Hi folks -
This isn't an Arch problem, but I'm hoping there are some folks with OpenVPN experience...
I've got a real subnet (141.213.125.0/25) at home, tunneling through OpenVPN over the Internet to work where another OpenVPN is directly connected to our core with a /30. I've got a static route set on the Cisco pointing 141.213.125.0/25 to the OpenVPN server at work.
The subnet at home works fine, I can get in and out through the tunnel. What's not working is trying to get to things from the client OpenVPN server itself. There is some routing subtlety that I'm not getting...
Server (one nic, IP 141.213.125.130/30):
Destination      Gateway          Genmask          Flags MSS Window irtt Iface
10.213.125.2     0.0.0.0          255.255.255.255  UH      0 0        0 tun0
141.213.125.128  0.0.0.0          255.255.255.252  U       0 0        0 eth0
141.213.125.0    10.213.125.2     255.255.255.128  UG      0 0        0 tun0
0.0.0.0          141.213.125.129  0.0.0.0          UG      0 0        0 eth0
OpenVPN server.conf:
proto udp
port 1194
dev tun
tls-server
mode p2p
topology p2p
ca ./certs/ca.crt
cert ./certs/work-gw.crt
key ./certs/work-gw.key
dh ./certs/dh1024.pem
ifconfig 10.213.125.1 10.213.125.2
verb 5
user nobody
group nobody
chroot /etc/openvpn/
persist-tun
persist-key
route 141.213.125.0 255.255.255.128
push "redirect-gateway def1"
keepalive 10 60
redirect-gateway def1
float
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Client (2 nics, one for local and one behind NAT to the Internet):
Destination      Gateway          Genmask          Flags MSS Window irtt Iface
141.213.125.130  192.168.1.1      255.255.255.255  UGH     0 0        0 eth0
10.213.125.1     0.0.0.0          255.255.255.255  UH      0 0        0 tun0
141.213.125.0    0.0.0.0          255.255.255.128  U       0 0        0 eth1
192.168.1.0      0.0.0.0          255.255.255.0    U       0 0        0 eth0
0.0.0.0          10.213.125.1     128.0.0.0        UG      0 0        0 tun0
128.0.0.0        10.213.125.1     128.0.0.0        UG      0 0        0 tun0
0.0.0.0          192.168.1.1      0.0.0.0          UG      0 0        0 eth0
OpenVPN client.conf:
remote 141.213.125.130
proto udp
port 1194
dev tun
mode p2p
tls-client
client
ifconfig 10.213.125.2 10.213.125.1
ca ./certs/ca.crt
cert ./certs/home-gw.crt
key ./certs/home-gw.key
verb 5
user nobody
group nobody
chroot /etc/openvpn/
persist-tun
persist-key
remote-cert-tls server
redirect-gateway def1
keepalive 10 60
Iptables:
Chain INPUT (policy DROP 12 packets, 936 bytes)
 pkts bytes target  prot opt in    out  source    destination
    0     0 ACCEPT  all  --  lo    any  anywhere  anywhere
    6   468 ACCEPT  all  --  eth1  any  anywhere  anywhere
  764  103K ACCEPT  all  --  eth0  any  anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
    0     0 ACCEPT  udp  --  any   any  anywhere  anywhere  udp dpt:openvpn
  554 42509 ACCEPT  all  --  tun+  any  anywhere  anywhere

Chain FORWARD (policy ACCEPT 38 packets, 1664 bytes)
 pkts bytes target  prot opt in    out  source    destination
   71  4241 ACCEPT  all  --  tun+  any  anywhere  anywhere

Chain OUTPUT (policy ACCEPT 1042 packets, 149K bytes)
 pkts bytes target  prot opt in    out  source    destination
Any suggestions? The client OpenVPN server machine can't get to any Internet destination (i.e. Pacman repos for updates, NTP servers, etc.) Thanks for any help!
RK
Last edited by rklingsten (2009-09-09 19:10:40)
Aha, I see what is happening... packets that are sourcing from the client machine itself are trying to leave the box via tun0 with a source address of 10.213.125.2 which of course will never work (packets can't come back.)
What have I got to do to get this to work? Is this an iptables mangling thing? I was thinking something like adding a few rules to the OUTPUT table - the first rule to match UDP 1194 for OpenVPN and just accept those, and then another rule to mangle anything else and give them a source address of 141.213.125.1 which is the other NIC on this box.
Or is this a route table thing?
Suggestions? Advice?
thanks!
Rob K
Now I've got it working! I had to add:
-A POSTROUTING -o tun0 -j SNAT --to-source 141.213.125.1
Works great now. Hopefully this will be of use to someone else.
thanks!
Rob K
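As an added illustration (not code from the thread or from OpenVPN), here is a small Python model of the client box's routing table and source-address selection. It shows why the box's own traffic left tun0 with source 10.213.125.2 while forwarded home-subnet traffic was fine, and what the POSTROUTING SNAT rule from the last post changes. The eth0 address 192.168.1.10, the destination 198.51.100.7 and the narrower SNAT variant are assumed values, not from the thread.

```python
import ipaddress

# Client box routing table, constructed from the netstat -rn output in the first post:
# (destination, gateway or None when directly connected, outgoing interface).
CLIENT_ROUTES = [
    ("141.213.125.130/32", "192.168.1.1", "eth0"),  # host route: tunnel packets stay off tun0
    ("10.213.125.1/32", None, "tun0"),
    ("141.213.125.0/25", None, "eth1"),
    ("192.168.1.0/24", None, "eth0"),
    ("0.0.0.0/1", "10.213.125.1", "tun0"),          # installed by redirect-gateway def1
    ("128.0.0.0/1", "10.213.125.1", "tun0"),        # installed by redirect-gateway def1
    ("0.0.0.0/0", "192.168.1.1", "eth0"),
]

# Addresses the client's interfaces own: tun0 from the ifconfig line, eth1 from the
# SNAT rule; the eth0 address 192.168.1.10 is an assumed value.
IFACE_ADDR = {"eth0": "192.168.1.10", "eth1": "141.213.125.1", "tun0": "10.213.125.2"}

def lookup(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match over the table; returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[2], best[1]

def egress(dst, src=None, snat=()):
    """Return (iface, source address) for one packet leaving the box.

    src=None models a locally generated packet: the route carries no 'src' hint, so
    the kernel uses the egress interface's own address. Forwarded packets keep the
    source they arrived with. snat is a sequence of (out_iface, match_src_net or None,
    to_source) tuples standing in for nat/POSTROUTING SNAT rules, which run after
    the routing decision and therefore see the final outgoing interface.
    """
    iface, _gw = lookup(dst)
    if src is None:
        src = IFACE_ADDR[iface]
    for out_iface, match, to_source in snat:
        if out_iface != iface:
            continue
        if match is None or ipaddress.ip_address(src) in ipaddress.ip_network(match):
            return iface, to_source
    return iface, src

# The rule from the last post (-o tun0 -j SNAT --to-source 141.213.125.1), and an
# assumed narrower variant with "-s 10.213.125.2" that leaves forwarded /25 traffic alone.
SNAT_AS_POSTED = [("tun0", None, "141.213.125.1")]
SNAT_NARROW = [("tun0", "10.213.125.2/32", "141.213.125.1")]
```

The rule as posted matches every packet leaving tun0, so forwarded 141.213.125.0/25 sources are rewritten to 141.213.125.1 as well; adding "-s 10.213.125.2" to it (SNAT_NARROW in the model) limits the rewrite to the box's own traffic.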