Changes between Version 19 and Version 20 of BridgingAndRouting


Ignore:
Timestamp:
04/01/16 19:25:29 (2 years ago)
Author:
David Sommerseth
Comment:

Clarify the masquerading of VPN clients further

Legend:

Unmodified
Added
Removed
Modified
  • BridgingAndRouting

    v19 v20  
    200200The Router needs to have a port forwarding for the port you want to use for OpenVPN and forward that port to 192.168.0.10, which is the IP address of the OpenVPN on the internal network.
    201201
    202 The next thing you need to do on the router is to add a route for your VPN subnet.  In the routing table on your Router, add 10.8.0.0/24 to be sent via 192.168.0.10.  This is needed for the traffic from your LAN clients to be able to find their way back to the VPN clients.  If this is not possible, you need add such routes explicitly on all the LAN clients you want to access via the VPN. Another less laborious way to do this, is to add a rule to masquerade the network 10.8.0.0/24 with iptables, as done with the third rule in the iptables commands below.
     202The next thing you need to do on the router is to add a route for your VPN subnet.  In the routing table on your router, add 10.8.0.0/24 to be sent via 192.168.0.10.  This is needed for the traffic from your LAN clients to be able to find their way back to the VPN clients.  If this is not possible, you need add such routes explicitly on all the LAN clients you want to access via the VPN.
    203203
    204204The firewall rules will also need to be different, and less extensive.  Here you just need to add rules which opens up traffic from the VPN subnet and into your local LAN.
     
    213213    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
    214214         -j ACCEPT
    215 
    216     # Masquerade traffic from VPN -- done in the nat table
    217     # Do this only if you haven't modified routing tables as explained before
    218     #iptables -t nat -I POSTROUTING -o eth0 \
    219     #      -s 10.8.0.0/24 -j MASQUERADE
    220215}}}
    221216
    222217If you also want your VPN clients to access the complete Internet, just remove the ''-d 192.168.0.0/24'' part from the first iptables example above.
    223218
     219In some situations it is not possible to modify the routing table on the main router or on each client.  Then the alternative is to masquerade all VPN clients as coming from 192.168.0.10.  The drawback of this approach is that all VPN clients looks like coming from the VPN server itself - you will '''not''' see the IP address of the VPN client at all.  This approach is generally considered as a last option if proper routing is not feasible.
     220
     221{{{
     222    # Masquerade all traffic from VPN clients -- done in the nat table
     223    iptables -t nat -I POSTROUTING -o eth0 \
     224          -s 10.8.0.0/24 -j MASQUERADE
     225}}}
     226
    224227The rest of the configuration will be as the very first routing example.  You need to set net.ipv4.ip_forward=1 and you need the extracts for the OpenVPN configuration as indicated.
    225228