I’m trying to set up an IPsec / xl2tpd VPN for our office, and I’m having some problems accessing the remote local machines after connecting to the VPN.
I can connect, and I can browse Internet sites through the VPN, but as said, I’m unable to connect to or even ping the local ones.
My network setup is something like this:
INTERNET > eth0 > ROUTER / VPN > eth2 > LAN
These are some traceroutes behind the VPN:
traceroute to google.com (173.194.78.94), 64 hops max, 52 byte packets
1 192.168.1.80 (192.168.1.80) 74.738 ms 71.476 ms 70.123 ms
2 10.35.192.1 (10.35.192.1) 77.832 ms 77.578 ms 77.865 ms
3 10.47.243.137 (10.47.243.137) 78.837 ms 85.409 ms 76.032 ms
4 10.47.242.129 (10.47.242.129) 78.069 ms 80.054 ms 77.778 ms
5 10.254.4.2 (10.254.4.2) 86.174 ms
10.254.4.6 (10.254.4.6) 85.687 ms
10.254.4.2 (10.254.4.2) 85.664 ms
traceroute to 192.168.1.3 (192.168.1.3), 64 hops max, 52 byte packets
1 * * *
2 *traceroute: sendto: No route to host
traceroute: wrote 192.168.1.3 52 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote 192.168.1.3 52 chars, ret=-1
*
traceroute: sendto: Host is down
3 traceroute: wrote 192.168.1.3 52 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote 192.168.1.3 52 chars, ret=-1
These are my iptables rules:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow lan to router traffic
iptables -A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT
# ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# vpn
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
# dns
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
# logging
iptables -I INPUT 5 -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7
# block all other traffic
iptables -A INPUT -j DROP
And here are some firewall log lines:
Dec 6 11:11:57 router kernel: [8725820.003323] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=62174 PROTO=UDP SPT=61910 DPT=53 LEN=40
Dec 6 11:12:29 router kernel: [8725852.035826] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=15344 PROTO=UDP SPT=56329 DPT=8612 LEN=24
Dec 6 11:12:36 router kernel: [8725859.121606] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11767 PROTO=UDP SPT=63962 DPT=8612 LEN=24
Dec 6 11:12:44 router kernel: [8725866.203656] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11679 PROTO=UDP SPT=57101 DPT=8612 LEN=24
Dec 6 11:12:51 router kernel: [8725873.285979] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=39165 PROTO=UDP SPT=62625 DPT=8612 LEN=24
I’m pretty sure that the problem is related to iptables, but after trying a lot of different configurations, I was unable to find the right one.
Any help will be greatly appreciated ;). Kind regards, Simon.
EDIT:
This is my route table:
default 62.43.193.33.st 0.0.0.0 UG 100 0 0 eth0
62.43.193.32 * 255.255.255.224 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
192.168.1.81 * 255.255.255.255 UH 0 0 0 ppp0
Best Answer
You are very likely having the exact same issue as this post
Your situation is as follows:
The VPN client can reach the VPN server and tunnel through the VPN to the internet, but cannot reach the server LAN nor any other VPN client's IP.
Tunneling to the internet works because you have the iptables NAT rule. For the rest, you need to apply the following ON THE VPN SERVER:
Enable TCP/IP forwarding
The Linux TCP/IP stack by default does not forward packets (either between interfaces or re-routing them between IP networks). It has to be enabled.
Without that, the VPN server will accept VPN client packets locally, and route client packets according to the NAT rule, but will not route traffic to the local network.
Iptables
Iptables blocks all traffic by default. You need rules to allow traffic to get through (forward).
PS: Each VPN connection is an individual (virtual) interface (NIC); to allow packets to flow/route between them, you need FORWARD rules in iptables.
/etc/l2tpd.conf
When VPN clients need to talk to each other, the VPN server is acting as a routing point and needs to be on the same network.
Modify the above according to your network setup. If your VPN server has a 192.168.1.x IP, use it for the "local ip".
Modified Iptables script
Be very careful if you don't have physical access to the vpn server.
(This script will need anti-spoofing on the WAN interface, but let's focus on getting traffic from the VPN to the LAN first.)
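As an added example (my own, not from the question or the answer), this sh script applies the answer's steps to the interface names from the question and prints the commands instead of running them when DRY_RUN=1. The ppp+ wildcard for the client interfaces and the 192.168.1.0/24 LAN are assumptions taken from the question's route table and logs.

```shell
#!/bin/sh
# Added example, not from the question or the answer: a dry-run-capable script
# applying the answer's server-side fixes to the question's setup.
# Assumed from the question: WAN=eth0, LAN=eth2, VPN clients on ppp* interfaces
# with 192.168.1.x addresses. Override via environment if your names differ.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth2}
VPN_IF=${VPN_IF:-ppp+}          # iptables wildcard matching ppp0, ppp1, ...
LAN_NET=${LAN_NET:-192.168.1.0/24}

# With DRY_RUN=1 the commands are printed instead of executed, so the rule set
# can be reviewed before touching a box you have no physical access to.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: the kernel does not forward between interfaces until this is set.
enable_forwarding() {
    run_cmd sysctl -w net.ipv4.ip_forward=1
}

# Step 2: the FORWARD chain decides what may cross between ppp*, eth2 and eth0.
# Only the VPN<->LAN, VPN<->VPN and VPN->internet paths are opened; nothing
# arriving from the WAN side is forwarded in.
vpn_forward_rules() {
    run_cmd iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run_cmd iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    run_cmd iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    run_cmd iptables -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -j ACCEPT
    run_cmd iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -j ACCEPT
    run_cmd iptables -A FORWARD -m limit --limit 1/min -j LOG --log-prefix "fwd denied: "
    run_cmd iptables -A FORWARD -j DROP
}

# Step 3: packets from VPN clients to the router itself (OUT= is empty in the
# question's log, so they went through INPUT) only match the LAN rule on eth2.
# Note that "-I INPUT 5" in the question's script puts LOG before the VPN and
# DNS ACCEPT rules, so accepted packets are logged as "denied"; these three
# lines replace the logging and DROP lines of that script, with LOG last.
vpn_input_rules() {
    run_cmd iptables -A INPUT -i "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    run_cmd iptables -A INPUT -m limit --limit 1/min -j LOG --log-prefix "iptables denied: "
    run_cmd iptables -A INPUT -j DROP
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding && vpn_forward_rules && vpn_input_rules
fi
```

Run it as `DRY_RUN=1 sh vpn-forward.sh apply` first to review the generated rules, then without DRY_RUN once they look right.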