Michael Johannes
2014-Jan-16 14:21 UTC
Using shorewall masq (SNAT) to masquerade wifi to lan connection
Hi Tom,

I'm close to having a working setup in the office using Shorewall and OpenVPN on Ubuntu Linux. Right now I have a VPN endpoint to a hosting provider with IP 216.111.xxx.12. I can connect to it via SSH and OpenVPN just fine.

My setup:

Server (Linux - Shorewall, OpenVPN)
  External IP: 216.111.xxx.12 (eth0)
  OpenVPN Server: 172.20.15.1 (tun0)
  Private Subnet at Hosting Provider: 172.20.16.0/24

Client (Linux - Shorewall, OpenVPN)
  192.168.10.41 (routing server) or my workstation IP: 192.168.10.100
  One physical interface (eth0 - 192.168.10.41)
  One tunnel interface (tun0 - 172.20.15.14)
  Corporate network: 192.168.10.0/24
  Corporate WiFi: 172.17.10.0/24

When I'm in the office, I have a 'routing server' that is also an OpenVPN client to the server, with IP 192.168.10.41. From this server in the office I can ping the private subnet at the hosting provider. If I add routes from my workstation to the VPN server at my hosting provider, I can connect without issue:

  route add 172.20.16.0 mask 255.255.255.0 192.168.10.41

OK! I can also directly connect using OpenVPN from my workstation. This works as expected.

But when I'm on my WiFi network in the office on 172.17.10.0/24, and add the same route to the private subnet across the OpenVPN tunnel, I cannot get a response back from the server. I believe the packets are making it there, but there's no way for them to route back. If I connect directly from my workstation on the WiFi network, it works, but I want others in the office to be able to reach the destination either on the corporate network or on the WiFi network.

I've tried various lines in my masq file on the routing server in the office to see if I can masquerade my WiFi network as the corporate network, but I cannot get a response back. I'm wondering now if I'm messing up the correct location to add the masq entry - as in, should it be at the server itself at the hosting provider, not the routing server here in the office?

  tun0 - 172.17.10.0/24 192.168.10.41

Is there a way I can masq my WiFi connection as the corporate LAN connection? I thought the above line would work but it'

Thank you kindly for your time.

Mike.
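As an added illustration of the column layout the Shorewall 4 masq file expects (this is not from Mike's post or from any reply), here is a constructed entry that SNATs the office WiFi subnet to the routing server's own tunnel address. It assumes the addresses given in the post and that the VPN server at the hosting provider routes 172.20.15.0/24 (OpenVPN's tunnel subnet) back through tun0.

```text
#INTERFACE   SOURCE            ADDRESS         PROTO   PORT(S)
# Constructed example; addresses are the ones from the post above.
# Traffic leaving the routing server over tun0 from the corporate LAN.
tun0         192.168.10.0/24   172.20.15.14
# Same for the corporate WiFi subnet. ADDRESS is the routing server's own
# tun0 address (SNAT rather than MASQUERADE, which "-" would select), so
# replies from 172.20.16.0/24 are addressed to a host the VPN server can
# already reach over the tunnel instead of to a 172.17.10.x address.
tun0         172.17.10.0/24    172.20.15.14
```

Hosts on either subnet still need their route to 172.20.16.0/24 via 192.168.10.41, and the routing server's Shorewall policy must allow forwarding from those zones to the tunnel zone.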