OpenVPN NAT and some iptables
12 years 10 months ago #37732
by Bublitz
The Bublitz
Systems Admin
Hospice of the Red River Valley
OK, I have a multi-site site-to-site OpenVPN setup. I got this working in a test environment and for some reason am having trouble in our Rackspace environment.
Here's what is working.
Both client networks can ping the OpenVPN server running Fedora Core 15. So the tunnels are up and running. So my config files are good, I feel. The OpenVPN server can also ping the client networks.
Here's what's not working.
The Windows server on the OpenVPN server side cannot connect to the networks. I have routes defined on the Windows server so that any traffic that needs to go to the client networks goes to the OpenVPN server LAN interface.
The only difference in this setup from the test environment is that the OpenVPN server is directly connected to the Internet. Before, it had a single interface, so a router did the firewall/NAT. So I'm going to make the assumption that I have iptables/NAT messed up. Do I need to use NAT when sending traffic through an OpenVPN tunnel? Or does the tunnel interface package the packets up and send them down the tunnel as itself?
Code:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1195 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
For NAT I've tried the following (eth0 is public, eth1 is private):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I assume I'm missing something, although this iptables config worked in the test environment...
I've also enabled IP forwarding on the OpenVPN server. My knowledge of iptables is weak and I assume I don't have the NAT correct.
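Added example (editor's code, not from the original post or the OpenVPN project). The posted *filter table accepts forwarded packets with `-i tun+` and an ESTABLISHED,RELATED rule, but has no rule for packets entering on eth1 and leaving on tun+, so a new connection from the LAN toward a client site falls through to the final REJECT; and a POSTROUTING rule matched on `-o eth0` is only consulted for packets leaving the public interface, never for packets leaving through the tunnel. The script below generates (and with `--apply` loads) a ruleset for the two-NIC layout the post describes: eth0 public, eth1 private, OpenVPN on UDP 1194 and 1195, explicit forwarding pairs per remote site, and no NAT on tunnel traffic. The script name `vpn-fw.sh`, the LAN subnet 10.10.0.0/24 and the client-site subnets 10.20.0.0/24 and 10.30.0.0/24 are assumptions; replace them with the real ones.

```shell
#!/bin/bash
# vpn-fw.sh (assumed name) - added example, not from the original post.
# Generates an iptables-restore ruleset for a two-NIC OpenVPN site-to-site
# gateway; run with --apply (as root) to enable forwarding and load it.
# eth0/eth1 and UDP 1194/1195 come from the post; subnets are assumptions.
set -eu

PUB_IF="${PUB_IF:-eth0}"                                  # Internet-facing NIC
LAN_IF="${LAN_IF:-eth1}"                                  # private LAN NIC
LAN_NET="${LAN_NET:-10.10.0.0/24}"                        # assumed: LAN behind eth1
REMOTE_NETS="${REMOTE_NETS:-10.20.0.0/24 10.30.0.0/24}"   # assumed: the client sites

# gen_rules PUB_IF LAN_IF LAN_NET "REMOTE_NET ..."  -> ruleset on stdout
gen_rules() {
  local pub="$1" lan="$2" lan_net="$3" remote_nets="$4" net
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $pub -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i $pub -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  # One explicit pair per remote site. New connections from the LAN must be
  # allowed to leave via tun+: a rule matching only "-i tun+" covers the
  # opposite direction, and ESTABLISHED,RELATED only covers replies.
  for net in $remote_nets; do
    echo "-A FORWARD -i $lan -o tun+ -s $lan_net -d $net -j ACCEPT"
    echo "-A FORWARD -i tun+ -o $lan -s $net -d $lan_net -j ACCEPT"
  done
  # SSH above is open on every interface as in the post; add "-s <admin net>"
  # to that rule once the admin source addresses are known.
  # NAT is applied only to LAN traffic leaving the public NIC. Packets that
  # leave via tun+ keep their LAN source address: the remote site reaches
  # them through its own route back over the tunnel, so no NAT is needed.
  cat <<EOF
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $pub -j MASQUERADE
COMMIT
EOF
}

# apply_rules: turn on forwarding and load the whole ruleset atomically.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_rules "$PUB_IF" "$LAN_IF" "$LAN_NET" "$REMOTE_NETS" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules
else
  gen_rules "$PUB_IF" "$LAN_IF" "$LAN_NET" "$REMOTE_NETS"   # dry run: print only
fi
```

Run it without arguments first and read the output; then `./vpn-fw.sh --apply` as root on the gateway. To keep it across reboots, write the printed ruleset to /etc/sysconfig/iptables (the file system-config-firewall manages, as the header of the posted config says) and set net.ipv4.ip_forward = 1 in /etc/sysctl.conf. `iptables -L FORWARD -v -n` shows per-rule packet counters: if the eth1-to-tun+ counter stays at zero while the Windows server is trying to connect, the packets are not reaching the firewall at all, and the Windows route to eth1 or the OpenVPN server's own routes for the client subnets are the next thing to check.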