23 pm
by janjust
just to make sure:
* flush the existing iptables rules (iptables -F)
* post the output of 'iptables -t nat -L -n -v'
* is 'eth0' indeed the outgoing interface on the dd-wrt box connected to the verizon router?
Re: Simple "roadwarrior" VPN
Posted: Mon Apr 11, 2011 9:53 pm
by briankb
Ok, this is immediately after a fresh reboot:
# iptables -F
# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 13 packets, 1691 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 7 packets, 520 bytes)
pkts bytes target prot opt in out source destination
6 593 MASQUERADE 0 -- * br0 192.168.1.0/24 192.168.1.0/24
Chain OUTPUT (policy ACCEPT 13 packets, 1113 bytes)
pkts bytes target prot opt in out source destination
janjust wrote:* is 'eth0' indeed the outgoing interface on the dd-wrt box connected to the verizon router?
It might be br0? I'm still new to Linux, but I think that means it's a bridged adapter. Shrug. Here's ifconfig:
# ifconfig
br0 Link encap:Ethernet HWaddr 94:44:52:1A:D4:BF
inet addr:192.168.1.129 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:5455 errors:0 dropped:0 overruns:0 frame:0
TX packets:723 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:485642 (474.2 KiB) TX bytes:82959 (81.0 KiB)
br0:0 Link encap:Ethernet HWaddr 94:44:52:1A:D4:BF
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr 94:44:52:1A:D4:BF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5545 errors:2 dropped:0 overruns:0 frame:1
TX packets:5529 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:622258 (607.6 KiB) TX bytes:607238 (593.0 KiB)
Interrupt:4 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 94:44:52:1A:D4:C1
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:3 Base address:0x1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:125 errors:0 dropped:0 overruns:0 frame:0
TX packets:125 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9468 (9.2 KiB) TX bytes:9468 (9.2 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.5.1 P-t-P:192.168.5.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1656 (1.6 KiB) TX bytes:0 (0.0 B)
vlan1 Link encap:Ethernet HWaddr 94:44:52:1A:D4:BF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5540 errors:0 dropped:0 overruns:0 frame:0
TX packets:723 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:521631 (509.4 KiB) TX bytes:85851 (83.8 KiB)
vlan2 Link encap:Ethernet HWaddr 94:44:52:1A:D4:BF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:4806 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:817 (817.0 B) TX bytes:521387 (509.1 KiB)
Re: Simple "roadwarrior" VPN
Posted: Mon Apr 11, 2011 10:02 pm
by janjust
ah yes, it's a DD-WRT box: yes, it would be the br0 port. Try adding a rule like
iptables -t nat -I POSTROUTING -o br0 -j MASQUERADE
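The fix above hinged on naming the right outgoing interface. As an added example (not from the thread or from DD-WRT), this script takes the interface from the default route in `route` output instead of guessing, and builds the MASQUERADE rule scoped to the VPN pool so that only tunnel clients are NATed; the route table is a constructed sample copied from the one posted earlier, and the pool 192.168.5.0/24 comes from the server config.

```shell
#!/bin/sh
# Added example: derive the masquerade interface from the default route and
# emit a POSTROUTING rule limited to the OpenVPN client pool.
# Assumption: the pool matches "server 192.168.5.0 255.255.255.0".
VPN_NET="192.168.5.0/24"

# Print the interface carrying the default route, reading `route` or
# `route -n` style output on stdin (destination "default" or "0.0.0.0").
# On the DD-WRT box in the thread this is br0, not eth0.
default_iface() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $NF; exit }'
}

# Build the NAT rule for the given interface. The -s match means hosts on
# the LAN are not rewritten, only packets arriving from tunnel clients.
masq_rule() {
    printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$VPN_NET" "$1"
}

# Constructed sample: the server's route table as posted in the thread.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.5.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 192.168.5.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 0 0 0 br0'

main() {
    iface=$(printf '%s\n' "$SAMPLE_ROUTES" | default_iface)
    echo "default route leaves via: $iface"
    # On the real box, replace SAMPLE_ROUTES with `route -n` and pipe the
    # printed rule into sh once it looks right.
    masq_rule "$iface"
}

main
```

Scoping with -s also means a LAN host that somehow reaches the box over br0 is not silently hidden behind the router's address, which keeps the firewall logs on the Verizon side meaningful.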
Re: Simple "roadwarrior" VPN
Posted: Mon Apr 11, 2011 10:08 pm
by briankb
janjust wrote: ah yes, it's a DD-WRT box: yes, it would be the br0 port. Try adding a rule like
iptables -t nat -I POSTROUTING -o br0 -j MASQUERADE
My hat is off to you sir, it now appears to be working
