Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Version 19 and Version 20 of BridgingAndRouting

Timestamp:: 04/01/16 19:25:29 (9 years ago)
Author:: David Sommerseth
Comment:: Clarify the masquerading of VPN clients further

Legend:

: Unmodified
: Added
: Removed
: Modified

BridgingAndRouting

-                      v19
+                      v20
 The Router needs to have a port forwarding for the port you want to use for OpenVPN and forward that port to 192.168.0.10, which is the IP address of the OpenVPN on the internal network.
 The next thing you need to do on the router is to add a route for your VPN subnet.  In the routing table on your Router, add 10.8.0.0/24 to be sent via 192.168.0.10.  This is needed for the traffic from your LAN clients to be able to find their way back to the VPN clients.  If this is not possible, you need add such routes explicitly on all the LAN clients you want to access via the VPN. Another less laborious way to do this, is to add a rule to masquerade the network 10.8.0.0/24 with iptables, as done with the third rule in the iptables commands below.
+The next thing you need to do on the router is to add a route for your VPN subnet.  In the routing table on your router, add 10.8.0.0/24 to be sent via 192.168.0.10.  This is needed for the traffic from your LAN clients to be able to find their way back to the VPN clients.  If this is not possible, you need add such routes explicitly on all the LAN clients you want to access via the VPN.
 The firewall rules will also need to be different, and less extensive.  Here you just need to add rules which opens up traffic from the VPN subnet and into your local LAN.
 …
     iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
          -j ACCEPT
-    # Masquerade traffic from VPN -- done in the nat table
-    # Do this only if you haven't modified routing tables as explained before
-    #iptables -t nat -I POSTROUTING -o eth0 \
-    #      -s 10.8.0.0/24 -j MASQUERADE
 }}}
 If you also want your VPN clients to access the complete Internet, just remove the ''-d 192.168.0.0/24'' part from the first iptables example above.
+In some situations it is not possible to modify the routing table on the main router or on each client.  Then the alternative is to masquerade all VPN clients as coming from 192.168.0.10.  The drawback of this approach is that all VPN clients looks like coming from the VPN server itself - you will '''not''' see the IP address of the VPN client at all.  This approach is generally considered as a last option if proper routing is not feasible.
+{{{
+    # Masquerade all traffic from VPN clients -- done in the nat table
+    iptables -t nat -I POSTROUTING -o eth0 \
+          -s 10.8.0.0/24 -j MASQUERADE
+}}}
 The rest of the configuration will be as the very first routing example.  You need to set net.ipv4.ip_forward=1 and you need the extracts for the OpenVPN configuration as indicated.