Gentoo Forums
[solved] Openvpn Server - Routing internet traffic
Elleni
Apprentice


Joined: 23 May 2006
Posts: 277

Posted: Sat Apr 09, 2016 6:24 pm    Post subject: [solved] Openvpn Server - Routing internet traffic

I installed openvpn server and am able to connect from an android system to openvpn. I also can see a webpage hosted on the openvpn server, which also has apache installed on it.

But I cannot reach other internet sites.

What is needed to route all traffic coming from the openvpn client to the internet? Can this be achieved by adding a route into the routing table of the server, or do I have to use iptables? I have no firewall installed on the server for the moment.

Code:
port 1234
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh4096.pem
tls-auth /etc/openvpn/certs/ta.key 0
server 10.8.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
persist-key
persist-tun
topology subnet
keepalive 10 120
local myipadress of the server
user openvpn
group openvpn
# client-to-client
comp-lzo
log        /var/log/openvpn.log
status     /var/log/openvpn-status.log
verb 5
mute 20
client-config-dir ccd
route 10.8.1.0 255.255.255.0


When I try to access a website on internet, I see
Code:
bad source address from client [10.216.50.110], packet dropped

on the openvpn server's log


Last edited by Elleni on Sat Apr 16, 2016 2:21 pm; edited 2 times in total
gerdesj
l33t


Joined: 29 Sep 2005
Posts: 607
Location: Yeovil, Somerset, UK

Posted: Sat Apr 09, 2016 10:30 pm    Post subject: Re: Openvpn Server - Routing internet traffic

For OpenVPN clients to access the internet:

    Routing (forwarding) must be enabled on the server (echo 1 > /proc/sys/net/ipv4/ip_forward, /etc/sysctl.d/, or similar that will set that entry)
    The clients must have a default gateway route that goes via the OVPN server
    The server must have a NAT rule for the OVPN clients
    The firewall must permit the traffic


You are probably missing out one of those items. You can run Wireshark (or tcpdump to file and read it via Wireshark elsewhere) and watch the traffic. Remember you can't see network traffic and guessing rarely works out!

Cheers
Jon
Elleni
Apprentice


Joined: 23 May 2006
Posts: 277

Posted: Sun Apr 10, 2016 10:37 am

First 2 points are OK. But I don't have iptables installed on the server. Can a NAT rule be implemented without iptables, or do I have to install iptables on the server for creating a NAT rule?
gerdesj
l33t


Joined: 29 Sep 2005
Posts: 607
Location: Yeovil, Somerset, UK

Posted: Sun Apr 10, 2016 11:18 am

Elleni wrote:
First 2 points are OK. But I don't have iptables installed on the server. Can a NAT rule be implemented without iptables, or do I have to install iptables on the server for creating a NAT rule?


NAT is a firewall function and hence iptables is needed if you want to do it at the OpenVPN server. However - unless your OVPN server has an external address - you actually have to do the NAT at your router. You will also need a static route on your router for the OVPN network which points back at your OVPN server.

Client <-> Server (OVPN network) <-> OVPN server (LAN) <-> Router (LAN) <-> Router (WAN) <-> ISP <-> Internet <-> Target

All the <-> above are routes and all devices need to "know" about the routes between all the others. You probably have all of them defined apart from Server (OVPN network) <-> Router (LAN) on Router. The NAT at Router (WAN) hides all your stuff behind itself which avoids you having to run BGP and of course your ISP takes care of your routes in the outside world.
Elleni
Apprentice


Joined: 23 May 2006
Posts: 277

Posted: Mon Apr 11, 2016 6:58 am

Understood. Thanks for the detailed answer. As the server is a virtual server and I have no router in between that I could configure, and I access the server by its public address, I understand now that I will have to implement iptables for NAT, and I will also add the needed route(s) in order to let my openvpn server secure my internet access via mobile device.

I will put [solved] as soon as I am done, but this could take a while :)

In the meantime I once more thank you for the awesome support in this forum! :D
gerdesj
l33t


Joined: 29 Sep 2005
Posts: 607
Location: Yeovil, Somerset, UK

Posted: Mon Apr 11, 2016 8:00 am

As the OVPN server has a public IP address then you will not need much in the way of routing because it "knows" where all its interfaces are already.

Please get a firewall installed as soon as possible. There are several great packages, e.g. Shorewall and ufw, which will make managing rules easier, or you can simply write a script. If you are using OpenRC you can put the rules in /etc/conf.d/net in postup() { } and postdown() { }

Good luck!
Elleni
Apprentice


Joined: 23 May 2006
Posts: 277

Posted: Wed Apr 13, 2016 8:50 pm

ok, I have iptables up and running with the help of:

https://wiki.gentoo.org/wiki/Iptables

and then added:
Code:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o enp0s5 -j MASQUERADE


Internet access on the vpn client now works, with a little exception:
When I change
Code:
iptables -P INPUT DROP


I have the problem that the websites hosted on the same server are not accessible. But internet access is still working.

As soon as I change the input table to accept, I have access to my website too.

Following are the iptables rules that I have set; perhaps someone sees what I should change in order to be able to access the internet, including my own website hosted on the same server, from the vpn client - with the input table set to drop.

Code:
iptables -L             
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
REJECT     tcp  --  anywhere             anywhere             tcp dpt:auth flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:10024 flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:10025 flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:mysql flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:openvpn-port flags:FIN,SYN,RST,ACK/SYN ctstate NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.1.0/24          anywhere           
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.8.1.0/24          anywhere 
gerdesj
l33t


Joined: 29 Sep 2005
Posts: 607
Location: Yeovil, Somerset, UK

Posted: Wed Apr 13, 2016 11:56 pm

You are nearly there. Could you post the output from the following:

#ip a
#ip r
#netstat -leepn | grep 80

I assume your webserver is listening on :80 (substitute apache or nginx if more appropriate.)

Cheers
Jon
Elleni
Apprentice


Joined: 23 May 2006
Posts: 277

Posted: Thu Apr 14, 2016 6:34 am

Code:
ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1c:42:66:08:79 brd ff:ff:ff:ff:ff:ff
    inet <ser.ver.ip.address>/24 brd <ser.ver.netw.255 scope global enp0s5
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none
    inet 10.8.1.1/24 brd 10.8.1.255 scope global tun0
       valid_lft forever preferred_lft forever


Code:
ip b
Object "b" is unknown, try "ip help".


Code:
netstat -leepn | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          5539       3968/apache2       
unix  2      [ ACC ]     STREAM     HÖRT         5801     4172/master          private/rewrite
unix  2      [ ACC ]     STREAM     HÖRT         5804     4172/master          private/bounce
unix  2      [ ACC ]     STREAM     HÖRT         5807     4172/master          private/defer


Yes and on port 443 too.

Code:
netstat -leepn | grep apache
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          5536       3968/apache2       
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          5539       3968/apache2       
unix  2      [ ACC ]     STREAM     HÖRT         54703    29865/apache2        /var/run/cgisock.3968


Thanks in advance :)
Elleni
Apprentice


Joined: 23 May 2006
Posts: 277

Posted: Sat Apr 16, 2016 2:23 pm

After reflecting a little bit, and after finding out that sending mails did not work either from my mobile with the vpn connection established, I found my error. I had most rules with -i enp0s5, which naturally explains why I could not see webpages that were requested via tun0. Corrected it and tataaa, everything works fine now :)

Thanks once again for incredible support in this forum! I love my gentoo :)
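The rule set this thread converges on, written up as an added example (not Elleni's rules or the Gentoo wiki's script): forwarding enabled, MASQUERADE for 10.8.1.0/24 out of enp0s5, and INPUT allows on both enp0s5 and tun0 so services on the server stay reachable through the tunnel, which is the mistake found in the last post. The interface names, subnet and port come from the thread; the 22/80/443 service list and the `IPT`/`SYSCTL` dry-run variables are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not the poster's own script. Assumed values
# come from the thread where it states them: WAN interface enp0s5, tunnel
# tun0, VPN subnet 10.8.1.0/24, OpenVPN on UDP 1234. The service ports
# 22/80/443 are a constructed list; add the mail ports if the box hosts mail.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
WAN=${WAN:-enp0s5}
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.1.0/24}
OVPN_PORT=${OVPN_PORT:-1234}

ovpn_firewall() {
    # 1. the kernel must forward between the tunnel and the WAN interface
    $SYSCTL -w net.ipv4.ip_forward=1
    # start from empty chains so a re-run does not append duplicate rules
    $IPT -F
    $IPT -t nat -F
    # 2. INPUT: loopback, replies to our own traffic, OpenVPN from the WAN
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --dport "$OVPN_PORT" -j ACCEPT
    # Services hosted on the server itself. A rule bound to -i enp0s5 never
    # matches a request that arrives through the tunnel, so each service
    # needs an allow on tun0 as well (the mistake found at the end of the thread).
    for ifc in "$WAN" "$VPN_IF"; do
        for port in 22 80 443; do
            $IPT -A INPUT -i "$ifc" -p tcp --dport "$port" \
                -m conntrack --ctstate NEW -j ACCEPT
        done
    done

    # 3. FORWARD: only tunnel clients are routed out; replies return via conntrack
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN" -s "$VPN_NET" -j ACCEPT
    $IPT -A FORWARD -j REJECT

    # 4. NAT: hide the 10.8.1.0/24 clients behind the server's public address
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN" -j MASQUERADE
    # default-deny policies go last so the allow rules exist before anything drops
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    apply)   ovpn_firewall ;;
    dry-run) IPT=echo; SYSCTL=echo; ovpn_firewall ;;
esac
```

Run `sh ovpn-fw.sh dry-run` to print the commands it would issue, and `sh ovpn-fw.sh apply` as root to load them; with no argument the script only defines the function.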