Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)In search of VPN server with specific requirements
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3


89 posts

Master Geek


  #2302826 21-Aug-2019 10:51
Send private message

BarTender:

 

pomtom44: Thats exactly what I said isnt it?

I want to run in TAP mode so the traffic on the LAN uses the Clients IP, so then I can use my current firewall to do my traffic management
Like I do for my current vlans and devices.

I can't do that on TUN mode as my firewall only sees the internal IP of my VPN server and not the client IP thats connecting.

 

The firewall will see the IP addresses allocated in TUN mode so you can apply traffic management. It is just that the traffic will come from a different subnet rather than your current LAN subnet.

 

So in TAP mode you would have

 

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50 and VPN IP addresses 192.168.1.200-192.168.1.210

 

Or something like that. The issue is the client to dish out the IPs is a lot more complicated

 

In TUN mode you would have:

 

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50

 

Then you would also have a network route on the Firewall for 192.168.2.0/24 via 192.168.1.2

 

OpenVPN would have the TUN interface on 192.168.2.1 and hand out IP Addresses on 192.168.2.10-50 or whatever and you would run Avahi on the OpenVPN Server as it would be a router.

 

Then the firewall would need to apply policy to 192.168.1.0/24 and 192.168.2.0/24 based on the traffic management you require.

 

 

This is what I have currently

 

Internet ---> Router/Firewall ---> 192.168.10.0 network ---> 192.168.10.10 (VPN Server) 

If I run in TUN mode I have my OpenVPN server set to hand out 192.168.10.100-200
The traffic I see on my router/firewall all comes from 192.168.10.10 due to the routing happening on the OpenVPN server.

 

EG
I connect my phone, It gets 192.168.10.101,
I browse the web, my firewall sees the traffic from 10.10 not 10.101
So I can't put client level filtering in place on the firewall.

 

 

 

 

 

 

 

 

2494 posts

Uber Geek

Lifetime subscriber

  #2302830 21-Aug-2019 10:56
Send private message

Invent another network for your OpenVPN tunnels and add a route to it to firewall. All done.

 
 
 
 




89 posts

Master Geek


  #2302838 21-Aug-2019 11:03
Send private message

Spyware:

 

Invent another network for your OpenVPN tunnels and add a route to it to firewall. All done.

 



I dont see how to do that though

Ill put a post up in a sec with my current network and what im wanting / what im getting



89 posts

Master Geek


  #2302841 21-Aug-2019 11:10
Send private message

My current setup

Internet ----> Router ---> VLANS

VLAN 1: General
VLAN 2: Security
VLAN 3: Servers
VLAN 4: VPN

What I have currently is firewall rules on my router (USG) To prevent cross VLAN talk
So people on general cant access my security or servers network

Then i allow certain devices certain access though IP based firewall rules

EG my pc can access the whole security network so I can login to cameras and change settigns
My wife PC can only access the web panel for the security server so she can view recordings (IP:Port filterting)
Anyone can access the web server on the servers network (IP and Port 80/443) ETC

I have my VPN server setup on the VPN VLAN
192.168.10.0/24
Server 192.168.10.10

I want a way so when I login to the VPN from outside the network on say my phone, it gets the IP 192.168.10.101
Or 192.168.11.101 (Depending on if you can use the same network for both sides of teh server or not)

I have that working though TUN mode, and I can get internet.

however my firewall only sees the VPN traffic as 192.168.10.10, the LAN side of the VPN server.
So I cant apply my IP based firewall rules to individual clients as ALL the traffic coming in is showing as 10.10

My understanding is TAP mode should fix this, but Andriod doesnt support TAP (unless I pay the subscription for that app which im trying to avoid)

 

So how do I get around this issue?

I can either map a VPN IP to a Internal IP and do routing on the VPN server for each device.
I can find a way to pass though the IP address correctly
or the last resort, just do my firewall rules on the VPN server and leave it at that (which I want to try avoid so my rules are all in the one place)

2494 posts

Uber Geek

Lifetime subscriber

  #2302845 21-Aug-2019 11:17
Send private message

Create a UNIQUE network for the tunnels, i.e., on a different network to the VPN server (and different to your other networks). Add a route to the tunnel network to your firewall.



89 posts

Master Geek


  #2302847 21-Aug-2019 11:20
Send private message

Spyware:

 

Create a UNIQUE network for the tunnels, i.e., on a different network to the VPN server (and different to your other networks). Add a route to the tunnel network to your firewall.

 



I have done that
I have set the VPN LAN to 192.168.10.10 and the VPN Client to 192.168.11.0/24 but still get the 10.10 address on the firewall.

 

How / where do I set the route rules? as that may be what im after?

2494 posts

Uber Geek

Lifetime subscriber

  #2302915 21-Aug-2019 11:54
Send private message

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

 
 
 
 




89 posts

Master Geek


  #2302916 21-Aug-2019 12:00
Send private message

Spyware:

 

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

 



Thats set on the firewall though?

I dont see how that helps with the OpenVPN routing issues?

3107 posts

Uber Geek

Trusted
Lifetime subscriber

  #2302919 21-Aug-2019 12:01
Send private message

I think you also have NAT / masquerade enabled on your "LAN" interface on your OpenVPN server.

 

So therefor iptables is mangling outbound traffic from the VPN tunnel to your network.

 

That's probably because you hand't added a reverse route into the USG to route the OpenVPN network back via the OpenVPN router. ip_forwarding would also need to be enabled.




and


2494 posts

Uber Geek

Lifetime subscriber

  #2302922 21-Aug-2019 12:09
Send private message

pomtom44:

 

Spyware:

 

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

 



Thats set on the firewall though?

I dont see how that helps with the OpenVPN routing issues?

 

 

In OpenVPN you define the tunnel retwork with, e.g.,

 

server 192.168.11.0 255.255.255.0

 

You then create a route in the router/firewall to point to 192.168.11.0 (via the address that OpenVPN listens on, the address of the linux box).



89 posts

Master Geek


  #2302923 21-Aug-2019 12:11
Send private message

Spyware:

 

pomtom44:

 

Spyware:

 

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

 



Thats set on the firewall though?

I dont see how that helps with the OpenVPN routing issues?

 

 

In OpenVPN you define the tunnel retwork with, e.g.,

 

server 192.168.11.0 255.255.255.0

 

You then create a route in the router/firewall to point to 192.168.11.0 (via the address that OpenVPN listens on, the address of the linux box).

 



I still think your mis-understanding my issue?
I dont see how setting routes on the firewall will change my routing issues on the OpenVPN server



89 posts

Master Geek


  #2302926 21-Aug-2019 12:12
Send private message

BarTender:

 

I think you also have NAT / masquerade enabled on your "LAN" interface on your OpenVPN server.

 

So therefor iptables is mangling outbound traffic from the VPN tunnel to your network.

 

That's probably because you hand't added a reverse route into the USG to route the OpenVPN network back via the OpenVPN router. ip_forwarding would also need to be enabled.

 



Ill give that a try and see what happens.

2494 posts

Uber Geek

Lifetime subscriber

  #2302927 21-Aug-2019 12:15
Send private message

OpenVPN has no issue. The problem is simply to do with being able to route between networks, without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.



89 posts

Master Geek


  #2302930 21-Aug-2019 12:23
Send private message

Spyware:

 

OpenVPN has no issue. The problem is simply to do with being able to route between networks, without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

 



So the fact that the traffic from my Client is showing the OpenVPN Servers IP address is a problem with my firewall and not the OpenVPN Server?
Sorry but that doesn't sound right to me?



89 posts

Master Geek


  #2302932 21-Aug-2019 12:27
Send private message

Spyware:

 

OpenVPN has no issue. The problem is simply to do with being able to route between networks, without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

 




Connect phone to VPN, connects fine with IP 192.168.11.101
Browse to google, loads fine
Look at firewall logs, sees traffic from 192.168.10.10 going to google

Connect Laptop to VPN, Connects fine with IP 192.168.11.102
Browse to google, loads fine
Look at firewall logs, sees traffic from 192.168.10.10 going to google

I dont see how thats an issue with the routing on the firewall?
To me thats an issue with the fact OpenVPN does internal routing between the VPN clients and the LAN interface.

1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

OPPO Find X2 Lite brings flagship features to mid-range 5G smartphone
Posted 29-May-2020 12:52

Sony introduces the digital camera ZV-1 for content creators
Posted 27-May-2020 12:47

Samsung Announces 2020 QLED TV Range
Posted 20-May-2020 16:29

D-Link A/NZ launches AI-Powered body temperature measuring system
Posted 20-May-2020 16:22

NortonLifeLock Online Banking Protection now available for New Zealand banks
Posted 20-May-2020 16:14

SD Express delivers new gigabyte speeds for SD memory cards
Posted 20-May-2020 15:00

D-Link A/NZ launches Nuclias cloud managed network solution hosted in Australia
Posted 11-May-2020 17:53

Logitech introduces new video streaming solution for home studios
Posted 11-May-2020 17:48

Next generation Volvo cars to be powered by Luminar LiDAR technology
Posted 7-May-2020 13:56

D-Link A/NZ launches Wi-Fi Certified EasyMesh system
Posted 7-May-2020 13:51

Spark teams up with Microsoft to bring Xbox All Access to New Zealand
Posted 7-May-2020 13:01

Microsoft plans to establish its first datacenter region in New Zealand
Posted 6-May-2020 11:35

Genesis School-gen has joined forces with Mind Lab Kids
Posted 1-May-2020 12:53

Malwarebytes expands into privacy with fast, frictionless VPN
Posted 30-Apr-2020 16:06

Kordia to donate TV airtime on Channel 200 to community groups
Posted 30-Apr-2020 16:00


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.