Geekzone: technology news, blogs, forums
785 posts | Ultimate Geek | +1 received by user: 247 | Trusted | Subscriber
Reply # 1365917 13-Aug-2015 22:17

Hi,

I've just double-checked that this works, and it does (but there is a trick to it!)

OK, I've got a Windows server (in AWS) configured as 172.31.100.10, and a Linux OpenVPN g/w which is internally 172.31.100.20; my local PC is a 192.168.10.x address on my WiFi router.  The OpenVPN box is using Amazon Public IP addressing via an Amazon Elastic IP; so it is reachable via the internet.

On the server side, the config is:

topology subnet
server 10.8.0.0 255.255.255.0
push "route 172.31.100.0 255.255.255.0"

So, a standard routing config with a route pushed back.

The OpenVPN client just specifies the Amazon public IP for the OpenVPN server, and obviously the required certs.

However, and this may be where you're having trouble, for Windows 7/8/10 (well, Vista and above, I think) you need to be running the OpenVPN GUI with Administrator rights (i.e. right-click and choose "Run as Administrator").

Yes, that sucks; but if you don't do that, then the OpenVPN client doesn't have permissions to add the route to Windows.

The other thing that is required is to make sure that the Linux side has IP_FORWARDING enabled.  Easiest way to check is:

# cat /proc/sys/net/ipv4/ip_forward

it should return "1".  If it says "0", then you'll have trouble.  To enable, as root, "echo 1 > /proc/sys/net/ipv4/ip_forward".

Next trick: In my case, I've configured the OpenVPN box to NAT the connections:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

So, that puts a rule into the Linux box which makes the incoming OpenVPN traffic appear to be the Linux box to anything else on its inside subnet (i.e. the 172.31.100.x network).

Of course, you could just put a route back to the 10.8.0.0 subnet on each of the other boxes you want to talk to, but I find that little NAT rule easier.

Hope that helps!

1664 posts | Uber Geek | +1 received by user: 188 | Subscriber
Reply # 1365922 13-Aug-2015 22:29

Thanks James - really appreciate your efforts there!

So I was already running the openVPN client as Administrator (noticed the errors adding the routes before so picked up on that one).

I have also checked that IP forwarding is *on* for my openVPN host. Tick.

The last thing is the NAT - this is where I get a little lost. I had read about something similar on the web and had added the following to /etc/network/interfaces on my openVPN host;

   post-up iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.100

I am not really sure if that is correct, but it looks similar to what you have, but obviously not the same.

I have a load of hosts I want to access so don't really want to manually add routes to them all, so some sort of *trick* like this would be much preferable.

If possible, could you explain how to set up that NAT rule in more detail? It looks like the only thing I'm missing!

Thanks again!

1664 posts | Uber Geek | +1 received by user: 188 | Subscriber
Reply # 1365964 13-Aug-2015 22:52

Tried updating my /etc/network/interfaces to;

auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

i.e. the same as yours (I think) but still no good. 

My lack of network nous is my biggest problem here, but I can't imagine this sort of thing is this hard to set up - surely it is a pretty typical setup?

Anyway - thanks again for your help - I will keep reading and learning - hopefully I will have the *lightbulb* moment soon!

Cheers,
Ben

785 posts | Ultimate Geek | +1 received by user: 247 | Trusted | Subscriber
Reply # 1366276 14-Aug-2015 12:36

SumnerBoy: Tried updating my /etc/network/interfaces to;

auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

i.e. the same as yours (I think) but still no good. 

Sounds like you're using a Debian-based distro (Ubuntu, if I had to guess).

I'm not sure how clever the "post-up" script processing is, so it may not be getting the IO redirection correct for the ip_forwarding.

Try editing /etc/sysctl.conf; there should be a couple of lines like this:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

As it says, uncomment the 2nd one, and then force a re-read with

sudo sysctl -p /etc/sysctl.conf

Also, would pay to check if the iptables rule was implemented by

sudo iptables -L -t nat

to print the NAT table and make sure the rule is there.
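The checks described in the two replies above (ip_forward, the uncommented sysctl.conf line, the NAT rule in the POSTROUTING chain, and the pushed LAN route), gathered into one preflight script. This is an added example and not code from either poster or from OpenVPN; it assumes the paths and values used in the thread as defaults (/etc/sysctl.conf, eth0, 10.8.0.0/24, 172.31.100.0 / 255.255.255.0) plus an assumed server config path of /etc/openvpn/server.conf. The nat_rule_scoped_to check goes beyond the thread: it flags a NAT rule that carries no -s restriction, because such a rule rewrites every packet forwarded out eth0, not only the VPN clients' traffic, whereas the -s 10.8.0.0/24 form Ben posted limits the rewrite to the VPN subnet.

```shell
#!/bin/sh
# Preflight checks for an OpenVPN "routed" gateway (added example, not the
# thread's own code). Every check takes its input as a file path or a string,
# so it can run on the live box or against output captured from it.

# 1. Runtime IPv4 forwarding: /proc/sys/net/ipv4/ip_forward must read "1".
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# 2. Persistent forwarding: an *uncommented* net.ipv4.ip_forward=1 line in
#    sysctl.conf. A line still reading "#net.ipv4.ip_forward=1" does not count.
sysctl_conf_enables_forwarding() {
    f="${1:-/etc/sysctl.conf}"
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$f"
}

# 3. NAT rule present. $1 is the output of `iptables -t nat -S POSTROUTING`
#    (-S prints each rule as the command that created it), $2 the WAN
#    interface. Either MASQUERADE or SNAT on that interface is accepted.
nat_rule_present() {
    rules="$1"; iface="$2"
    printf '%s\n' "$rules" | grep -Eq -- "^-A POSTROUTING .*-o $iface .*-j (MASQUERADE|SNAT)"
}

# 4. Least-privilege check on the same output: is the NAT rule limited with
#    -s to the VPN subnet ($3)? Without it, everything forwarded out $2 is
#    rewritten, not just VPN client traffic.
nat_rule_scoped_to() {
    rules="$1"; iface="$2"; vpn_net="$3"
    printf '%s\n' "$rules" | grep -Eq -- "^-A POSTROUTING -s $vpn_net .*-o $iface .*-j (MASQUERADE|SNAT)"
}

# 5. Server config pushes the LAN route: push "route <net> <mask>".
config_pushes_route() {
    conf="$1"; net="$2"; mask="$3"
    grep -Eq "^[[:space:]]*push[[:space:]]+\"route[[:space:]]+$net[[:space:]]+$mask\"" "$conf"
}

# Run the checks against the live system; hard failures return 1, the two
# "nice to have" checks only warn. Defaults are the thread's values; the
# server.conf path is an assumption.
preflight() {
    iface="${1:-eth0}"; vpn_net="${2:-10.8.0.0/24}"
    lan_net="${3:-172.31.100.0}"; lan_mask="${4:-255.255.255.0}"
    conf="${5:-/etc/openvpn/server.conf}"
    rules="$(iptables -t nat -S POSTROUTING 2>/dev/null)"
    ip_forward_enabled || { echo "FAIL: ip_forward is not 1"; return 1; }
    sysctl_conf_enables_forwarding || echo "WARN: forwarding not persisted in /etc/sysctl.conf"
    nat_rule_present "$rules" "$iface" || { echo "FAIL: no NAT rule on $iface"; return 1; }
    nat_rule_scoped_to "$rules" "$iface" "$vpn_net" || echo "WARN: NAT rule is not limited to -s $vpn_net"
    config_pushes_route "$conf" "$lan_net" "$lan_mask" || { echo "FAIL: no pushed route for $lan_net"; return 1; }
    echo "OK: gateway preflight passed"
}
```

Each function can be run on its own against a file or pasted `iptables -t nat -S POSTROUTING` output, which is useful when the gateway's state has been captured into a ticket; `preflight` wires them together on the live box and needs root for the iptables call.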

1664 posts | Uber Geek | +1 received by user: 188 | Subscriber
Reply # 1366277 14-Aug-2015 12:38

Correct - Debian 8 actually - although the stick-in-the-mud is the fact I am trying to do this in an OpenVZ container (on a Proxmox host).

Thanks for your help - I am going to keep plugging away and hopefully have a eureka moment soon!

1664 posts | Uber Geek | +1 received by user: 188 | Subscriber
Reply # 1366809 15-Aug-2015 11:21

BINGO! Solved it - the issue was the fact my OpenVZ container did not have NAT tables enabled - since Proxmox disables them by default. After adding *iptable_nat* to the IPTABLES config setting in /etc/vz/vz.conf on my host and restarting, I was able to add the IP route and all of a sudden I can see everything on my LAN when connected over openVPN. I think my original config was probably correct but because NAT wasn't enabled the routes were not being created (there was probably a log somewhere telling me this!).

So in /etc/vz/vz.conf on my host;

    IPTABLES="iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

Then in /etc/network/interfaces in my container running openVPN;

    auto eth0
    iface eth0 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1

        post-up iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.100
        post-down iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.100

Thanks for your patience and assistance James - not sure I would have figured this out without your help!
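A cross-check for the OpenVZ root cause Ben found: the rules in the container's /etc/network/interfaces can only touch tables whose modules the host grants in the IPTABLES= list of /etc/vz/vz.conf, and a missing iptable_nat makes every `iptables -t nat` command fail at post-up, so the rule never appears and the VPN clients never get NATed. This is an added example, not the poster's or Proxmox's code; it assumes only that each `iptables -t X` needs the iptable_X module and that a rule with no -t uses the filter table, which is the naming the vz.conf line in the post uses. The file contents in the usage are constructed.

```shell
#!/bin/sh
# Compare the iptables modules a container's rules need with the ones the
# OpenVZ host grants in vz.conf (added example, not from the thread).

# Print the modules listed on the IPTABLES="..." line of a vz.conf, one per line.
vz_iptables_modules() {
    sed -n 's/^[[:space:]]*IPTABLES="\([^"]*\)".*/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Print the table modules the iptables rules in a file need, sorted and
# de-duplicated: "iptables -t X ..." needs iptable_X, and a rule with no -t
# uses the filter table, i.e. iptable_filter.
required_table_modules() {
    grep -E '(^|[[:space:]])iptables([[:space:]]|$)' "$1" | while read -r line; do
        case "$line" in
            *" -t "*) printf 'iptable_%s\n' "$(printf '%s\n' "$line" | sed 's/.* -t \([a-z]*\).*/\1/')" ;;
            *)        echo iptable_filter ;;
        esac
    done | sort -u
}

# Print every required module that vz.conf ($1) does not grant to the rules
# file ($2). Empty output means the host will let all of the rules load.
missing_vz_modules() {
    vzconf="$1"; rulesfile="$2"
    granted="$(vz_iptables_modules "$vzconf")"
    required_table_modules "$rulesfile" | while read -r m; do
        printf '%s\n' "$granted" | grep -qx "$m" || echo "$m"
    done
}

# Usage on a host, with the thread's file locations; exits 1 and names the
# missing modules if the container's post-up rules cannot all be created.
check_container_rules() {
    vzconf="${1:-/etc/vz/vz.conf}"
    rulesfile="${2:-/etc/network/interfaces}"   # path inside the container's root
    missing="$(missing_vz_modules "$vzconf" "$rulesfile")"
    if [ -n "$missing" ]; then
        echo "missing from IPTABLES= in $vzconf:"
        printf '  %s\n' $missing
        return 1
    fi
    echo "OK: all tables used in $rulesfile are granted"
}
```

Run as `check_container_rules /etc/vz/vz.conf /var/lib/vz/private/<ctid>/etc/network/interfaces` on the host (the container root path is whatever your Proxmox install uses); a non-empty list is the same symptom Ben hit, with the rule silently absent from `iptables -t nat -L` inside the container.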



