89 posts

Master Geek


  #2302826 21-Aug-2019 10:51
BarTender:

pomtom44: That's exactly what I said, isn't it?

I want to run in TAP mode so the traffic on the LAN uses the client's IP, so then I can use my current firewall to do my traffic management, like I do for my current VLANs and devices.

I can't do that in TUN mode as my firewall only sees the internal IP of my VPN server and not the client IP that's connecting.

The firewall will see the IP addresses allocated in TUN mode so you can apply traffic management. It is just that the traffic will come from a different subnet rather than your current LAN subnet.

So in TAP mode you would have:

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50 and VPN IP addresses 192.168.1.200-192.168.1.210

Or something like that. The issue is that the client to dish out the IPs is a lot more complicated.

In TUN mode you would have:

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50

Then you would also have a network route on the Firewall for 192.168.2.0/24 via 192.168.1.2

OpenVPN would have the TUN interface on 192.168.2.1 and hand out IP addresses on 192.168.2.10-50 or whatever, and you would run Avahi on the OpenVPN Server as it would be a router.

Then the firewall would need to apply policy to 192.168.1.0/24 and 192.168.2.0/24 based on the traffic management you require.

This is what I have currently:

Internet ---> Router/Firewall ---> 192.168.10.0 network ---> 192.168.10.10 (VPN Server)

If I run in TUN mode I have my OpenVPN server set to hand out 192.168.10.100-200.
The traffic I see on my router/firewall all comes from 192.168.10.10 due to the routing happening on the OpenVPN server.

EG
I connect my phone, it gets 192.168.10.101.
I browse the web; my firewall sees the traffic from 10.10, not 10.101.
So I can't put client-level filtering in place on the firewall.



2435 posts

Uber Geek

Lifetime subscriber

  #2302830 21-Aug-2019 10:56
One person supports this post
Invent another network for your OpenVPN tunnels and add a route to it on the firewall. All done.


89 posts

Master Geek


  #2302838 21-Aug-2019 11:03
Spyware:

Invent another network for your OpenVPN tunnels and add a route to it on the firewall. All done.

I don't see how to do that though.

I'll put a post up in a sec with my current network and what I'm wanting / what I'm getting.


89 posts

Master Geek


  #2302841 21-Aug-2019 11:10
My current setup:

Internet ----> Router ---> VLANs

VLAN 1: General
VLAN 2: Security
VLAN 3: Servers
VLAN 4: VPN

What I have currently is firewall rules on my router (USG) to prevent cross-VLAN talk,
so people on General can't access my Security or Servers network.

Then I allow certain devices certain access through IP-based firewall rules.

EG my PC can access the whole Security network so I can log in to cameras and change settings.
My wife's PC can only access the web panel for the security server so she can view recordings (IP:Port filtering).
Anyone can access the web server on the Servers network (IP and Port 80/443), etc.

I have my VPN server set up on the VPN VLAN
192.168.10.0/24
Server 192.168.10.10

I want a way so when I log in to the VPN from outside the network on, say, my phone, it gets the IP 192.168.10.101
or 192.168.11.101 (depending on whether you can use the same network for both sides of the server or not).

I have that working through TUN mode, and I can get internet.

However, my firewall only sees the VPN traffic as 192.168.10.10, the LAN side of the VPN server.
So I can't apply my IP-based firewall rules to individual clients as ALL the traffic coming in is showing as 10.10.

My understanding is TAP mode should fix this, but Android doesn't support TAP (unless I pay the subscription for that app, which I'm trying to avoid).

So how do I get around this issue?

I can either map a VPN IP to an internal IP and do routing on the VPN server for each device,
I can find a way to pass through the IP address correctly,
or the last resort, just do my firewall rules on the VPN server and leave it at that (which I want to try to avoid so my rules are all in the one place).


2435 posts

Uber Geek

Lifetime subscriber

  #2302845 21-Aug-2019 11:17
Create a UNIQUE network for the tunnels, i.e., on a different network to the VPN server (and different to your other networks). Add a route to the tunnel network to your firewall.


89 posts

Master Geek


  #2302847 21-Aug-2019 11:20
Spyware:

Create a UNIQUE network for the tunnels, i.e., on a different network to the VPN server (and different to your other networks). Add a route to the tunnel network to your firewall.

I have done that.
I have set the VPN LAN to 192.168.10.10 and the VPN client network to 192.168.11.0/24 but still get the 10.10 address on the firewall.

How / where do I set the route rules? As that may be what I'm after?


89 posts

Master Geek


  #2302916 21-Aug-2019 12:00
Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?


2977 posts

Uber Geek

Trusted
Lifetime subscriber

  #2302919 21-Aug-2019 12:01
I think you also have NAT / masquerade enabled on your "LAN" interface on your OpenVPN server.

So therefore iptables is mangling outbound traffic from the VPN tunnel to your network.

That's probably because you hadn't added a reverse route into the USG to route the OpenVPN network back via the OpenVPN router. ip_forwarding would also need to be enabled.


2435 posts

Uber Geek

Lifetime subscriber

  #2302922 21-Aug-2019 12:09
pomtom44:

Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?

In OpenVPN you define the tunnel network with, e.g.,

server 192.168.11.0 255.255.255.0

You then create a route in the router/firewall to point to 192.168.11.0 (via the address that OpenVPN listens on, the address of the linux box).
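An added example, not from any poster in this thread, that turns BarTender's diagnosis (NAT/masquerade on the server's LAN interface) and Spyware's advice above (a distinct tunnel network plus a return route on the router) into a check and a change set run from the OpenVPN server. The addresses are the thread's own (LAN 192.168.10.0/24, server 192.168.10.10, tunnel 192.168.11.0/24); the LAN interface name `eth0`, the script name and the USG command syntax are assumptions.

```shell
#!/bin/sh
# Added example, not from the Geekzone thread. Addresses are the thread's:
# LAN 192.168.10.0/24, OpenVPN server 192.168.10.10, tunnel 192.168.11.0/24.
# The LAN interface name and the USG CLI syntax are assumptions.

LAN_IF="${LAN_IF:-eth0}"
TUN_NET="${TUN_NET:-192.168.11.0/24}"
VPN_SERVER_LAN_IP="${VPN_SERVER_LAN_IP:-192.168.10.10}"

# has_masquerade: reads `iptables -t nat -S POSTROUTING` output on stdin and
# succeeds (exit 0) if a MASQUERADE or SNAT rule applies to traffic leaving the
# LAN interface. That rule rewrites every tunnel client's source address to the
# server's own LAN address, so the upstream firewall logs 192.168.10.10 for all
# VPN clients and per-client rules there can never match.
has_masquerade() {
    grep -qE -- "-o $LAN_IF .*-j (MASQUERADE|SNAT)"
}

# nat_check: live check on the OpenVPN server (needs root to read the nat table).
nat_check() {
    if iptables -t nat -S POSTROUTING 2>/dev/null | has_masquerade; then
        echo "NAT on $LAN_IF: VPN clients appear to the firewall as $VPN_SERVER_LAN_IP"
        return 1
    fi
    echo "no NAT on $LAN_IF: client addresses in $TUN_NET reach the firewall unchanged"
}

# fix_commands: prints, rather than runs, the change set. Removing the NAT rule
# is only half of it: without the return route on the router, replies addressed
# to 192.168.11.x follow the router's default route and never reach the tunnel,
# which is the "no routing can occur" point made in the thread.
fix_commands() {
    cat <<EOF
# --- on the OpenVPN server (Linux): forward, do not NAT ---
iptables -t nat -D POSTROUTING -s $TUN_NET -o $LAN_IF -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
# --- on the USG (EdgeOS-style CLI, syntax assumed): return route for the tunnel ---
configure
set protocols static route $TUN_NET next-hop $VPN_SERVER_LAN_IP
commit
save
exit
EOF
}

# Usage on the server:  sh vpn-nat-check.sh --run   (checks, then prints the fix if NAT is on)
if [ "${1:-}" = "--run" ]; then
    nat_check || fix_commands
fi
```

Once the masquerade rule is gone and the USG has the 192.168.11.0/24 route, the firewall logs show 192.168.11.101 and 192.168.11.102 as sources, so the existing per-device IP rules on the USG apply to VPN clients exactly as they do to VLAN devices. The `-D` line assumes the NAT rule was written with those exact match options; check `iptables -t nat -S POSTROUTING` first if it was added differently.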




89 posts

Master Geek


  #2302923 21-Aug-2019 12:11
Spyware:

pomtom44:

Spyware:

https://community.ui.com/questions/static-routing-thru-CLI/2e5351cc-64af-4162-975f-5583281f8ba2

That's set on the firewall though?

I don't see how that helps with the OpenVPN routing issues?

In OpenVPN you define the tunnel network with, e.g.,

server 192.168.11.0 255.255.255.0

You then create a route in the router/firewall to point to 192.168.11.0 (via the address that OpenVPN listens on, the address of the linux box).

I still think you're misunderstanding my issue?
I don't see how setting routes on the firewall will change my routing issues on the OpenVPN server.


89 posts

Master Geek


  #2302926 21-Aug-2019 12:12
BarTender:

I think you also have NAT / masquerade enabled on your "LAN" interface on your OpenVPN server.

So therefore iptables is mangling outbound traffic from the VPN tunnel to your network.

That's probably because you hadn't added a reverse route into the USG to route the OpenVPN network back via the OpenVPN router. ip_forwarding would also need to be enabled.

I'll give that a try and see what happens.


2435 posts

Uber Geek

Lifetime subscriber

  #2302927 21-Aug-2019 12:15
One person supports this post
OpenVPN has no issue. The problem is simply to do with being able to route between networks: without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.


89 posts

Master Geek


  #2302930 21-Aug-2019 12:23
Spyware:

OpenVPN has no issue. The problem is simply to do with being able to route between networks: without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

So the fact that the traffic from my client is showing the OpenVPN server's IP address is a problem with my firewall and not the OpenVPN server?
Sorry, but that doesn't sound right to me?


89 posts

Master Geek


  #2302932 21-Aug-2019 12:27
Spyware:

OpenVPN has no issue. The problem is simply to do with being able to route between networks: without a return route on the firewall no routing can occur between the tunnel and your other networks, that simple.

Connect phone to VPN, connects fine with IP 192.168.11.101.
Browse to Google, loads fine.
Look at firewall logs, sees traffic from 192.168.10.10 going to Google.

Connect laptop to VPN, connects fine with IP 192.168.11.102.
Browse to Google, loads fine.
Look at firewall logs, sees traffic from 192.168.10.10 going to Google.

I don't see how that's an issue with the routing on the firewall?
To me that's an issue with the fact OpenVPN does internal routing between the VPN clients and the LAN interface.

