Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] OpenVPN client + NAT routing issue
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
BlueFusion
Guru
Guru


Joined: 08 Mar 2006
Posts: 371

PostPosted: Tue Mar 24, 2015 4:56 pm    Post subject: [SOLVED] OpenVPN client + NAT routing issue Reply with quote

I have a PC with OpenVPN client connecting to PrivateInternetAccess servers. When it is connected (which is always), I am unable to SSH into the PC from the internet. I can SSH into the PC no problem on the local network. I am running some simple iptables rules, but I tested with iptables disabled and it does not fix it. I've tested with iptables running and OpenVPN disconnected and it works no problem.

It appears to be an issue with NAT and OpenVPN routing which I am trying to resolve.

I tried to use iptables to mark the SSH packets and force them to the NAT router, but it doesn't seem to work. Ideas?

Quote:
# iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j MARK --set-mark 1
# ip route add default via 10.2.1.1 dev eth0 table sshtable
# ip rule add from all fwmark 1 table sshtable

# tail /etc/iproute2/rt_tables
255 local
254 main
253 default
0 unspec
1 sshtable


# ip route show
0.0.0.0/1 via 10.168.1.5 dev tun0
default via 10.2.1.1 dev eth0 metric 2
10.2.1.0/24 dev eth0 proto kernel scope link src 10.2.1.12
10.168.1.1 via 10.168.1.5 dev tun0
10.168.1.5 dev tun0 proto kernel scope link src 10.168.1.6
108.61.19.6 via 10.2.1.1 dev eth0
127.0.0.0/8 dev lo scope host
127.0.0.0/8 via 127.0.0.1 dev lo
128.0.0.0/1 via 10.168.1.5 dev tun0

# ip route show table sshtable
default via 10.2.1.1 dev eth0

# ip rule show
0: from all lookup local
32765: from all fwmark 0x1 lookup sshtable
32766: from all lookup main
32767: from all lookup default


Last edited by BlueFusion on Tue Apr 07, 2015 9:13 pm; edited 1 time in total
Back to top
View user's profile Send private message
Klayman
n00b
n00b


Joined: 10 Jun 2009
Posts: 8

PostPosted: Tue Mar 24, 2015 6:24 pm    Post subject: Reply with quote

When your PC is connected through VPN your public (Internet facing) IP address is what your VPN provider assigns to you and is different from what you got from the ISP. You should set up a dynamic DNS service and make your PC update the dynamic domain name to the VPN IP address.

This is because all your traffic is routed through the tunnel and by connecting to the ISP provided IP the packets never reach your SSH daemon.
_________________
cd /usr/src/life && ./configure && make
Back to top
View user's profile Send private message
BlueFusion
Guru
Guru


Joined: 08 Mar 2006
Posts: 371

PostPosted: Tue Mar 24, 2015 7:50 pm    Post subject: Reply with quote

Klayman wrote:
When your PC is connected through VPN your public (Internet facing) IP address is what your VPN provider assigns to you and is different from what you got from the ISP. You should set up a dynamic DNS service and make your PC update the dynamic domain name to the VPN IP address.

This is because all your traffic is routed through the tunnel and by connecting to the ISP provided IP the packets never reach your SSH daemon.


That's the problem. I can't SSH into the PC using the VPN IP. All inbound ports are blocked/firewalled by the OpenVPN server of which I have no control. I need to reach this PC remotely using my ISP's IP address (through my NAT router, which has port 22 port-forwarded, and confirmed working).
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13509

PostPosted: Wed Mar 25, 2015 1:26 am    Post subject: Reply with quote

When the VPN is up, is the route to the ssh client through the VPN or through the public Internet? If the former, then reverse path filtering will likely prevent the connection from working properly.
Back to top
View user's profile Send private message
BlueFusion
Guru
Guru


Joined: 08 Mar 2006
Posts: 371

PostPosted: Sat Mar 28, 2015 6:49 pm    Post subject: Reply with quote

Through public internet. There's no way to overcome this with iptables + ip route?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13509

PostPosted: Sat Mar 28, 2015 9:55 pm    Post subject: Reply with quote

If the VPN client's route to the ssh client is over the public Internet, then this should already work. Reverse path filtering would only be a problem if the route back to the ssh client was over the VPN.
Back to top
View user's profile Send private message
BlueFusion
Guru
Guru


Joined: 08 Mar 2006
Posts: 371

PostPosted: Tue Apr 07, 2015 9:12 pm    Post subject: Reply with quote

I figured it out.

Created /etc/openvpn/openvpn.pia-up.sh containing:
Quote:
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.eth0.rp_filter=0
sysctl -w net.ipv4.conf.tun0.rp_filter=0

ip route add default via 10.2.1.1 dev eth0 table sshtable || exit 1
ip rule add from all fwmark 1 table sshtable || exit 1


Rule added to my iptables firewall:
Quote:
iptables -A OUTPUT -t mangle -p tcp --sport 22 -j MARK --set-mark=1
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum