Iptables – Configure server to route all traffic through OpenVPN

Tags: iptables; nat; openvpn; routing

I have an openvpn setup that is working great. There are some 50 clients connected and everything is handy dandy. I need one of these clients to route all traffic through the vpn. I set up a ccd for that particular client and added the push "redirect-gateway def1" to it. The routing table seems to be updated in the client. I can access all the hosts in the vpn but can't access anything else outside the vpn. When tracerouting from the client, everything goes to the vpn gateway, but after that no further. I believe the culprit is the iptables configuration in the server.

This is the setup

  • I have an openvpn using the subnet 10.170.x.x with the vpn gateway at 10.170.0.1 (VPNGATEWAY)
  • I have a different subnet 10.171.x.x that gets its ip assigned via ccd records (this is the admin network and has 3 clients)
  • The client that I want to have all its traffic through the vpn is 10.171.0.1 (CLIENT)

From 10.171.0.1 (CLIENT) I can ping 10.170.0.1 (VPNGATEWAY). In fact I can ping all hosts in 10.170.x.x and 10.171.x.x. But I can't ping 8.8.8.8.

This is the iptables conf

There were a bunch of rules that I took out to make it simpler.

*filter
:INPUT DROP [1000:900000]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 127.0.0.1 -j ACCEPT 

# here were some rules accepting certain ports  22, 80, etc

-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 13 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 

# this is the client that needs internet thru the gateway
# i've tried to make as permissive as possible but still to no avail
-A INPUT -s 10.171.0.1 -j ACCEPT
-A FORWARD -s 10.171.0.1 -j ACCEPT

-A FORWARD -j REJECT --reject-with icmp-port-unreachable 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
COMMIT

I've additionally tried adding

iptables -t nat -A POSTROUTING -s 10.171.0.1 -o eth0 -j MASQUERADE

But it still doesn't work. Any ideas?

Best Answer

You have these two rules which permit your traffic. But these rules are probably not what you want, or at least not only what you want.

-A INPUT -s 10.171.0.1 -j ACCEPT
-A FORWARD -s 10.171.0.1 -j ACCEPT

Your firewall rule set seems to be designed to be stateful, but these two rules are stateless. You either need to add two rules to handle the traffic in the other direction, or add some state matching.
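The following is an added example, not part of the question or the answer above, showing what a stateful pair of FORWARD rules plus the NAT rule looks like for this one client. The client address 10.171.0.1 is taken from the question; the interface names eth0 (Internet side) and tun0 (OpenVPN side) are assumptions, as is the need to have net.ipv4.ip_forward enabled, which the question never mentions. The script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example; not the asker's or answerer's code.
# Assumed interface names (override via environment):
#   WAN_IF = Internet-facing interface of the VPN server
#   VPN_IF = OpenVPN tunnel interface
CLIENT="${CLIENT:-10.171.0.1}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"

# Print the commands that let exactly one VPN client reach the Internet
# through the server. The two FORWARD rules are inserted at positions 1
# and 2 so they land before the existing "-A FORWARD -j REJECT" rule.
vpn_client_rules() {
    cat <<EOF
# the kernel must be willing to forward between ${VPN_IF} and ${WAN_IF} at all
sysctl -w net.ipv4.ip_forward=1
# rewrite the client's source address to the server's ${WAN_IF} address
iptables -t nat -A POSTROUTING -s ${CLIENT}/32 -o ${WAN_IF} -j MASQUERADE
# stateful half of the pair: replies to connections the client opened
iptables -I FORWARD 1 -i ${WAN_IF} -o ${VPN_IF} -d ${CLIENT}/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
# new connections only from this client and only towards ${WAN_IF}
iptables -I FORWARD 2 -i ${VPN_IF} -o ${WAN_IF} -s ${CLIENT}/32 -m state --state NEW -j ACCEPT
EOF
}

# Print the matching delete commands so the change can be backed out.
# Only the iptables lines are turned into -D form; the sysctl line is dropped.
vpn_client_rules_undo() {
    vpn_client_rules \
        | grep '^iptables ' \
        | sed -e 's/ -I FORWARD [0-9]* / -D FORWARD /' \
              -e 's/ -A POSTROUTING / -D POSTROUTING /'
}

# Usage (as root, after reviewing the output):
#   sh this_script.sh            # prints the commands
#   sh this_script.sh | sh       # applies them
# Verify with: iptables -L FORWARD -v -n   (the packet counters on the two
# new rules should both increase while the client browses).
vpn_client_rules
```

Because conntrack reverses the MASQUERADE translation in PREROUTING, the reply packets already carry the client's 10.171.0.1 address by the time they reach the FORWARD chain, which is why the first rule can match on the destination. Once these rules are in place, the stateless "-A FORWARD -s 10.171.0.1 -j ACCEPT" line from the question is redundant and can be removed.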