Openvpn ping to lan clients

vpn

I would need help in this case:

I have a tap0 interface at my openvpn server with ip 10.22.8.1

My eth0 interface is 192.168.1.155


Route tables:

Destination     Gateway         Netmask         Iface
192.168.1.0     0.0.0.0         255.255.255.0   eth0
10.22.8.0       10.22.8.1       255.255.255.0   tap0
0.0.0.0         192.168.1.10    0.0.0.0         eth0


With the following rules I can ping from my lan to the vpn clients:

iptables -v -t nat -A PREROUTING -i eth0 -d 192.168.10.0/24 -j NETMAP --to 10.22.8.0/24

iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

I have a route for 192.168.10.0 on the LAN client pointing to my VPN server.
Tcpdump shows that the packets are redirected from eth0 to tap0, and the NETMAP works.


But when I try the opposite, I cannot ping from the VPN clients to my LAN:

iptables -v -t nat -A PREROUTING -i tap0 -d 10.22.8.0/24 -j NETMAP --to 192.168.1.0/24

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Tcpdump shows that the packets reach tap0 but do not go out on eth0. It is as if the NETMAP rule does not work.


Could you help me?
What am I doing wrong?

Best Answer

You're doing it wrong.

1st - use layer 3 connections instead of layer 2 for the VPN. Saves traffic.

2nd - use brouting to get the trick done with proxy ARP and assign IP addresses from the local subnet to the VPN clients, so they just appear as if they're local.

3rd - or use routing and set the route to the clients in the 10.22.8/24 subnet on all systems in the 192.168.1.0/network, OR just use the VPN system as the default gateway to avoid routing problems...

Using brouting:

  • Enable proxy_arp on the Linux router: echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
  • Add the route of the subnet to eth0 if it hasn't happened automagically
  • Add the route of a subnet of the local subnet to the tun device from OpenVPN.

    Let's say we're going to use the last 16 IP addresses for the hosts on the VPN (192.168.1.240 - 192.168.1.255); that means we have a 28-bit subnet, 192.168.1.240/28. Create the tun device statically (openvpn --mktun) and then add the route for the VPN subnet to the device: ip route add 192.168.1.240/28 dev tun0

After this, and after enabling IP forwarding and proxy ARP, the Linux system will "broute" all requests from the local clients to the clients at the VPN end and vice versa.

And you have a layer 3 VPN (faster, less traffic) with layer 2 connectivity and fully transparent access to all systems.

Filtering and everything else can be done via iptables.

KR,

Gromit
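The proxy-ARP ("brouting") steps from the answer above, scripted as an added example that is not part of the original answer. It assumes the names used in the thread: the LAN on eth0 (192.168.1.0/24), OpenVPN on a persistent tun0, and the VPN client pool 192.168.1.240/28; "plan" only prints the commands, "apply" executes them.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed names:
# LAN on eth0 = 192.168.1.0/24, OpenVPN on tun0, VPN pool = last /28 of the LAN.
LAN_IF=eth0
VPN_IF=tun0
VPN_POOL=192.168.1.240/28

# Every step goes through this helper: in "plan" mode it only prints the
# command (a safe dry run that needs no root); in "apply" mode it also runs it.
step() {
  echo "$*"
  if [ "$MODE" = apply ]; then "$@"; fi
}

brouting_setup() {
  MODE=${1:-plan}
  # Forward packets between the LAN and the tunnel.
  step sysctl -w net.ipv4.ip_forward=1
  # Answer ARP on the LAN for the VPN addresses, so LAN hosts treat
  # 192.168.1.240-255 as directly attached. Set it globally and on eth0.
  step sysctl -w net.ipv4.conf.all.proxy_arp=1
  step sysctl -w "net.ipv4.conf.$LAN_IF.proxy_arp=1"
  # Persistent tun device, so the route can exist before openvpn starts.
  step openvpn --mktun --dev "$VPN_IF"
  step ip link set "$VPN_IF" up
  # The /28 toward tun0 is more specific than the /24 on eth0, so longest
  # prefix match sends only the VPN pool into the tunnel.
  step ip route add "$VPN_POOL" dev "$VPN_IF"
}

# Number of commands in the plan, for a quick sanity check before applying.
plan_steps() { brouting_setup plan | wc -l | tr -d ' '; }
```

Run `brouting_setup plan` first to review the commands, then `brouting_setup apply` as root; the sysctl changes are not persistent across reboots unless also written to /etc/sysctl.conf.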