| 163 | = Using routing and OpenVPN not running on the default gateway = |
| 164 | This setup have much of the same requirements as the previous example. But there are a few minor modifications you need to make. |
| 165 | |
| 166 | {{{ |
| 167 | +-------------------------+ |
| 168 | (public IP)| | |
| 169 | {INTERNET}=============={ Router | |
| 170 | | | |
| 171 | | LAN switch | |
| 172 | +------------+------------+ |
| 173 | | (192.168.0.1) |
| 174 | | |
| 175 | | +-----------------------+ |
| 176 | | | | |
| 177 | | | OpenVPN | eth0: 192.168.0.10/24 |
| 178 | +--------------{eth0 server | tun0: 10.8.0.1/24 |
| 179 | | | | |
| 180 | | | {tun0} | |
| 181 | | +-----------------------+ |
| 182 | | |
| 183 | +--------+-----------+ |
| 184 | | | |
| 185 | | Other LAN clients | |
| 186 | | | |
| 187 | | 192.168.0.0/24 | |
| 188 | | (internal net) | |
| 189 | +--------------------+ |
| 190 | |
| 191 | }}} |
| 192 | |
| 193 | The Router needs to have a port forwarding for the port you want to use for OpenVPN and forward that port to 192.168.0.10, which is the IP address of the OpenVPN on the internal network. |
| 194 | |
| 195 | The next thing you need to do on the router is to add a route for your VPN subnet. In the routing table on your Router, add 10.8.0.0/24 to be sent via 192.168.0.10. This is needed for the traffic from your LAN clients to be able to find their way back to the VPN clients. If this is not possible, you need add such routes explicitly on all the LAN clients you want to access via the VPN. |
| 196 | |
| 197 | The firewall rules will also need to be different, and less extensive. Here you just need to add rules which opens up traffic from the VPN subnet and into your local LAN. |
| 198 | |
| 199 | {{{ |
| 200 | # Allow traffic initiated from VPN to access LAN |
| 201 | iptables -I FORWARD -i tun0 -o eth0 \ |
| 202 | -s 10.8.0.0/24 -d 192.168.0.0/24 \ |
| 203 | -m conntrack --ctstate NEW -j ACCEPT |
| 204 | |
| 205 | # Allow established traffic to pass back and forth |
| 206 | iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \ |
| 207 | -j ACCEPT |
| 208 | }}} |
| 209 | |
| 210 | If you also want your VPN clients to access the complete Internet, just remove the ''-d 192.168.0.0/24'' from the first iptables example above. |
| 211 | |
| 212 | The rest of the configuration will be as the very first routing example. You need to set net.ipv4.ip_forward=1 and you need the extracts for the OpenVPN configuration as indicated. |
| 213 | |
| 214 | |