2
I have a KVM virtual machine which is acting as a VPN gateway to a network of other virtual (and eventually physical) machines. I have my hypervisor set up with a tap for each machine and a bridge to connect them so they all share the same subnet and can communicate with each other. Now, I need the VPN gateway to forward packets from its tap interface to the rest of the network.
For sake of example, let's say the VPN subnet is 192.168.15.0/24, and the virtual machine subnet is 192.168.10.0/24. The VPN gateway sits at 192.168.15.1 and an example remote computer has address 192.168.15.5. I would think that setting a static route on the remote computer with ip route add 192.168.10.0/24 via 192.168.15.1 dev <tap device> would get the packets redirected to the VPN gateway, and then having an iptables rule like iptables -A FORWARD -s 192.168.15.0/24 -d 192.168.10.0/24 -j ACCEPT on the VPN gateway would allow packets to reach their destination as long as ip_forward is enabled. I can show that packets are arriving from a remote computer to the gateway, but ping 192.168.10.5 from the remote computer returns: From 192.168.10.5 icmp_seq=1 Destination Net Unknown.
Any thoughts on how to resolve this?
Edit 1: The remote computer has an appropriate route to the gateway via the VPN.
PyroAVR
Posted 2018-09-30T21:25:22.940
Reputation: 131
Does the remote computer itself have a route for this network through the VPN? – user1686 – 2018-09-30T21:52:38.807
@grawity yes it does! I'll add that to the description. – PyroAVR – 2018-09-30T22:53:00.000
Does iptables on the VPN gateway have any other rules in the FORWARD chain? – user1686 – 2018-10-01T04:50:01.870
@grawity no, here's the content:
`Chain INPUT (policy ACCEPT) target prot opt source destination
Chain FORWARD (policy ACCEPT) target prot opt source destination
Chain OUTPUT (policy ACCEPT) target prot opt source destination ` – PyroAVR – 2018-10-02T03:56:48.830