*nix Thread, advanced vpn / routing / iptables help please in Technical
  1. #1

    RabbieBurns

    advanced vpn / routing / iptables help please

    I've got an Ubuntu box that is an OpenVPN client connected to an OpenVPN server. It is set to redirect the gateway so all internet traffic goes through the VPN.

    From this client I can ping all the other remote clients on the other network, so that part is all set up and configured correctly.

    What I would like to achieve now, though, is to have a couple of other local clients at this end use the local Ubuntu box as their gateway, so that each of these clients will be able to ping the remote clients and will have their internet traffic go through the VPN.

    I'm just not sure what I should be configuring on the local Ubuntu box to allow it to act as a router and handle the other local clients' traffic.

    Any help or pointers in the right direction would be much appreciated, please.

  2. #2


    You need to set IP forwarding. Check if it is on:
    Code:
    cat /proc/sys/net/ipv4/ip_forward
    1 is on, 0 is off.

    Uncomment it here:
    /etc/sysctl.conf

    I'd look at Shorewall as an easy interface for using iptables.

    Have to go out so can't finish the post, sorry.

  3. #3

    RabbieBurns
    IP forwarding is enabled already.

    Here are the commands I have tried so far:

    Code:
    iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
    iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
    Here is the current routing table:

    Code:
    10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
    10.8.0.1 via 10.8.0.5 dev tun0
    78.1.2.3 via 192.168.3.1 dev eth0
    192.168.3.0/24 dev eth0  proto kernel  scope link  src 192.168.3.50
    192.168.2.0/24 via 10.8.0.5 dev tun0
    10.8.0.0/24 via 10.8.0.5 dev tun0
    0.0.0.0/1 via 10.8.0.5 dev tun0
    128.0.0.0/1 via 10.8.0.5 dev tun0
    default via 192.168.3.1 dev eth0  metric 100
    Works fine from the local machine, but I just don't know how to make it so other local hosts can use the VPN link.

    Problem is I don't really know what I'm meant to be setting, so an easy interface or command line doesn't really make a difference, I don't think, as I'm not sure what to set.

  4. #4

    RabbieBurns
    I can ping 10.8.0.6 but not 10.8.0.5...

  5. #5

    glennda
    Do you not need to set a route on the other machines so that the 10.8.0.0 subnet xx.xx.x.xx goes to the box? Otherwise they will be trying to go out through their default gateway, surely?

  6. #6

    dhicks
    Quote Originally Posted by RabbieBurns:
    I'm just not sure what I should be configuring on the local Ubuntu box to allow it to act as a router to handle the other local client traffic.
    I'm sorting out my home router this weekend (I need something with more than 4 network points so I can plug in my Raspberry Pi when it turns up), and I currently have a Debian Squeeze machine with two interfaces (eth0, a standard network port, and eth1, which is connected to a PPPoE modem which is connected directly to the ADSL line) with the following in /etc/rc.local:

    Code:
    # Start from scratch - flush any previous IPTables rules.
    # To test IPTables rules we can simply re-run this script,
    # we don't have to reboot the whole machine.
    iptables -t filter --flush
    iptables -t nat --flush
    
    # Make sure that IP forwarding is enabled. I /think/ this is needed to get
    # the FORWARD rules below working. No, I don't know why either...
    echo "1" > /proc/sys/net/ipv4/ip_forward
    
    # Network connections:
    # eth0 - 10.0.0.9, the internal connection.
    # ppp0 - 83.67.26.200, the external connection. Connected to eth1 in some
    # mysterious fashion that I'm not too clear on.
    # Note: ppp0 is a PPPoE connection, an ethernet connection connected directly
    # to The Internet, it's not an IP connection to another NAT-ing router.
    
    # Forward all established and related connections - i.e. if an HTTPS connection
    # has been initiated from inside the firewall, then traffic coming the other
    # way in reply to it is okay. This is a feature of stateful packet filtering,
    # seemingly. NOTE: You might want to remove this bit, it simply allows everything
    # through from your internal network.
    iptables -t filter -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
    # Forward incoming traffic on various ports to specific internal locations.
    # This is the port forwarding part of your average router.
    # Forward HTTP (web - SquirrelMail) to DHEMAIL001:
    iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j DNAT --to 10.0.0.7:80
    iptables -A FORWARD -p tcp -m state --state NEW -d 10.0.0.7 --dport 80 -j ACCEPT
    # Important bit: this line handles getting the return traffic from all the above
    # rules back to the initiating request.
    iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
    
    # Forward any internal traffic on port 443 (HTTPS) to the Internet, i.e. any
    # HTTPS request from our internal network gets passed out to the Internet
    # with no questions asked. Add further outgoing ports here. You might also
    # need to add specific websites here - some websites that use cookie-based
    # authentication for user accounts don't handle being cached/filtered very
    # well, so simply add them (or their IP address) in here. Bear in mind that
    # this misses out the filtering for that specific website, so make sure that
    # the whole website is okay before you set this.
    # NOTE: Added HTTP just for the moment, remove here and add redirect rule below.
    iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT
    
    # Deal with data coming in from the Internet - shove it through NAT so it knows
    # where to go in our internal network.
    iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 83.67.26.200
    The above works, I currently have a working Internet connection, and I'm planning to add a rule to forward HTTP traffic through a Squid proxy running on a virtual machine. The above has been put together largely by trial and error over several years and seems to work, although it might need some refining.


  8. #7

    RabbieBurns
    Edit: got it working, thanks!!

    Added the whole port range instead of just HTTP:

    Code:
    iptables -t filter -A FORWARD -i eth0 -p tcp --dport 1:65535 -j ACCEPT
    and it's working great.
    Last edited by RabbieBurns; 4th March 2012 at 07:17 AM.
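    The working rule set reached here combines dhicks's state rule (which has no interface or address match, so the FORWARD chain accepts transit traffic in every direction, as dhicks's own comment warns) with a TCP accept for every port on eth0. The script below is an added example and is not code from the thread or from any poster. It is written for the same box, using the names from the routing table posted above (eth0 and 192.168.3.0/24 for the LAN, tun0 for the tunnel, 192.168.3.50 for the box itself), and prints a reviewable rule set with a default-deny FORWARD policy: new connections are allowed only from the LAN into the tunnel, are masqueraded behind the tunnel address, and drops are logged. It also prints the routes a LAN host needs so VPN-bound traffic reaches the box, which is glennda's point. The function names, the show/apply/routes modes, the REMOTE_NETS list and the log prefix are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a reviewable iptables rule set
# for an Ubuntu box that is an OpenVPN client and the VPN gateway for its
# LAN. Interface names, LAN subnet and gateway address are from the posted
# routing table; the rule set and helper functions are this example's own.
set -eu

LAN_IF="${LAN_IF:-eth0}"                  # LAN side of the box
VPN_IF="${VPN_IF:-tun0}"                  # OpenVPN tunnel interface
LAN_NET="${LAN_NET:-192.168.3.0/24}"      # network behind the box
GW_ADDR="${GW_ADDR:-192.168.3.50}"        # the box's own LAN address
REMOTE_NETS="${REMOTE_NETS:-192.168.2.0/24 10.8.0.0/24}"  # networks reached via the VPN (assumed)

# Report whether the kernel forwards at all; "unknown" where /proc is absent.
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Print the rule set as iptables commands, one per line. Printing rather
# than applying lets the rules be reviewed (or tested) first; the 'apply'
# mode pipes this same text into sh.
gateway_rules() {
    cat <<EOF
# start clean so re-running the script is idempotent
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
# default deny for transit traffic: anything not matched below is dropped
iptables -P FORWARD DROP
# drop packets that belong to no known connection, then pass replies
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only new connections allowed: LAN -> tunnel. Not LAN -> eth0, so
# nothing is forwarded to the ISP gateway when the tunnel is down, and
# not tunnel -> LAN, so remote VPN peers cannot open connections inward.
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# log what the policy is about to drop, rate-limited, for troubleshooting
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
# hide LAN addresses behind the tunnel address on the way out
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
EOF
}

# Commands a LAN host runs so traffic for the VPN-side networks goes to the
# box. Pointing the host's default route at the box instead sends all of its
# internet traffic through the tunnel as well.
lan_client_routes() {
    for net in $REMOTE_NETS; do
        printf 'ip route add %s via %s\n' "$net" "$GW_ADDR"
    done
}

case "${1:-show}" in
    show)   echo "# ip_forward = $(ip_forward_state)"; gateway_rules ;;
    apply)  gateway_rules | sh -e ;;
    routes) lan_client_routes ;;
    *)      echo "usage: $0 [show|apply|routes]" >&2; exit 2 ;;
esac
```

    Run it with no argument to review the rules, with `apply` (as root) to load them, and with `routes` for the commands a LAN host needs; LAN_IF, VPN_IF, LAN_NET, GW_ADDR and REMOTE_NETS can be overridden from the environment. The LOG rule is what makes a misconfiguration visible: a LAN host that cannot reach the remote subnet shows up as FWD-DROP lines in the kernel log instead of silently failing.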

  9. #8

    RabbieBurns
    I've got the client -> remote server VPN working, and using the client as the default gateway I can now get the whole local subnet to ping the entire remote subnet and beyond.

    My question is, if I want to do the reverse and have the remote subnet be able to ping this one, do I need to set up another client-server VPN session coming the other way, or can I use the existing VPN tunnel?

    The routing table on the remote is this:

    Code:
    root@linux:~# ip route show
    default via 192.168.2.1 dev eth0  metric 100
    10.8.0.0/24 via 10.8.0.2 dev tun0
    10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
    192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.49
    Can this be achieved by just adding some more static routes?
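    The existing tunnel can carry the reverse direction; no second session is needed, but a static route on the server alone is not enough either. OpenVPN needs a `route` directive on the server (a kernel route for the client's LAN into tun0) plus an `iroute` in that client's client-config-dir file, so the daemon knows which connected client owns the subnet; hosts on the remote LAN then need a route for 192.168.3.0/24 pointing at the server's LAN address, and the server must forward. The script below is an added example, not from the thread: the subnets and addresses (192.168.3.0/24 behind the client, 192.168.2.49 as the server's eth0 address, 192.168.2.1 as its default gateway) come from the routing tables posted above, while the client certificate CN, the function names and the show/install modes are this example's own assumptions. The SNAT and MASQUERADE rules on tun0 in the posts above only rewrite connections that the local LAN initiates, so connections opened from the remote side are not affected by them.

```shell
#!/bin/sh
# Added example, not from the thread: server-side OpenVPN directives and
# routes so the remote LAN (192.168.2.0/24) can reach the LAN behind the
# OpenVPN client (192.168.3.0/24) over the existing tunnel. Subnets and
# addresses are from the posted routing tables; the client CN is a
# placeholder because the page does not give it.
set -eu

CLIENT_NET="${CLIENT_NET:-192.168.3.0 255.255.255.0}"   # LAN behind the OpenVPN client
CLIENT_NET_CIDR="${CLIENT_NET_CIDR:-192.168.3.0/24}"    # the same network in CIDR form
CLIENT_CN="${CLIENT_CN:-CLIENT_CN_PLACEHOLDER}"          # CN of the client's certificate (assumed)
SERVER_LAN_ADDR="${SERVER_LAN_ADDR:-192.168.2.49}"      # server's eth0 address
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# Directives to append to the server's server.conf.
server_conf_lines() {
    cat <<EOF
# kernel route on the server: packets for the client's LAN go into tun0
route $CLIENT_NET
# per-client settings (the iroute file) live in this directory
client-config-dir $OPENVPN_DIR/ccd
# optional, only if other VPN clients should reach that LAN as well:
# push "route $CLIENT_NET"
EOF
}

# Contents of ccd/<client CN>: tells the OpenVPN daemon which connected
# client the subnet sits behind. Without it the kernel route above sends
# the packet into tun0 but OpenVPN has no client to deliver it to.
ccd_lines() {
    printf 'iroute %s\n' "$CLIENT_NET"
}

# Route a host on the server's LAN (or its router, 192.168.2.1) needs so
# packets for the client LAN are handed to the OpenVPN server.
remote_host_route() {
    printf 'ip route add %s via %s\n' "$CLIENT_NET_CIDR" "$SERVER_LAN_ADDR"
}

# The server must forward too: ip_forward=1 and FORWARD rules scoped to the
# two networks, rather than a blanket accept.
server_forward_rules() {
    cat <<EOF
iptables -A FORWARD -i tun0 -o eth0 -s $CLIENT_NET_CIDR -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d $CLIENT_NET_CIDR -j ACCEPT
EOF
}

# Write the two server-side files under OPENVPN_DIR (restart OpenVPN after).
install_server_config() {
    mkdir -p "$OPENVPN_DIR/ccd"
    server_conf_lines >> "$OPENVPN_DIR/server.conf"
    ccd_lines > "$OPENVPN_DIR/ccd/$CLIENT_CN"
}

case "${1:-show}" in
    show)
        echo "## append to $OPENVPN_DIR/server.conf"; server_conf_lines
        echo "## $OPENVPN_DIR/ccd/$CLIENT_CN"; ccd_lines
        echo "## on each 192.168.2.0/24 host, or on 192.168.2.1"; remote_host_route
        echo "## on the server"; server_forward_rules ;;
    install) install_server_config ;;
    *) echo "usage: $0 [show|install]" >&2; exit 2 ;;
esac
```

    Run with no argument to see everything that has to change and where; `install` writes the server.conf lines and the ccd file (set OPENVPN_DIR to try it in a scratch directory first). On the client gateway nothing further is needed as long as its FORWARD chain still accepts tun0 -> eth0 traffic; a gateway with a default-deny FORWARD policy needs one more accept for new connections from 192.168.2.0/24 to 192.168.3.0/24 arriving on tun0.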

  10. #9

    RabbieBurns
    Note to self:

    Code:
    iptables -t filter -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
    iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT
    iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.8.0.5
    iptables -t filter -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
    iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.8.0.6
    iptables -t filter -A FORWARD -i eth0 -p tcp --dport 1:65535 -j ACCEPT
