Context Navigation

Changes between Version 10 and Version 11 of BridgingAndRouting

Timestamp:: 07/27/12 17:46:44 (12 years ago)
Author:: David Sommerseth
Comment:: Added example for routed setup where openvpn server is on the inside

Legend:

: Unmodified
: Added
: Removed
: Modified

BridgingAndRouting

-                      v10
+                      v11
 And that's basically it.  Not much more extra trickery.  Routing setups are often much easier than people generally believe.  The firewall is generally a bit more tricky, but bridging doesn't make that easier.
+= Using routing and OpenVPN not running on the default gateway =
+This setup have much of the same requirements as the previous example.  But there are a few minor modifications you need to make.
+{{{
+                          +-------------------------+
+               (public IP)|                         |
+  {INTERNET}=============={     Router              |
+                          |                         |
+                          |         LAN switch      |
+                          +------------+------------+
+                                       | (192.168.0.1)
+                                       |
+                                       |              +-----------------------+
+                                       |              |                       |
+                                       |              |        OpenVPN        |  eth0: 192.168.0.10/24
+                                       +--------------{eth0    server         |  tun0: 10.8.0.1/24
+                                       |              |                       |
+                                       |              |           {tun0}      |
+                                       |              +-----------------------+
+                                       |
+                              +--------+-----------+
+                              |                    |
+                              |  Other LAN clients |
+                              |                    |
+                              |   192.168.0.0/24   |
+                              |   (internal net)   |
+                              +--------------------+
+}}}
+The Router needs to have a port forwarding for the port you want to use for OpenVPN and forward that port to 192.168.0.10, which is the IP address of the OpenVPN on the internal network.
+The next thing you need to do on the router is to add a route for your VPN subnet.  In the routing table on your Router, add 10.8.0.0/24 to be sent via 192.168.0.10.  This is needed for the traffic from your LAN clients to be able to find their way back to the VPN clients.  If this is not possible, you need add such routes explicitly on all the LAN clients you want to access via the VPN.
+The firewall rules will also need to be different, and less extensive.  Here you just need to add rules which opens up traffic from the VPN subnet and into your local LAN.
+{{{
+    # Allow traffic initiated from VPN to access LAN
+    iptables -I FORWARD -i tun0 -o eth0 \
+         -s 10.8.0.0/24 -d 192.168.0.0/24 \
+         -m conntrack --ctstate NEW -j ACCEPT
+    # Allow established traffic to pass back and forth
+    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
+         -j ACCEPT
+}}}
+If you also want your VPN clients to access the complete Internet, just remove the ''-d 192.168.0.0/24'' from the first iptables example above.
+The rest of the configuration will be as the very first routing example.  You need to set net.ipv4.ip_forward=1 and you need the extracts for the OpenVPN configuration as indicated.
 ''(If others see obvious mistakes, typos, or there are important details which are missing, please correct my errors.)''