Changes between Version 3 and Version 4 of BridgingAndRouting
Timestamp: 02/16/12 15:21:38
BridgingAndRouting
v3 v4 57 57 }}} 58 58 59 Say you have a pretty standard network with a single firewall:59 To set up a TUN setup with routing and masquerading for the VPN subnet, one approach could be something like this. This example is based on a pretty standard network with a single Linux based firewall with two Ethernet cards: 60 60 61 61 {{{ 62 {INTERNET}-----[FIREWALL/OpenVPN server]-----<Internal network> 62 +--------------------------------+ 63 | FIREWALL | 64 (public IP)| |192.168.0.1 65 {INTERNET}================={eth1 eth0}===============<internal network / 192.168.0.0/24> 66 | \ / | 67 | +----------------------+ | 68 | | iptables and | | 69 | | routing engine | | 70 | +--+----------------+--+ | 71 | |*1 |*2 | 72 | (openvpn)-------{tun0} | 73 | 10.8.0.1 | 74 +--------------------------------+ 75 76 *1 Only encrypted traffic will pass here, over UDP or TCP and only to the remote OpenVPN client 77 *2 The unencrypted traffic will pass here. This is the exit/entry point for the VPN tunnel. 63 78 }}} 64 79 65 To set up a TUN setup with routing and masquerading for the VPN subnet, one approach could be something like this. Say your VPN is 10.8.0.0/24, your "Internet interface" is configured as eth1 and your internal LAN (say, 192.168.0.0/24) is eth0 ... then the firewall rules would be something like: 80 Here tun0 is configured as 10.8.0.1 as a VPN, with the whole VPN network configured as 10.8.0.0/24. 81 82 What happens with OpenVPN is that it accepts OpenVPN clients from eth1, OpenVPN will decrypt the data and put it to the tun0 interface, and the iptables and routing engine will pick up that traffic again, filter/masquerade it and send it further to eth0 or eth1, depending on the routing table. When the routing engine sends traffic destined for the tun0 network, OpenVPN will pick it up, encrypt it and send it out on eth1, towards the proper OpenVPN client. 83 84 So, lets look at the iptables rules required for this to work. 
66 85 67 86 {{{ 68 # Allow VPN to access LAN87 # Allow traffic initiated from VPN to access LAN 69 88 iptables -I FORWARD -i tun0 -o eth0 \ 70 89 -s 10.8.0.0/24 -d 192.168.0.0/24 \ 71 90 -m conntrack --ctstate NEW -j ACCEPT 72 91 73 # Allow VPN to access "the world"92 # Allow traffic initiated from VPN to access "the world" 74 93 iptables -I FORWARD -i tun0 -o eth1 \ 75 94 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT 76 95 77 # Allow LAN to"the world"96 # Allow traffic initiated from LAN to access "the world" 78 97 iptables -I FORWARD -i eth0 -o eth1 \ 79 98 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT … … 83 102 -j ACCEPT 84 103 85 # Masquerade traffic from VPN to "the world" 104 # Notice that -I is used, so when listing it (iptables -vxnL) it 105 # will be reversed. This is intentional in this demonstration. 106 107 # Masquerade traffic from VPN to "the world" -- done in the nat table 86 108 iptables -t nat -I POSTROUTING -o eth1 \ 87 109 -s 10.8.0.0/24 -j MASQUERADE … … 93 115 }}} 94 116 95 You need in the openvpn server configthese lines:117 In the openvpn server config you will need these lines: 96 118 97 119 {{{
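Review bot: the *1 path in the new diagram (encrypted OpenVPN traffic arriving on eth1) is not covered by any rule visible in the FORWARD/POSTROUTING listing, and the prose moves straight from the diagram to the forwarding rules. If the server's INPUT chain is not default-accept, an INPUT rule accepting the OpenVPN listen port on eth1 is required, and IP forwarding (`net.ipv4.ip_forward=1`) must be enabled before the routing engine will move packets between tun0, eth0 and eth1 at all. Suggest stating both prerequisites in a sentence before "So, lets look at the iptables rules" (and "lets" should read "let's"; "To set up a TUN setup" repeats "setup").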
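Review bot: the three `-m conntrack --ctstate NEW -j ACCEPT` rules admit only the first packet of each connection, so they work only together with an ESTABLISHED,RELATED accept in FORWARD (the `-j ACCEPT` tail left visible in the elided part is presumably that rule); the surrounding text should say so, because a reader who copies just the three commented rules will see every reply packet dropped. From a least-privilege standpoint the VPN-to-LAN rule lets all of 10.8.0.0/24 reach all of 192.168.0.0/24 on any protocol; where VPN users need only particular services, narrowing `-d` and adding `-p tcp --dport` makes the rule match the actual requirement rather than the whole subnet.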
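Review bot: the added comment that `-I` makes `iptables -vxnL` show the rules in reversed order is accurate, but the consequence that matters for someone pasting this into an existing firewall is left unsaid: `-I` inserts each rule at the head of the chain, ahead of any DROP, REJECT or LOG rules already there, so these accepts take precedence over the reader's current policy. Suggest extending the comment to say that in a production ruleset `-A` (append) in the intended evaluation order is normally what is wanted, and that the demonstration uses `-I` only so the snippet works on an empty chain.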