Hi folks,

I have two firewalls (Slackware current) in different cities connected via OpenVPN.
I can ping the network behind the server firewall from the client firewall server.
But how do I route/iptable network traffic from the network behind the client firewall so it can see the network behind the server firewall?

Thank you

Remus
Peter Huetmannsberger
2004-Oct-08 12:44 UTC
Re: Problem with VPN routing from internal network
Hi!

Correct me if I am wrong, what it looks like to me is this:

192.168.1.0/24      10.0.0.1           10.0.0.2      192.168.2.0/24
server net          serverfw  openvpn  clientfw      client net

On the serverfw you need a static route to the client net:

route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2

On the client net the other way round:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.1

Firewall must allow all traffic through tun+
And of course must allow traffic coming from the opposite network.

Hope this helps,

.peter

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Remus
2004-Oct-08 13:46 UTC
Re: Problem with VPN routing from internal network + tun0 and traffic shaping
You are correct Peter.
But that is not enough to have access from the client local LAN to the server local LAN.
The line below helped me to fix it:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.0.0.2

So there is one more problem: how to access the client's local net from the server local net?
Any ideas?

And how to shape traffic going via tun0?
At the moment I have htb on eth0 and imq0 to shape in and out traffic.
But what about VPN traffic which goes via tun0?

Thanks

Remus
Peter Huetmannsberger
2004-Oct-08 14:28 UTC
Re: Problem with VPN routing from internal network + tun0 and traffic shaping
OK. I didn't know you wanted to NAT the traffic. If you have the default gw on your client-net set to the client-gw AND you forward the traffic, i.e. set your ip_forward to 1 AND you allow that in your iptables, there is no need to NAT the traffic at all. (If you have a static route set to your server-net via the tunnel.)

I have a similar setup and all I do is:

excerpt from `route -n`
192.168.42.1    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.42.0    192.168.42.1    255.255.255.0   UG    0      0        0 tun0

Which means the fw finds 192.168.42.1 by looking through the tunnel, and the whole network by looking at the far end of the tunnel.

On the other side it is exactly the same way, except of course turned around.

I saved myself the trouble of having an extra net for the tunnel, I just gave the tun0 device the same IP address as the internal (i.e. the client) network. So it actually looks like this:

192.168.42.0/24 ---192.168.42.1 ---tunnel---192.168.1.101--192.168.1.0/24

This setup has worked very well for me for years, if you see anything wrong with it let me know, I am willing to learn.

As long as packets get forwarded on both gateways there is no need to NAT.

I can ping any machine from either network, and have samba working for all those clients, so it must be reasonable.

As for traffic shaping, I would do the shaping on the internal interface (the one pointing to your network behind the fw), there you have control of incoming traffic via htb (as the traffic going to the clients is outgoing).

I hope all of this is correct.

Good luck,

.peter
Rimas
2004-Oct-08 15:11 UTC
Re: Problem with VPN routing from internal network + tun0 and traffic shaping
Hi Peter,

I already tried to give the IP from the same network for my tunnel, but OpenVPN 2.0b11 just blocks access to the firewall via the internal IP after that. So I gave it a different IP space. My setup is here:

Server: ifconfig

# The OpenVPN goes via this wireless line
eth0      Link encap:Ethernet  HWaddr 00:10:5A:A3:9B:58
          inet addr:1.2.3.4  Bcast:x.x.x.x  Mask:255.255.255.248

# Second ADSL line
eth1      Link encap:Ethernet  HWaddr 00:50:DA:3C:D9:7B
          inet addr:2.2.3.4  Bcast:x.x.x.x  Mask:255.255.255.0

# Local net
eth2      Link encap:Ethernet  HWaddr 00:04:76:23:43:36
          inet addr:10.105.105.199  Bcast:10.105.105.255  Mask:255.255.255.0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.2  Mask:255.255.255.255

Routing table

10.10.10.2      *               255.255.255.255 UH    0      0        0 tun0
2.2.3.x         *               255.255.255.255 UH    0      0        0 eth1
1.2.3.x         *               255.255.255.248 U     0      0        0 eth0
2.2.3.x         *               255.255.255.0   U     0      0        0 eth1
10.10.10.0      10.10.10.2      255.255.255.0   UG    0      0        0 tun0
10.105.105.0    *               255.255.255.0   U     0      0        0 eth2
10.1.1.0        10.10.10.2      255.255.255.0   UG    0      0        0 tun0
loopback        *               255.0.0.0       U     0      0        0 lo
default         2.2.3.x         0.0.0.0         UG    0      0        0 eth1

Client: ifconfig

# ADSL connection
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:42:9E:88
          inet addr:192.168.0.129  Bcast:192.168.0.255  Mask:255.255.255.0

# Local net
eth1      Link encap:Ethernet  HWaddr 00:0A:5E:48:0A:E3
          inet addr:10.1.1.199  Bcast:10.1.1.255  Mask:255.255.255.0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.6  P-t-P:10.10.10.5  Mask:255.255.255.255

Routing table

10.10.10.5      *               255.255.255.255 UH    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
10.10.10.0      10.10.10.5      255.255.255.0   UG    0      0        0 tun0
10.105.105.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    1      0        0 eth0

Iptables rule

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o tun0 -j SNAT --to-source 10.10.10.6

So the client configuration works fine for me, but how do I make the client local net reachable from the server and from the server local net?

Thanks

Remus
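Peter's advice (ip_forward on, a static route to the far LAN through the tunnel, and iptables allowing the forwarded traffic, with no SNAT) applied to the addresses in Remus's last message, as an added example that is not from the thread or from either poster. It is written for the client firewall: LAN interface eth1 = 10.1.1.0/24, far LAN 10.105.105.0/24, tunnel peer 10.10.10.5 on tun0, all taken from that message; the function name `site_to_site`, the `run` wrapper and the DRY_RUN convention are this example's own. The FORWARD rules deliberately narrow "allow all traffic through tun+" to exactly the two LAN prefixes, so anything else that reaches the tunnel is dropped at the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): routed site-to-site forwarding over the
# OpenVPN tunnel instead of SNAT, on the CLIENT firewall from Remus's message.
# Assumed from that message: LAN interface eth1 = 10.1.1.0/24, far LAN
# 10.105.105.0/24, tunnel peer 10.10.10.5 on tun0. For the server side swap
# the values (eth2, 10.105.105.0/24, 10.1.1.0/24, 10.10.10.2).
# DRY_RUN=1 (the default) prints each command instead of running it, so the
# result can be reviewed without root; DRY_RUN=0 applies them.
set -eu

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# site_to_site LAN_IF LAN_CIDR REMOTE_CIDR TUNNEL_PEER
# Route the far LAN through the tunnel and let only the two LANs cross tun+.
site_to_site() {
    lan_if=$1 lan=$2 remote=$3 peer=$4

    # 1. The kernel must forward at all (Peter's "set your ip_forward to 1").
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Static route to the far LAN via the far tunnel endpoint. No NAT is
    #    needed because the far side carries the mirror-image route back to $lan.
    run ip route replace "$remote" via "$peer" dev tun0

    # 3. FORWARD rules: accept exactly LAN <-> far LAN across the tunnel, in both
    #    directions, then drop anything else that tries to enter or leave tun+.
    #    A host that reaches the tunnel with a spoofed or unexpected address
    #    gets no further than this firewall.
    run iptables -A FORWARD -i "$lan_if" -o tun+ -s "$lan" -d "$remote" -j ACCEPT
    run iptables -A FORWARD -i tun+ -o "$lan_if" -s "$remote" -d "$lan" -j ACCEPT
    run iptables -A FORWARD -i tun+ -j DROP
    run iptables -A FORWARD -o tun+ -j DROP
}

# Self-check: how many FORWARD rules a dry run would install (expected: 4).
forward_rule_count() {
    DRY_RUN=1
    site_to_site "$@" | grep -c 'iptables -A FORWARD'
}

site_to_site "${LAN_IF:-eth1}" "${LAN:-10.1.1.0/24}" "${REMOTE:-10.105.105.0/24}" "${PEER:-10.10.10.5}"
```

Two caveats the thread does not reach. Rule order matters: the two ACCEPT lines must come before the DROPs, and if the FORWARD chain already holds an accept-all or a bare `-i tun+ -j ACCEPT` from earlier experiments, flush it first, otherwise the narrowing has no effect. Second, the /30 tunnel addresses in Remus's message (10.10.10.1/.2 on the server, 10.10.10.5/.6 on the client) are what OpenVPN 2.0's server mode hands out, and in that mode a kernel route on the server is not enough for the server-to-client direction: the server config also needs `route 10.1.1.0 255.255.255.0`, and the client's `client-config-dir` file needs `iroute 10.1.1.0 255.255.255.0`, so the OpenVPN process knows which client owns 10.1.1.0/24. Without the iroute OpenVPN drops packets it cannot map to a client, and it likewise drops packets arriving from a client whose source address is not that client's tunnel address (logged as "bad source address from client"), which is why the SNAT to 10.10.10.6 appeared to fix the client-to-server direction. With the iroute in place the SNAT rule can be removed and both LANs see each other's real addresses.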