Stefan Schilling
2008-Feb-11 23:15 UTC
OpenVPN traffic will not be routed into network / as DefaultGW traffic ... with 1 NIC
Hello!
I''ve the following set-up
RemoteClient1 (Win Vista), RemoteClient2 (Win XP) do both connect to
my OpenVPN box. They can talk to each other, using their 172.16.1.x
tun0 Address on the server.
The server itself (Ubuntu gutsy, OpenVPN: 2.0.9-8, shorewall:3.4.4-1)
has 1 NIC that connects the machine to
a) a DSL-router (forwards several ports to this linux machine,
including the OpenVPN-port)
b) another WinXP client (192.168.1.10) over that DSL-router
the server''s eth0 interface is 192.168.1.11, the router has
192.168.1.249
The server also has a tun0 interface (172.16.1.1), due to its OpenVPN
capability.
The server can connect to 192.168.1.10, 192.168.1.249 on any port.
RemoteClient1 can connect to RemoteClient2 on any port. The
RemoteClients can also request data from 172.16.1.1 and 192.168.1.11.
However, they can neither connect to 192.168.1.249 or 192.168.1.10 on
any port. Also, they cannot use 172.16.1.1 -> 192.168.1.11 ->
192.168.1.249 as DefaultGW, if that option is given via OpenVPN.
I tried to follow the instructions on
http://www.shorewall.net/OPENVPN.html as well as on
http://www.shorewall.net/VPNBasics.html .
Still, it doesn''t work.
Before using shorewall, I used firehol. There, the following commands
worked; with shorewall they don''t (neither with shorewall running nor
with it being disabled):
## Settings for openVPN:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# for DefaultGW operations of OpenVPN:
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
stefan@server:/root$ sudo /sbin/shorewall version
3.4.4
stefan@server:/root$ sudo ip addr show
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen
1000
link/ether 00:01:80:64:be:5f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.11/24 brd 192.168.1.255 scope global eth0
inet6 fe80::201:80ff:fe64:be5f/64 scope link
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast
qlen 100
link/[65534]
inet 172.16.1.1 peer 172.16.1.2/32 scope global tun0
stefan@server:/root$ sudo ip route show
172.16.1.2 dev tun0 proto kernel scope link src 172.16.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.11
172.16.1.0/24 via 172.16.1.2 dev tun0
default via 192.168.1.249 dev eth0 metric 100
stefan@server:/root$
I included a shorewall -dump in the attached file (I tried to zip it,
but the mail was returned by the server ... so it''s not zipped now -
sorry).
Hope you can help me out; please write, if you have any further
questions / requests.
Thanks a lot and have a nice day.
Bye,
Stefan
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tom Eastep
2008-Feb-11 23:23 UTC
Re: OpenVPN traffic will not be routed into network / as DefaultGW traffic ... with 1 NIC
Stefan Schilling wrote:> > # for DefaultGW operations of OpenVPN: > iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE >In /etc/shorewall/masq: eth0 172.16.1.0/24 -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Stefan Schilling
2008-Feb-12 08:51 UTC
Re: OpenVPN traffic will not be routed into network / as DefaultGW traffic ... with 1 NIC
Hello Tom! -------- Original-Nachricht --------> Datum: Mon, 11 Feb 2008 15:23:24 -0800 > Von: Tom Eastep <teastep@shorewall.net> > An: Stefan Schilling <mail.suse@gmx.de>, Shorewall Users <shorewall-users@lists.sourceforge.net> > Betreff: Re: [Shorewall-users] OpenVPN traffic will not be routed into network / as DefaultGW traffic ... with 1 NIC> Stefan Schilling wrote: > > > > > # for DefaultGW operations of OpenVPN: > > iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE > > > > In /etc/shorewall/masq: > > eth0 172.16.1.0/24Great. That is now working... As my 192.168.1.10 - client is not running right now, I cannot evaluate on that topic. But thanks so far. Greetings from Germany, Stefan -- Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/