[Solved] Redirect-gateway Reroutes Everything to the Servers

[AptQuadruped]

Hello, I successfully installed an set up openvpn on my VPS (openvz). However, I am having great difficulties with routing all traffic through the server with my clients. When I do so I am able to connect to the server just fine. I can even ssh to the server through the tunnel. However, when I try to ping or connect to ANY IP address it sends the request straight to my openvpn server. Even if the IP is invalid, I will get a reply. However, the reply is from my server. Trying to ssh to 12.435.4.45? It will ssh to my server. So I ask, what am I doing wrong with my configuration? Thank you very much! (OpenVz VPS = no masquerade for iptables)

iptables...

Code: Select all

iptables -F
iptables -P INPUT ACCEPT
# OpenVPN redirect gateway routing...
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o venet0 -j ACCEPT
# End OpenVPN
#trust loopback connections
iptables -A INPUT -i lo -j ACCEPT
#trust established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow icmp
iptables -A INPUT -p icmp -m icmp -j ACCEPT
export WAN=venet0
iptables -I INPUT 1 -i lo -j ACCEPT
# SSH
iptables -A INPUT -p TCP --dport 443 -i ${WAN} -j ACCEPT
# OpenVPN (uses the default http port to bypass most firewalls)
iptables -A INPUT -p UDP --dport 80 -i ${WAN} -j ACCEPT
iptables -A INPUT -p all -j REJECT
# OpenVPN (can't use masquerade because of openvz)
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to 63.141.254.19

OpenVPN (server)

Code: Select all

port 80
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/daft.crt
key /etc/openvpn/keys/daft.key
dh /etc/openvpn/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
server 10.8.1.0 255.255.255.0
push "route 10.8.1.0 255.255.255.0"
push "dhcp-option DNS 4.2.2.2"
push "dhcp-option DNS 4.2.2.3"
keepalive 10 120
client-to-client
comp-lzo
ping-timer-rem
persist-key
persist-tun
status /var/log/openvpn.log
verb 3

[maikcat]

hi there,

if you want to redirect all traffic through vpn you must add this to server config

push "redirect-gateway def1"

and also remove from server config

>push "route 10.8.1.0 255.255.255.0"

and try again

Michael.

[AptQuadruped]

Thanks for the reply. However, I have modified the server configuration as you specified, and I am still getting all requests being sent to the OpenVPN server.

[Bebop]

I found an error in your iptables which will need fixing before your setup works.

change your

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to 63.141.254.19

to

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 63.141.254.19

Remember to execute your iptables shell script again after you make the change.

So considering maikcat's advice plus this iptables fix I'm showing you.. I dare say your issue will be solved.

If you are interested though I can explain why you saw such strange behavior, eg: reply ping 12.433.3.4:

The reason is because your "--to" rule was rewriting "12.433.3.4" to "63.141.254.19" (you see the destination changed, but what you really want is the source to change). So of course your server was replying because your server thought that all packets were to "63.141.254.19". The lesson here: IPTABLES is such a powerful tool. Such a small change as --to or --to-source can make all the difference in system behavior.

[AptQuadruped]

Thank you very much for the information. However, I am still having the same issue after altering my iptables configuration with the --to-source in place of --to along with the openvpn server config. Any other ideas?

[Bebop]

post output from>: iptables -L -v

[AptQuadruped]

Output from iptables -L -v...

Code: Select all

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere            
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
   31  2332 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any 
    0     0 ACCEPT     tcp  --  venet0 any     anywhere             anywhere            tcp dpt:https 
    0     0 ACCEPT     udp  --  venet0 any     anywhere             anywhere            udp dpt:www 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT 43 packets, 2580 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun+   venet0  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 23025 packets, 2670K bytes)
 pkts bytes target     prot opt in     out     source               destination

[Bebop]

Output from iptables -L -v

Thank you. I couldn't see what I was looking for there. Are you still stuck?

--to changed to --to-source should have fixed the issue I would have thought. After making the change, did you execute the bash script to commit the change to IPTABLES?

Also see if this helps:

Code: Select all

 iptables -F
 iptables -t nat -F
 iptables -t mangle -F

I know you have iptables -F already, but to my knowledge its not a full flush of all rules.

[AptQuadruped]

Thank you very much! Flushing nat and mangle in iptables appears to have everything working now.

[Bebop]

Well done, and good on you for persisting. Solved / closed.