Geekzone: technology news, blogs, forums
69 posts
Master Geek
# 2302826 21-Aug-2019 10:51

BarTender:

pomtom44: That's exactly what I said, isn't it?

I want to run in TAP mode so the traffic on the LAN uses the client's IP, so then I can use my current firewall to do my traffic management, like I do for my current VLANs and devices.

I can't do that in TUN mode as my firewall only sees the internal IP of my VPN server and not the client IP that's connecting.

The firewall will see the IP addresses allocated in TUN mode so you can apply traffic management. It is just that the traffic will come from a different subnet rather than your current LAN subnet.

So in TAP mode you would have:

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50 and VPN IP addresses 192.168.1.200-192.168.1.210

Or something like that. The issue is that the client dishing out the IPs is a lot more complicated.

In TUN mode you would have:

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50

Then you would also have a network route on the firewall for 192.168.2.0/24 via 192.168.1.2.

OpenVPN would have the TUN interface on 192.168.2.1 and hand out IP addresses on 192.168.2.10-50 or whatever, and you would run Avahi on the OpenVPN server as it would be a router.

Then the firewall would need to apply policy to 192.168.1.0/24 and 192.168.2.0/24 based on the traffic management you require.

This is what I have currently:

Internet ---> Router/Firewall ---> 192.168.10.0 network ---> 192.168.10.10 (VPN Server)

If I run in TUN mode I have my OpenVPN server set to hand out 192.168.10.100-200.
The traffic I see on my router/firewall all comes from 192.168.10.10 due to the routing happening on the OpenVPN server.

EG:
I connect my phone, it gets 192.168.10.101.
I browse the web, my firewall sees the traffic from 10.10 not 10.101.
So I can't put client level filtering in place on the firewall.

2306 posts
Uber Geek
Lifetime subscriber
# 2302830 21-Aug-2019 10:56
One person supports this post

Invent another network for your OpenVPN tunnels and add a route to it on the firewall. All done.

69 posts
Master Geek
# 2302838 21-Aug-2019 11:03

Spyware:

Invent another network for your OpenVPN tunnels and add a route to it on the firewall. All done.

I don't see how to do that though.

I'll put a post up in a sec with my current network and what I'm wanting / what I'm getting.

69 posts
Master Geek
# 2302841 21-Aug-2019 11:10

My current setup:

Internet ----> Router ---> VLANS

VLAN 1: General
VLAN 2: Security
VLAN 3: Servers
VLAN 4: VPN

What I have currently is firewall rules on my router (USG) to prevent cross-VLAN talk,
so people on General can't access my Security or Servers network.

Then I allow certain devices certain access through IP-based firewall rules.

EG my PC can access the whole Security network so I can log in to cameras and change settings.
My wife's PC can only access the web panel for the security server so she can view recordings (IP:Port filtering).
Anyone can access the web server on the Servers network (IP and port 80/443), etc.

I have my VPN server set up on the VPN VLAN:
192.168.10.0/24
Server 192.168.10.10

I want a way so when I log in to the VPN from outside the network on, say, my phone, it gets the IP 192.168.10.101
or 192.168.11.101 (depending on if you can use the same network for both sides of the server or not).

I have that working through TUN mode, and I can get internet.

However my firewall only sees the VPN traffic as 192.168.10.10, the LAN side of the VPN server.
So I can't apply my IP-based firewall rules to individual clients as ALL the traffic coming in is showing as 10.10.

My understanding is TAP mode should fix this, but Android doesn't support TAP (unless I pay the subscription for that app, which I'm trying to avoid).

So how do I get around this issue?

I can either map a VPN IP to an internal IP and do routing on the VPN server for each device,
I can find a way to pass through the IP address correctly,
or the last resort, just do my firewall rules on the VPN server and leave it at that (which I want to try to avoid so my rules are all in the one place).

2306 posts
Uber Geek
Lifetime subscriber
# 2302845 21-Aug-2019 11:17

Create a UNIQUE network for the tunnels, i.e., on a different network to the VPN server (and different to your other networks). Add a route to the tunnel network on your firewall.

69 posts
Master Geek
# 2302847 21-Aug-2019 11:20

Spyware:

Create a UNIQUE network for the tunnels, i.e., on a different network to the VPN server (and different to your other networks). Add a route to the tunnel network on your firewall.

I have done that.
I have set the VPN LAN to 192.168.10.10 and the VPN client network to 192.168.11.0/24 but still get the 10.10 address on the firewall.

How / where do I set the route rules? As that may be what I'm after?

69 posts
Master Geek
# 2302916 21-Aug-2019 12:00

Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?

2824 posts
Uber Geek
Trusted
Lifetime subscriber
# 2302919 21-Aug-2019 12:01

I think you also have NAT / masquerade enabled on your "LAN" interface on your OpenVPN server.

So therefore iptables is mangling outbound traffic from the VPN tunnel to your network.

That's probably because you hadn't added a reverse route into the USG to route the OpenVPN network back via the OpenVPN router. ip_forwarding would also need to be enabled.

2306 posts
Uber Geek
Lifetime subscriber
# 2302922 21-Aug-2019 12:09

pomtom44:

Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?

In OpenVPN you define the tunnel network with, e.g.,

server 192.168.11.0 255.255.255.0

You then create a route in the router/firewall to point to 192.168.11.0 (via the address that OpenVPN listens on, the address of the linux box).
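The two replies above (BarTender's masquerade/ip_forward/return-route diagnosis and Spyware's tunnel network plus firewall route) describe three conditions that can be checked from the server's NAT table and the USG routing table. As an added example that is not from the thread, OpenVPN or Ubiquiti, this Python runs those checks over constructed sample output; the interface names, the 203.0.113.1 upstream address and the EdgeOS-style route command for the USG are assumptions.

```python
import ipaddress
import re

TUNNEL_NET = ipaddress.ip_network("192.168.11.0/24")   # from 'server 192.168.11.0 255.255.255.0'
VPN_SERVER_LAN_IP = ipaddress.ip_address("192.168.10.10")  # VPN server's LAN-side address
# Constructed `iptables -t nat -S POSTROUTING` sample; MASQUERADE hides clients behind .10.10
SAMPLE_NAT_RULES = """\
-A POSTROUTING -s 192.168.11.0/24 -o eth0 -j MASQUERADE
"""
# Constructed `ip route show` sample from the USG: no return route for the tunnel yet
SAMPLE_USG_ROUTES = """\
default via 203.0.113.1 dev eth0
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1
"""

def nat_hides_tunnel(nat_rules, tunnel_net=TUNNEL_NET):
    """True if a POSTROUTING rule rewrites source addresses from the tunnel."""
    for line in nat_rules.splitlines():
        if not line.startswith("-A POSTROUTING") or not re.search(r"-j (MASQUERADE|SNAT)\b", line):
            continue
        m = re.search(r"(?<!! )-s (\S+)", line)  # positive -s match only, ignore '! -s'
        if m is None:  # no source match: the rule covers the tunnel as well
            return True
        if ipaddress.ip_network(m.group(1), strict=False).overlaps(tunnel_net):
            return True
    return False

def has_return_route(usg_routes, tunnel_net=TUNNEL_NET, via=VPN_SERVER_LAN_IP):
    """True if the firewall routes the tunnel network back via the VPN server."""
    for line in usg_routes.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "via" or parts[0] == "default":
            continue
        if (ipaddress.ip_network(parts[0], strict=False) == tunnel_net
                and ipaddress.ip_address(parts[2]) == via):
            return True
    return False

def diagnose(nat_rules, usg_routes, ip_forward):
    """Return the fixes still needed before the USG sees per-client tunnel IPs."""
    fixes = []
    if nat_hides_tunnel(nat_rules):
        fixes.append("VPN server: remove MASQUERADE/SNAT for %s" % TUNNEL_NET)
    if ip_forward != 1:  # value of /proc/sys/net/ipv4/ip_forward on the VPN server
        fixes.append("VPN server: sysctl -w net.ipv4.ip_forward=1")
    if not has_return_route(usg_routes):  # EdgeOS-style syntax, assumed for the USG CLI
        fixes.append("USG: set protocols static route %s next-hop %s" % (TUNNEL_NET, VPN_SERVER_LAN_IP))
    return fixes
```

With the sample input all three fixes are reported; once the MASQUERADE rule is gone, forwarding is on and the return route exists, `diagnose` returns an empty list.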




69 posts
Master Geek
# 2302923 21-Aug-2019 12:11

Spyware:

pomtom44:

Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?

In OpenVPN you define the tunnel network with, e.g.,

server 192.168.11.0 255.255.255.0

You then create a route in the router/firewall to point to 192.168.11.0 (via the address that OpenVPN listens on, the address of the linux box).

I still think you're misunderstanding my issue?
I don't see how setting routes on the firewall will change my routing issues on the OpenVPN server.

69 posts
Master Geek
# 2302926 21-Aug-2019 12:12

BarTender:

I think you also have NAT / masquerade enabled on your "LAN" interface on your OpenVPN server.

So therefore iptables is mangling outbound traffic from the VPN tunnel to your network.

That's probably because you hadn't added a reverse route into the USG to route the OpenVPN network back via the OpenVPN router. ip_forwarding would also need to be enabled.

I'll give that a try and see what happens.


2306 posts
Uber Geek
Lifetime subscriber
# 2302927 21-Aug-2019 12:15
One person supports this post

OpenVPN has no issue. The problem is simply to do with being able to route between networks: without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

69 posts
Master Geek
# 2302930 21-Aug-2019 12:23

Spyware:

OpenVPN has no issue. The problem is simply to do with being able to route between networks: without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

So the fact that the traffic from my client is showing the OpenVPN server's IP address is a problem with my firewall and not the OpenVPN server?
Sorry but that doesn't sound right to me?

69 posts
Master Geek
# 2302932 21-Aug-2019 12:27

Spyware:

OpenVPN has no issue. The problem is simply to do with being able to route between networks: without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

Connect phone to VPN, connects fine with IP 192.168.11.101.
Browse to Google, loads fine.
Look at firewall logs, sees traffic from 192.168.10.10 going to Google.

Connect laptop to VPN, connects fine with IP 192.168.11.102.
Browse to Google, loads fine.
Look at firewall logs, sees traffic from 192.168.10.10 going to Google.

I don't see how that's an issue with the routing on the firewall?
To me that's an issue with the fact OpenVPN does internal routing between the VPN clients and the LAN interface.

