pomtom44
128 posts
Master Geek
#2302826 21-Aug-2019 10:51

BarTender:

pomtom44: That's exactly what I said, isn't it?

I want to run in TAP mode so the traffic on the LAN uses the client's IP, so then I can use my current firewall to do my traffic management, like I do for my current VLANs and devices.

I can't do that in TUN mode as my firewall only sees the internal IP of my VPN server and not the client IP that's connecting.

The firewall will see the IP addresses allocated in TUN mode so you can apply traffic management. It is just that the traffic will come from a different subnet rather than your current LAN subnet.

So in TAP mode you would have

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50 and VPN IP addresses 192.168.1.200-192.168.1.210

Or something like that. The issue is that the client to dish out the IPs is a lot more complicated.

In TUN mode you would have:

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50

Then you would also have a network route on the Firewall for 192.168.2.0/24 via 192.168.1.2

OpenVPN would have the TUN interface on 192.168.2.1 and hand out IP addresses on 192.168.2.10-50 or whatever, and you would run Avahi on the OpenVPN Server as it would be a router.

Then the firewall would need to apply policy to 192.168.1.0/24 and 192.168.2.0/24 based on the traffic management you require.

This is what I have currently:

Internet ---> Router/Firewall ---> 192.168.10.0 network ---> 192.168.10.10 (VPN Server)

If I run in TUN mode I have my OpenVPN server set to hand out 192.168.10.100-200.
The traffic I see on my router/firewall all comes from 192.168.10.10 due to the routing happening on the OpenVPN server.

EG:
I connect my phone, it gets 192.168.10.101.
I browse the web, my firewall sees the traffic from 10.10, not 10.101.
So I can't put client-level filtering in place on the firewall.

Spyware
3728 posts
Uber Geek
Lifetime subscriber
#2302830 21-Aug-2019 10:56

Invent another network for your OpenVPN tunnels and add a route to it on the firewall. All done.

pomtom44
128 posts
Master Geek
#2302838 21-Aug-2019 11:03

Spyware:

Invent another network for your OpenVPN tunnels and add a route to it on the firewall. All done.

I don't see how to do that though.

I'll put a post up in a sec with my current network and what I'm wanting / what I'm getting.

pomtom44
128 posts
Master Geek
#2302841 21-Aug-2019 11:10

My current setup:

Internet ----> Router ---> VLANs

VLAN 1: General
VLAN 2: Security
VLAN 3: Servers
VLAN 4: VPN

What I have currently is firewall rules on my router (USG) to prevent cross-VLAN talk,
so people on General can't access my Security or Servers network.

Then I allow certain devices certain access through IP-based firewall rules.

EG my PC can access the whole Security network so I can log in to cameras and change settings.
My wife's PC can only access the web panel for the security server so she can view recordings (IP:Port filtering).
Anyone can access the web server on the Servers network (IP and port 80/443), etc.

I have my VPN server set up on the VPN VLAN:
192.168.10.0/24
Server 192.168.10.10

I want a way so that when I log in to the VPN from outside the network on, say, my phone, it gets the IP 192.168.10.101
or 192.168.11.101 (depending on whether you can use the same network for both sides of the server or not).

I have that working through TUN mode, and I can get internet.

However, my firewall only sees the VPN traffic as 192.168.10.10, the LAN side of the VPN server.
So I can't apply my IP-based firewall rules to individual clients, as ALL the traffic coming in is showing as 10.10.

My understanding is TAP mode should fix this, but Android doesn't support TAP (unless I pay the subscription for that app, which I'm trying to avoid).

So how do I get around this issue?

I can either map a VPN IP to an internal IP and do routing on the VPN server for each device,
I can find a way to pass through the IP address correctly,
or, the last resort, just do my firewall rules on the VPN server and leave it at that (which I want to try to avoid so my rules are all in the one place).

Spyware
3728 posts
Uber Geek
Lifetime subscriber
#2302845 21-Aug-2019 11:17

Create a UNIQUE network for the tunnels, i.e., on a different network to the VPN server (and different to your other networks). Add a route to the tunnel network to your firewall.

pomtom44
128 posts
Master Geek
#2302847 21-Aug-2019 11:20

Spyware:

Create a UNIQUE network for the tunnels, i.e., on a different network to the VPN server (and different to your other networks). Add a route to the tunnel network to your firewall.

I have done that.
I have set the VPN LAN to 192.168.10.10 and the VPN client to 192.168.11.0/24 but still get the 10.10 address on the firewall.

How / where do I set the route rules? As that may be what I'm after?

pomtom44
128 posts
Master Geek
#2302916 21-Aug-2019 12:00

Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?

BarTender
3598 posts
Uber Geek
ID Verified
Trusted
Lifetime subscriber
#2302919 21-Aug-2019 12:01

I think you also have NAT / masquerade enabled on your "LAN" interface on your OpenVPN server.

So therefore iptables is mangling outbound traffic from the VPN tunnel to your network.

That's probably because you hadn't added a reverse route into the USG to route the OpenVPN network back via the OpenVPN router. ip_forwarding would also need to be enabled.

Spyware
3728 posts
Uber Geek
Lifetime subscriber
#2302922 21-Aug-2019 12:09

pomtom44:

Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?

In OpenVPN you define the tunnel network with, e.g.,

server 192.168.11.0 255.255.255.0

You then create a route in the router/firewall to point to 192.168.11.0 (via the address that OpenVPN listens on, the address of the Linux box).
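The fix in this exchange sits in three places: BarTender's point above that a masquerade rule on the OpenVPN host's LAN interface rewrites every client to 192.168.10.10 (plus ip_forward and a reverse route), and Spyware's point here that the tunnel gets its own subnet via the `server` directive and the firewall gets a static route back to it. The script below is an added example written for this editorial pass, not code from the thread or any of its posters, that ties those together: it audits an iptables-save dump of the OpenVPN host for the masquerade that hides client addresses, reports which source address the USG would log for a client in each state, and prints the server config, a fixed per-client tunnel address, the host commands and the USG static route. The addresses are the thread's; the interface names (eth0, tun0), the exact MASQUERADE rule spec and the two iptables dumps are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed lab values: OpenVPN host at
# 192.168.10.10 with LAN interface eth0, tunnel network 192.168.11.0/24 on tun0,
# USG managed through the EdgeOS CLI. Interface names and the exact MASQUERADE
# rule are assumptions.
LAN_IF=eth0
TUN_NET=192.168.11.0/24
VPN_HOST=192.168.10.10

# 1. Audit: read an iptables-save dump of the OpenVPN host on stdin. Any
#    MASQUERADE/SNAT in POSTROUTING rewrites tunnel clients to the host's LAN
#    address, which is exactly the "everything shows as 10.10" symptom.
audit_nat() {
    hits=$(grep -E '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' || true)
    [ -z "$hits" ] && return 0
    printf 'NAT on the VPN host hides client addresses:\n%s\n' "$hits" >&2
    return 1
}

# Source address the USG will log for tunnel client $1, given that dump on stdin.
logged_source() {
    if audit_nat 2>/dev/null; then echo "$1"; else echo "$VPN_HOST"; fi
}

# Constructed dumps: the state described in the thread, and the corrected one.
NAT_DUMP_BEFORE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.11.0/24 -o eth0 -j MASQUERADE
COMMIT'
NAT_DUMP_AFTER='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# 2. OpenVPN server.conf fragment: routed tunnel on its own subnet, the LAN
#    route pushed to clients, and per-client overrides read from ccd/.
server_conf() {
    cat <<EOF
dev tun
topology subnet
server 192.168.11.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
client-config-dir ccd
EOF
}

# Fixed tunnel address for one client (write the output to ccd/<certificate CN>),
# so an IP-based rule on the USG keeps matching that device across reconnects.
# $1 = last octet; with "topology subnet", ifconfig-push takes address + netmask.
ccd_entry() {
    echo "ifconfig-push 192.168.11.$1 255.255.255.0"
}

# 3. Commands for the OpenVPN host (printed, not executed, so this file runs
#    offline): forward instead of NAT, and let tunnel<->LAN traffic through FORWARD.
host_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -D POSTROUTING -s $TUN_NET -o $LAN_IF -j MASQUERADE
iptables -A FORWARD -i tun0 -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# 4. Return route on the USG (EdgeOS CLI), so replies to 192.168.11.x go back
#    via the OpenVPN host instead of being dropped as unroutable.
usg_cmds() {
    cat <<EOF
configure
set protocols static route $TUN_NET next-hop $VPN_HOST
commit
save
exit
EOF
}

# Demo: what the firewall logs for the phone in each state.
printf '%s\n' "$NAT_DUMP_BEFORE" | logged_source 192.168.11.101   # 192.168.10.10
printf '%s\n' "$NAT_DUMP_AFTER"  | logged_source 192.168.11.101   # 192.168.11.101
```

Run it as-is to see which source address the USG would log in each state; the `*_cmds` functions only print, so nothing is changed until those lines are applied on the host and the USG. Two caveats for the USG: a route entered at its CLI is lost when the UniFi controller re-provisions the device, so it belongs in config.gateway.json, and once the host stops masquerading, the USG's own outbound NAT has to cover 192.168.11.0/24 for the clients' internet traffic.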


pomtom44
128 posts
Master Geek
#2302923 21-Aug-2019 12:11

Spyware:

pomtom44:

Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?

In OpenVPN you define the tunnel network with, e.g.,

server 192.168.11.0 255.255.255.0

You then create a route in the router/firewall to point to 192.168.11.0 (via the address that OpenVPN listens on, the address of the Linux box).

I still think you're misunderstanding my issue?
I don't see how setting routes on the firewall will change my routing issues on the OpenVPN server.

pomtom44
128 posts
Master Geek
#2302926 21-Aug-2019 12:12

BarTender:

I think you also have NAT / masquerade enabled on your "LAN" interface on your OpenVPN server.

So therefore iptables is mangling outbound traffic from the VPN tunnel to your network.

That's probably because you hadn't added a reverse route into the USG to route the OpenVPN network back via the OpenVPN router. ip_forwarding would also need to be enabled.

I'll give that a try and see what happens.

Spyware
3728 posts
Uber Geek
Lifetime subscriber
#2302927 21-Aug-2019 12:15

OpenVPN has no issue. The problem is simply to do with being able to route between networks, without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

pomtom44
128 posts
Master Geek
#2302930 21-Aug-2019 12:23

Spyware:

OpenVPN has no issue. The problem is simply to do with being able to route between networks, without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

So the fact that the traffic from my client is showing the OpenVPN server's IP address is a problem with my firewall and not the OpenVPN server?
Sorry, but that doesn't sound right to me?

pomtom44
128 posts
Master Geek
#2302932 21-Aug-2019 12:27

Spyware:

OpenVPN has no issue. The problem is simply to do with being able to route between networks, without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

Connect phone to VPN, connects fine with IP 192.168.11.101.
Browse to Google, loads fine.
Look at firewall logs, sees traffic from 192.168.10.10 going to Google.

Connect laptop to VPN, connects fine with IP 192.168.11.102.
Browse to Google, loads fine.
Look at firewall logs, sees traffic from 192.168.10.10 going to Google.

I don't see how that's an issue with the routing on the firewall?
To me that's an issue with the fact OpenVPN does internal routing between the VPN clients and the LAN interface.
