Linode Forum https://forum.linode.com/

OpenVPN: Unable to reach internal services outside firewall
https://forum.linode.com/viewtopic.php?f=19&t=11289
Author: linuxgeek [ Mon Sep 08, 2014 4:04 am ]
Post subject: OpenVPN: Unable to reach internal services outside firewall
So far I am starting to think this may be firewall related, but hoping to receive some input from others. My goal is to be able to reach internal services while connected to my OpenVPN from any external source address. Default iptables policy = DROP. OpenVPN has been set up and clients can successfully connect with their respective keys. While connected, clients show as having the VPN's WAN IP address, but clients cannot reach *any* internal services on the server's local LAN. Tried to force VPN packets to be routed over the public eth0 interface to no avail.

For the output of `iptables -S` see http://codepad.org/1uxj65rS

More detailed info…

## BEGIN POLICY ##
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

# /etc/ufw/rules.before
#
# Rules that should be run before the ufw command line added rules.

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT

# UFW
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN    xx.xxx.xx.xxx   = CLIENT1 WAN address *
25                         ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere (v6)
25                         ALLOW IN    Anywhere (v6)
8080                       ALLOW IN    Anywhere (v6)

* CLIENT 1 CANNOT REACH INTERNAL SERVICES FROM EXTERNAL WAN IP ADDRESSES (OWN WAN = OK)
## END POLICY ##

# ROUTING TABLE [BEFORE VPN]
Kernel IP routing table
Destination        Gateway          Genmask          Flags Metric Ref Use Iface
default            gw-xxxx.linode   0.0.0.0          UG    203    0   0   eth0
xx.xxx.xxx.0       *                255.255.255.0    U     203    0   0   eth0
server-domain.net  gw-xxxx.linode   255.255.255.255  UGH   0      0   0   eth0

# Force VPN packets to be routed over the public eth0 interface
# source: viewtopic.php?t=8737
ip rule add from xx.xx.xxx.xx table 128              # = SERVER IP
ip route add table 128 to xx.xxx.xxx.0/24 dev eth0   # = SERVER SUBNET
ip route add table 128 default via xx.xx.xxx.1       # = SERVER GATEWAY

# ROUTING TABLE [AFTER VPN]
Kernel IP routing table
Destination        Gateway          Genmask          Flags Metric Ref Use Iface
default            gw-xxxx.linode   0.0.0.0          UG    203    0   0   eth0
10.8.0.0           10.8.0.2         255.255.255.0    UG    0      0   0   tun0
10.8.0.2           *                255.255.255.255  UH    0      0   0   tun0
66.175.221.0       *                255.255.255.0    U     203    0   0   eth0
server-domain.net  gw-xxxx.linode   255.255.255.255  UGH   0      0   0   eth0

`ip addr show`
41: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever

# FORWARDING ENABLED
$ sysctl -p
net.ipv4.ip_forward = 1

/etc/ufw/sysctl.conf
net/ipv4/ip_forward=1

# NOTES
Client1 192.168.1.129 :: Successful pings to OpenVPN 10.8.0.1 + 10.8.0.10 [tun0]

/etc/openvpn/server.conf - http://codepad.org/EwwFKFPw
/etc/openvpn/client.conf - http://codepad.org/hXMq5HJ9

At this point -- I am really uncertain what the issue could be, but suspect it is either 1. Firewall or 2. Network Routing related. I would greatly appreciate anyone who can advise. Thanks for reading.
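Added example (not code from the post, from ufw or from OpenVPN): the poster's INPUT policy only trusts one client by its home WAN address plus ports 22, 25 and 8080 from anywhere, so a packet that arrives on tun0 with a 10.8.0.x source matches nothing and falls through to the DROP policy. The script below is a simplified first-match evaluator for rules in `iptables -S` form; it replays that walk for a constructed internal service on port 3306, once from the client's own WAN address and once over the VPN, against the rule set as posted and against the same set with one interface-scoped rule added (what `ufw allow in on tun0` produces, in reduced form). The addresses 203.0.113.10 and 198.51.100.7 are documentation placeholders standing in for the masked CLIENT1 address and for an unrelated host; real ufw output is split across ufw-user-input and related chains and this model ignores conntrack and `!` negation, so it is a diagnostic aid rather than a firewall.

```python
"""First-match evaluator for an `iptables -S`-style INPUT chain.

Added example, not code from the forum post or from ufw/OpenVPN. The rule
sets below are constructed from the poster's description (default INPUT
DROP; 22, 25 and 8080 open to anywhere; everything open from one client's
home WAN address). 203.0.113.10 is a placeholder for the masked CLIENT1
address. Conntrack, `!` negation and ufw's chain layering are not modelled.
"""
import ipaddress
import shlex

# Constructed approximation of the rules described in the post.
FIREWALL_AS_POSTED = """
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
"""

# Same rules plus trust by VPN interface instead of by the client's WAN
# address (the simplified form of `ufw allow in on tun0`). Other WAN hosts
# are still dropped, so the exposure stays limited to authenticated peers.
FIREWALL_FIXED = FIREWALL_AS_POSTED + "-A INPUT -i tun0 -j ACCEPT\n"


def parse_input_chain(text):
    """Return (policy, rules) for the INPUT chain; unknown matches are skipped."""
    policy = "DROP"
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[1] != "INPUT":
            continue
        if tokens[0] == "-P":
            policy = tokens[2]
            continue
        if tokens[0] != "-A":
            continue
        rule = {}
        i = 2
        while i + 1 < len(tokens):
            flag, value = tokens[i], tokens[i + 1]
            if flag == "-s":
                rule["src"] = ipaddress.ip_network(value, strict=False)
            elif flag == "-i":
                rule["iface"] = value
            elif flag == "-p":
                rule["proto"] = value
            elif flag == "--dport":
                rule["dport"] = int(value)
            elif flag == "-j":
                rule["target"] = value
            i += 2  # any other flag (-m tcp, --comment ...) consumes one value
        if "target" in rule:
            rules.append(rule)
    return policy, rules


def verdict(text, src, iface, proto, dport):
    """Walk the INPUT chain for one packet; return the first matching target."""
    policy, rules = parse_input_chain(text)
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if "src" in rule and src_ip not in rule["src"]:
            continue
        if "iface" in rule and rule["iface"] != iface:
            continue
        if "proto" in rule and rule["proto"] != proto:
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        return rule["target"]
    return policy  # no rule matched: the chain policy decides


def nat_source_as_stored(cidr):
    """How iptables stores a -s argument: host bits beyond the prefix are dropped."""
    return str(ipaddress.ip_network(cidr, strict=False))


if __name__ == "__main__":
    # Constructed scenarios: same client, same internal service (port 3306),
    # first from its own WAN address, then over the VPN from somewhere else.
    for label, src, iface in [("from own WAN, eth0", "203.0.113.10", "eth0"),
                              ("over VPN, tun0", "10.8.0.6", "tun0")]:
        posted = verdict(FIREWALL_AS_POSTED, src, iface, "tcp", 3306)
        fixed = verdict(FIREWALL_FIXED, src, iface, "tcp", 3306)
        print(f"{label:20} posted={posted:6} fixed={fixed}")
    print("POSTROUTING -s 10.8.0.0/8 is stored as", nat_source_as_stored("10.8.0.0/8"))
```

The `nat_source_as_stored` helper covers a second point a reviewer of the posted NAT rule would raise: `-s 10.8.0.0/8` is normalised to `10.0.0.0/8`, so the MASQUERADE rule applies to the whole private 10/8 range rather than to the VPN subnet; `10.8.0.0/24`, matching the tun0 route in the post, is the tighter match.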
All times are UTC-04:00