
I have an OpenVPN server, call it vpn-server, with a LAN 192.168.3.0/24 behind it. The client, vpn-client, also has a LAN behind it, 10.4.0.0/24. Machines on 192.168.3.0/24 can access 10.4.0.0/24 (with one exception). Machines on 10.4.0.0/24 can access 192.168.3.0/24. (Server and client are both Linux based.)

The one exception is that the VPN host itself cannot access 10.4.0.0/24. Someone in #openvpn on irc mentioned that when the openvpn server is connecting to the client network, it uses the VPN IP, not the local IP, and I should check out my masquerade rules for iptables. My masquerade rules, and the interface config for the related interfaces are at http://pastebin.com/Q9RDy0es .

OpenVPN configuration files, for both server and client, can be found at: http://pastebin.com/gtfm82pE .

I feel like it's a firewall issue on the host side, but I can't seem to get it worked out. Do I need new/different masquerade rules? I'm pretty sure the VPN configurations are correct.

vpn-server routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.54.1.9       *               255.255.255.255 UH    0      0        0 tun1
10.8.1.2        *               255.255.255.255 UH    0      0        0 tun0
<pubIP redacted> *               255.255.255.248 U     0      0        0 eth1
10.18.1.0       10.8.1.2        255.255.255.0   UG    0      0        0 tun0
172.16.20.0     10.54.1.9       255.255.255.0   UG    0      0        0 tun1
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
10.8.1.0        10.8.1.2        255.255.255.0   UG    0      0        0 tun0
10.54.1.0       10.54.1.9       255.255.255.0   UG    0      0        0 tun1
172.16.30.0     10.54.1.9       255.255.255.0   UG    0      0        0 tun1
10.3.0.0        10.54.1.9       255.255.255.0   UG    0      0        0 tun1
172.16.10.0     *               255.255.255.0   U     0      0        0 vlan4000
10.3.1.0        10.54.1.9       255.255.255.0   UG    0      0        0 tun1
10.4.0.0        10.8.1.2        255.255.0.0     UG    0      0        0 tun0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         <pubIP redacted> 0.0.0.0         UG    0      0        0 eth1

vpn-server output of iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
FW-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.3.0/24       anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination            

Chain FW-1-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:7788 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ha-cluster 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootpc 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn 
ACCEPT     tcp  --  sysmon.example.com  anywhere            tcp dpt:nrpe 
ACCEPT     tcp  --  sysmon1.example.com  anywhere            tcp dpt:nrpe 
ACCEPT     udp  --  sysmon1.example.com  anywhere            udp dpt:ntp 
ACCEPT     udp  --  sysmon.examplecom  anywhere            udp dpt:ntp 
ACCEPT     tcp  --  anywhere             anywhere            tcp multiport dports iax,sip 
ACCEPT     udp  --  anywhere             anywhere            udp multiport dports iax,sip 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Kendall
  • _"Unknown paste ID"_: can you re-upload your config? – quanta Aug 10 '11 at 13:00
  • The traffic from your OpenVPN server will leave on its tun interface. You need to allow the traffic on the OpenVPN server's output rules... -A OUTPUT -d 10.4.0.0/24 -j ACCEPT. You'll also need on INPUT to allow related/established for the return traffic. – user1801810 Jan 11 '17 at 23:20

1 Answer


Remember that when your OpenVPN gateway sources the traffic it will most likely be coming from the openvpn interface itself when it is seen by the client router and its hosts. So you will need to make sure either you have NAT'ed that IP on the openVPN server somehow or the hosts/client seeing the requests having a path back to that IP (which is probably not the same network as your LAN).

If you tcpdump the openvpn interfaces on both sides and then the internal interface on the remote side you will probably see that the issue is either firewall rules related to this different interface IP or routing related to that.

polynomial
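The answer's point, that host-originated traffic is sourced from the tunnel address rather than the LAN address, can be checked against the routing table in the question. The following is an added example, not code from the question or the answer: it does the kernel-style longest-prefix lookup over a constructed copy of the vpn-server table, shows which source address a packet to 10.4.0.0/24 would carry, and builds the two usual fixes (a route with a pinned `src`, or SNAT on the tun egress). The interface addresses and the default gateway are assumptions, since the page redacts them.

```python
import ipaddress

# Constructed copy of the vpn-server routing table from the question; the
# redacted public-IP lines are dropped and the default gateway is written as
# 0.0.0.0 (an assumption, the real value is redacted on the page).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.54.1.9       *               255.255.255.255 UH    0      0        0 tun1
10.8.1.2        *               255.255.255.255 UH    0      0        0 tun0
10.18.1.0       10.8.1.2        255.255.255.0   UG    0      0        0 tun0
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
10.8.1.0        10.8.1.2        255.255.255.0   UG    0      0        0 tun0
10.4.0.0        10.8.1.2        255.255.0.0     UG    0      0        0 tun0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         0.0.0.0         0.0.0.0         UG    0      0        0 eth1
"""
# Assumed addresses of the vpn-server interfaces (not given on the page).
IFACE_ADDRS = {"tun0": "10.8.1.1", "eth0": "192.168.3.1", "eth1": "203.0.113.2",
               "tun1": "10.54.1.1", "lo": "127.0.0.1"}
NAMES = {"default": "0.0.0.0", "link-local": "169.254.0.0", "loopback": "127.0.0.0"}

def parse_routes(text):
    """Turn `route` output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, _flags, _met, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{NAMES.get(dest, dest)}/{mask}")
        routes.append((net, None if gw == "*" else gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does; returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    _net, gw, iface = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return gw, iface

def source_address(routes, dst, iface_addrs=IFACE_ADDRS):
    """Source a locally generated packet gets when the route has no `src`
    hint: the egress interface's own address, i.e. the tun IP for 10.4.0.0/24."""
    return iface_addrs[lookup(routes, dst)[1]]

def remediation(routes, dst_net, lan_ip):
    """Two ways to let host-originated traffic reach the remote LAN: pin the
    route's preferred source, or SNAT on the tunnel egress. Returns both."""
    gw, iface = lookup(routes, str(ipaddress.ip_network(dst_net)[1]))
    return (f"ip route replace {dst_net} via {gw} dev {iface} src {lan_ip}",
            f"iptables -t nat -A POSTROUTING -o {iface} -d {dst_net} -j SNAT --to-source {lan_ip}")
```

The `src` variant relies on the fact, stated in the question, that 10.4.0.0/24 already has a return path to 192.168.3.0/24; the SNAT variant works even where it does not.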