Changes between Version 3 and Version 4 of BridgingAndRouting


Timestamp:
02/16/12 15:21:38 (12 years ago)
Author:
David Sommerseth
Comment:

Improved the network layout and described more details

  • BridgingAndRouting

    v3 v4  
    5757}}}
    5858
    59 Say you have a pretty standard network with a single firewall:
     59To set up a TUN setup with routing and masquerading for the VPN subnet, one approach could be something like this.  This example is based on a pretty standard network with a single Linux based firewall with two Ethernet cards:
    6060
    6161{{{
    62 {INTERNET}-----[FIREWALL/OpenVPN server]-----<Internal network>
     62                            +--------------------------------+
     63                            |            FIREWALL            |
     64                 (public IP)|                                |192.168.0.1
     65 {INTERNET}================={eth1                        eth0}===============<internal network / 192.168.0.0/24>
     66                            |   \                        /   |
     67                            |    +----------------------+    |
     68                            |    | iptables and         |    |
     69                            |    | routing engine       |    |
     70                            |    +--+----------------+--+    |
     71                            |       |*1              |*2     |
     72                            |     (openvpn)-------{tun0}     |
     73                            |                    10.8.0.1    |
     74                            +--------------------------------+
     75
     76   *1 Only encrypted traffic will pass here, over UDP or TCP and only to the remote OpenVPN client
     77   *2 The unencrypted traffic will pass here.  This is the exit/entry point for the VPN tunnel.
    6378}}}
    6479
    65 To set up a TUN setup with routing and masquerading for the VPN subnet, one approach could be something like this.  Say your VPN is 10.8.0.0/24, your "Internet interface" is configured as eth1 and your internal LAN (say, 192.168.0.0/24) is eth0 ... then the firewall rules would be something like:
     80Here tun0 is configured as 10.8.0.1 as a VPN, with the whole VPN network configured as 10.8.0.0/24. 
     81
     82What happens with OpenVPN is that it accepts OpenVPN clients from eth1, OpenVPN will decrypt the data and put it to the tun0 interface, and the iptables and routing engine will pick up that traffic again, filter/masquerade it and send it further to eth0 or eth1, depending on the routing table.  When the routing engine sends traffic destined for the tun0 network, OpenVPN will pick it up, encrypt it and send it out on eth1, towards the proper OpenVPN client.
     83
     84So, lets look at the iptables rules required for this to work.
    6685
    6786{{{
    68     # Allow VPN to access LAN
     87    # Allow traffic initiated from VPN to access LAN
    6988    iptables -I FORWARD -i tun0 -o eth0 \
    7089         -s 10.8.0.0/24 -d 192.168.0.0/24 \
    7190         -m conntrack --ctstate NEW -j ACCEPT
    7291
    73     # Allow VPN to access "the world"
     92    # Allow traffic initiated from VPN to access "the world"
    7493    iptables -I FORWARD -i tun0 -o eth1 \
    7594         -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
    7695
    77     # Allow LAN to "the world"
     96    # Allow traffic initiated from LAN to access "the world"
    7897    iptables -I FORWARD -i eth0 -o eth1 \
    7998         -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
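Review bot: the three FORWARD rules in this hunk only restrict anything if the FORWARD chain's default policy is DROP, and nothing in the hunk says so; with the stock ACCEPT policy the VPN subnet, the LAN and eth1 can already forward to each other and these `-j ACCEPT` rules change nothing. Suggest adding `iptables -P FORWARD DROP` (and a sentence that IP forwarding must be enabled in the kernel) before the first rule, so the `--ctstate NEW` matches actually limit what VPN clients can reach. The new diagram and the "*1"/"*2" notes are a clear improvement over the one-line picture; the remaining sentence "So, lets look at the iptables rules" should read "let's".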
     
    83102         -j ACCEPT
    84103
    85     # Masquerade traffic from VPN to "the world"
     104    # Notice that -I is used, so when listing it (iptables -vxnL) it
     105    # will be reversed.  This is intentional in this demonstration.
     106
     107    # Masquerade traffic from VPN to "the world" -- done in the nat table
    86108    iptables -t nat -I POSTROUTING -o eth1 \
    87109          -s 10.8.0.0/24 -j MASQUERADE
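Review bot: the MASQUERADE rule only rewrites VPN traffic leaving on eth1, so packets from the VPN to 192.168.0.0/24 arrive at LAN hosts with their 10.8.0.x source address intact; that works only because, per the diagram, the firewall is 192.168.0.1 and is presumably the LAN's default gateway, so replies for 10.8.0.0/24 come back through it. Suggest stating that assumption next to the nat rule (a LAN host with a different gateway needs a route for 10.8.0.0/24 via 192.168.0.1, or the VPN-to-LAN traffic also needs masquerading on eth0). Style: the remark "Notice that -I is used, so when listing it ... it will be reversed" explains every rule in the block, so it reads better at the top, before the first `iptables -I FORWARD`, rather than after the last FORWARD rule.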
     
    93115}}}
    94116
    95 You need in the openvpn server config these lines:
     117In the openvpn server config you will need these lines:
    96118
    97119{{{