[Ubuntu] advanced vpn / routing / iptables help please

[RabbieBurns]

Ive got an ubuntu box that is an OpenVPN client which is connected to an openVPN server. It is set to redirect the gateway so all internet traffic goes through the VPN.

From this client I can ping all the other remote clients on the other network, so that part is all set up and configured correctly.

What I would like to achieve now though, is to have a couple of other local clients at this end, to use the local ubuntu box as its gateway, and so each of these clients will be able to ping the remote clients, and will have their internet traffic through the VPN.

Im just not sure what I should be configuring on the local ubuntu box to allow it to act as a router to handle the other local client traffic..

Any help or pointers in the right direction would be much appreciated please

[CyberNerd]

you need to set IP forwarding. check if it is on

Code:

cat /proc/sys/net/ipv4/ip_forward

1 is on 0 is off

uncomment here
/etc/sysctl.conf

I'd look at shorewall as an easy interface for using iptables

have to go out so cant finish the post. sorry

[RabbieBurns]

Ip forwarding is enabled already.

Here are the commands i have tried so far:

Code:

   12  iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
   15  iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
   34  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   35  iptables -A FORWARD -i eth0 -o tun0 -m state     --state RELATED,ESTABLISHED -j ACCEPT
   36  iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT

here is the current routing table

Code:

10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
10.8.0.1 via 10.8.0.5 dev tun0
78.1.2.3 via 192.168.3.1 dev eth0
192.168.3.0/24 dev eth0  proto kernel  scope link  src 192.168.3.50
192.168.2.0/24 via 10.8.0.5 dev tun0
10.8.0.0/24 via 10.8.0.5 dev tun0
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.3.1 dev eth0  metric 100

works fine from the local machine but i just dunno how to make it so other local hosts can use the vpn link..

Problem is i dont really know what im meant to be setting so an easy interface or command line doesnt really make a difference i dont think as im not sure what to set

[RabbieBurns]

i can ping 10.8.0.6 but not 10.8.0.5...

[glennda]

do you not need to set a route on the other machines to that 10.8.0.0 subnet xx.xx.x.xx goes to the box - otherwise they will be trying to go out through there default gateway surely?

[dhicks]

Im just not sure what I should be configuring on the local ubuntu box to allow it to act as a router to handle the other local client traffic..

I'm sorting out my home router this weekend (I need something with more than 4 network points so I can plug in my Raspberry Pi when it turns up), and I currently have a Debian Squeeze machine with two interfaces (eth0, a standard network port, and eth1, which is connected to a PPPoE modem which is connected directly to the ADSL line) with the following in /etc/rc.local:

Code:

# Start from scratch - flush any previous IPTables rules.
# To test IPTables rules we can simply re-run this script,
# we don't have to reboot the whole machine.
iptables -t filter --flush
iptables -t nat --flush

# Make sure that IP forwarding is enabled. I /think/ this is needed to get
# the FORWARD rules below working. No, I don't know why either...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Network connections:
# eth0 - 10.0.0.9, the internal connection.
# ppp0 - 83.67.26.200, the external connection. Connected to eth1 in some
# myserious fashion that I'm not too clear on.
# Note: ppp0 is a PPPoE connection, an ethernet connection connected directly
# to The Internet, it's not an IP connection to another NAT-ing router.

# Forward all established and related connections - i.e. if an HTTPS connection
# has been initiated from inside the firewall, then traffic coming the other
# way in reply to it is okay. This is a feature of stateful packet filtering,
# seemingly. NOTE: You might want to remove this bit, it simply allows everything
# through from your internal network.
iptables -t filter -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Forward incoming traffic on various ports to specific internal locations.
# This is the port forwading part of your average router.
# Forward HTTP (web - SquirrelMail) to DHEMAIL001:
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j DNAT --to 10.0.0.7:80
iptables -A FORWARD -p tcp -m state --state NEW -d 10.0.0.7 --dport 80 -j ACCEPT
# Important bit: this line handles getting the return traffic from all the above
# rules back to the initiating request.
iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0

# Forward any internal traffic on port 443 (HTTPS) to the Internet, i.e. any
# HTTPS request from our internal network gets passed out to the Internet
# with no questions asked. Add further outgoing ports here. You might also
# need to add specific websites here - some websites that use cookie-based
# authetication for user accounts don't handle being cached/filtered very
# well, so simply add them (or their IP address) in here. Bear in mind that
# this misses out the filtering for that specific website, so make sure that
# the whole website is okay before you set this.
# NOTE: Added HTTP just for the moment, remove here and add redirect rule below.
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

# Deal with data coming in from the Internet - shove it through NAT so it knows
# where to go in our internal network.
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 83.67.26.200

The above works, I currently have a working Internet connection, and I'm planning to add a rule to forward HTTP traffic through a Squid proxy running on a virtual machine. The above has been put together largly by trial and error over several years and seems to work, although it might need some refining.

[RabbieBurns]

Edit: got it working thanks!!

Added the whole port range instead of just http

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 1:65535 -j ACCEPT

and its working great

[RabbieBurns]

Ive got the client -> remote server VPN working, and using the client as the default gateway I can now get all local subnet to ping the entire remote subnet and beyond.

My questin is if I want to do the reverse, and have the remote subnet be able to ping this one, do I need to set up another client-server VPN session coming the other way, or can I use the existing VPN tunnel?

The routing table on the remote is this:

Code:

root@linux:~# ip route show
default via 192.168.2.1 dev eth0  metric 100
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.49

Can this be achieved by just adding some more static routes?

[RabbieBurns]

Note to self:

Code:

120  iptables -t filter -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  121  iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
  122  iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
  123  iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT
  124  iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.8.0.5
  136  iptables -t filter -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  137  iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
  141  iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.8.0.6
   143  iptables -t filter -A FORWARD -i eth0 -p tcp --dport 1:65535 -j ACCEPT