
I have a network set up as shown below:

[network diagram]

The VPN server is the Windows Server 2012 default VPN, which uses the GRE protocol. I am able to make a VPN connection to that remote VPN server from a single intranet IP only, but I am not able to connect from the intranet range 172.16.14.0/24. The problem is with the Linux router, which is doing NAT. My iptables nat table looks like this for the working VPN connection (for a single IP), allowing the GRE protocol:

    # DNAT inbound GRE (protocol 47) from the VPN server to the single internal client
    iptables -I PREROUTING -t nat -p 47 --src 202.xx.yy.abc -j DNAT --to-destination 172.16.14.15
    # SNAT outbound GRE from that client to the router's public address
    iptables -I POSTROUTING -p 47 -t nat --src 172.16.14.15 -j SNAT --to-source 202.xx.yy.zz
    # Masquerade all other LAN traffic leaving the WAN interface
    iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
    # Accept GRE addressed to the router itself
    iptables -A INPUT -p 47 -j ACCEPT

This works fine for the single IP 172.16.14.15. How can I make it work for the whole 172.16.14.0/24 range, so that any host in it can have a VPN connection to the remote VPN server?

Shyamkkhadka

3 Answers


I found the solution.

I did this:

    sysctl -w net.netfilter.nf_conntrack_helper=1

Then add

    modprobe ip_nat_pptp

I was using Ubuntu 18.04.2 LTS, kernel version 4.15.0-45-generic. There was no need to do anything related to the GRE protocol in the iptables PREROUTING or POSTROUTING chains. Adding just the two lines above worked.

Michael Hampton
Shyamkkhadka
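An added example, not from the thread or its authors: a script that applies the accepted answer's approach for the whole 172.16.14.0/24 range, but binds the pptp conntrack helper explicitly with the iptables CT target instead of the global nf_conntrack_helper=1 switch, so the helper (which tracks PPTP call IDs to tell different clients' GRE flows apart) attaches only to PPTP control connections from the LAN. It assumes the WAN interface eth2 from the question and the standard nf_conntrack_pptp/nf_nat_pptp module names; run with no arguments it only prints the rules for review, and applies them only when invoked as "apply" by root.

```shell
#!/bin/sh
# Added example (not from the original thread): NAT a whole LAN's PPTP clients
# by binding the pptp conntrack helper explicitly (iptables CT target) rather
# than enabling automatic helper assignment with nf_conntrack_helper=1.
# Assumed values: LAN 172.16.14.0/24 behind WAN interface eth2 (eth2 is from
# the question; everything else here is an assumption).
set -eu

LAN_NET="${LAN_NET:-172.16.14.0/24}"
WAN_IF="${WAN_IF:-eth2}"

# Emit the commands as text so the rule set can be reviewed before it runs.
pptp_nat_rules() {
    lan="$1"; wan="$2"
    cat <<EOF
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
iptables -t raw -A PREROUTING -s $lan -p tcp --dport 1723 -j CT --helper pptp
iptables -t nat -A POSTROUTING -s $lan -o $wan -j MASQUERADE
iptables -A FORWARD -s $lan -o $wan -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -s $lan -o $wan -p 47 -j ACCEPT
iptables -A FORWARD -d $lan -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# The helper marks each client's GRE session as RELATED to its own TCP/1723
# control connection, so no per-client DNAT/SNAT on protocol 47 is needed.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    pptp_nat_rules "$LAN_NET" "$WAN_IF" | sh -e
else
    pptp_nat_rules "$LAN_NET" "$WAN_IF"
fi
```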

Did you load the nf_nat_proto_gre kernel module? If you do so, the first two lines will likely not be needed anymore.

Tomek

GRE does not have any concept of a "port" like UDP and TCP protocols. The only mapping information any NAT device can utilize is the source and/or destination IP address of the packets.

To achieve what you want, you would either need a public /24 network provisioned on your WAN link and then create individual GRE NAT mappings from each public IP address to each internal IP address. Alternatively, you could keep a single address on your WAN interface but have the VPN provider give you several public IPv4 addresses for connecting to their service. In the first case the NAT mapping is keyed off the destination address of the GRE packets, and in the second it is keyed off the source address. Either method will work.

It is highly likely that you only have a single WAN address, and the VPN provider also only has a single address, which means you can only create a single NAT mapping to one internal host for any GRE traffic.

parkamark

Yes, as you said, I have only a single WAN address, and the VPN provider also has a single address. But I have lots of local LAN IPs, which are NATed to the eth2 public IP when going to the internet. I can't have a public /24 network provisioned on my WAN link. What might be the best solution in this case? – Shyamkkhadka Nov 22 '18 at 14:51