I've set up an OpenVPN server on my Raspberry Pi.
The local network of this server is 192.168.1.0/24; the box is at 192.168.1.254 and the Pi at 192.168.1.250.
A dnsmasq server is present on this Raspberry Pi as well, in order to resolve "mycustom.local" to 192.168.1.250 and 10.16.0.1.
The aim was to provide 3 networks:
- 10.16.0.0/24 : "admin" rights : full access; internet and DNS are routed to this network, and 192.168.1.0/24 is accessible from this network
- 10.16.1.0/24 : "normal" rights : only 10.6.1.0/24 should be routed to this network. No internet access, no 192.168.1.0/24 access
- 10.16.2.0/24 : "internet" rights : all traffic needs to go to this interface, including DNS requests, but no access to 192.168.1.0/24 on the server side
Everything seems to work; however, when I'm on 10.16.1.0/24, DNS requests still go to the Pi. Furthermore, I think dnsmasq is serving all domains.
I would like the Pi to:
- resolve only the domain mycustom.domain for 192.168.1.0/24 and 10.16.0.1/24, which means my client would directly call another DNS resolver in order to query any other domain (but maybe I would be forced to tell dnsmasq to follow the request... to the box?)
- resolve all queries for 10.16.0.0/24 and 10.16.2.0/24
I don't know why, but I was somehow forced to put a /16 mask on some networks (if my Pi could get a 10.16.1.0/24 address when it is linked to a 10.16.1.0/24 client, it would solve this problem, I guess).
I also have difficulties with my iptables rules, even though they are working.
Here is a part of my openvpn server.conf:
dev tun
topology subnet
...
server 10.16.0.0 255.255.0.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 10.16.0.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
#push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
client-config-dir /etc/openvpn/ccd
and inside my /etc/openvpn/ccd, admin_profile_1:
push "block-outside-dns"
push "redirect-gateway def1"
ifconfig-push 10.16.0.2 255.255.255.0
classic_profile_1 (/24 if the Pi can get a 10.16.1/24 IP):
ifconfig-push 10.16.1.2 255.255.0.0
and I guess I'll do (/24 if the Pi can get a 10.16.2/24 IP)
internet_profile_1:
push "block-outside-dns"
push "redirect-gateway def1"
ifconfig-push 10.16.2.2 255.255.0.0
My dnsmasq.conf: everything is at its default value, I just added:
listen-address=127.0.0.1,192.168.1.250,10.16.0.1
My resolv.conf is auto-generated:
nameserver 127.0.0.53
options edns0
My hosts file:
127.0.0.1 localhost
10.16.0.1 mycustom.domain
192.168.1.250 mycustom.domain
Now the problem is, when I'm connected as a 10.16.1.0/24 client, DNS queries still go through the VPN. I would like the VPN to only serve mycustom.domain for 10.16.1.0/24 clients, and other domains would be resolved through the client's DNS. Thus, I need dnsmasq to serve only mycustom.domain on 10.16.0.1 and, if possible, not even forward the other DNS requests.
Finally, here are my iptables rules:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.16.0.0/24 anywhere
I believe I typed these 3 commands:
sudo iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1195 -j ACCEPT && sudo iptables -A INPUT -i tun+ -j ACCEPT && sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.16.0.0/24 -o eth0 -j MASQUERADE && sudo iptables -A OUTPUT -o tun+ -j ACCEPT
but... iptables -L returns only:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
but somehow it still works.
Thank you for your time
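As an added example (not part of the original post), the script below prints an iptables rule set that enforces the three tiers described in the question: the admin subnet is forwarded and masqueraded everywhere, the internet subnet is forwarded and masqueraded but dropped when it targets the LAN, and the normal subnet is only allowed to reach its own /24 and cannot query the Pi's resolver on 10.16.0.1. It assumes eth0 is the LAN side, tun0 is the VPN side and the Pi's dnsmasq listens on 10.16.0.1:53; the global push "dhcp-option DNS ..." lines in server.conf would still need to move into the admin and internet CCD files so that normal-tier clients are not handed 10.16.0.1 at all.

```shell
#!/bin/sh
# Added example: emit (not apply) the per-tier iptables rules for the VPN on
# the Pi. Review the output, then pipe it into sh on the server to install it.
# Assumptions: LAN on eth0, VPN on tun0, Pi VPN address 10.16.0.1 (dnsmasq).
LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
LAN_NET=192.168.1.0/24
ADMIN_NET=10.16.0.0/24     # "admin": internet + LAN
NORMAL_NET=10.16.1.0/24    # "normal": own subnet only, no Pi DNS
INET_NET=10.16.2.0/24      # "internet": internet only, never the LAN
VPN_DNS=10.16.0.1

gen_rules() {
    cat <<EOF
# return traffic for every flow allowed below
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# admin tier: out to LAN and internet, source-NATed on the LAN side
iptables -A FORWARD -i $VPN_IF -s $ADMIN_NET -o $LAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $ADMIN_NET -o $LAN_IF -j MASQUERADE
# internet tier: the LAN drop must come before the general accept
iptables -A FORWARD -i $VPN_IF -s $INET_NET -d $LAN_NET -j DROP
iptables -A FORWARD -i $VPN_IF -s $INET_NET -o $LAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $INET_NET -o $LAN_IF -j MASQUERADE
# normal tier: only its own subnet, and no DNS to the Pi's resolver
iptables -A FORWARD -i $VPN_IF -s $NORMAL_NET -d $NORMAL_NET -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $VPN_IF -s $NORMAL_NET -j DROP
iptables -A INPUT -i $VPN_IF -s $NORMAL_NET -d $VPN_DNS -p udp --dport 53 -j DROP
iptables -A INPUT -i $VPN_IF -s $NORMAL_NET -d $VPN_DNS -p tcp --dport 53 -j DROP
# anything else arriving from the tunnel is not forwarded
iptables -A FORWARD -i $VPN_IF -j DROP
EOF
}

# Number of rules the generated set installs in a given chain (for review
# against "iptables -L <chain>" / "iptables -t nat -L POSTROUTING" later).
count_rules() {
    gen_rules | grep -c "^iptables .*-A $1 "
}

gen_rules
```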