OpenVPN Client to OpenVPN Server NAT

Issues related to configuring your network
Post Reply
meluvalli
Posts: 12
Joined: 2019/08/09 20:59:14

OpenVPN Client to OpenVPN Server NAT

Post by meluvalli » 2019/08/15 09:54:05

Hello.

I am wanting to allow someone from Site B's WAN access something on Site A's network. I am not sure how to configure the server Side of OpenVPN to allow this.

Example:
Site B External IP: 20.0.0.100
Site B Internal Network 10.0.0.1/24

Site A Internal Network 10.2.0.1/24

So, if someone tries to access for example http://20.0.0.100 it would return a webpage on 10.2.0.20.

I already have Site B NAT firewall open to redirect to 10.2.0.20, but for some reason it never gets to it.

From Site B, I can access 10.2.0.20 directly.

I have the VPN tunnel in Trusted zone.

Any thoughts? I have a feeling it is an issue with the Site A's side not knowing how to return the traffic back through the VPN. (But I'm not 100% sure of this)

meluvalli
Posts: 12
Joined: 2019/08/09 20:59:14

Re: OpenVPN Client to OpenVPN Server NAT

Post by meluvalli » 2019/08/15 10:04:40

I have confirmed that the OpenVPN Server sees the connection with TCPdump, but my client on Site A doesn't respond... So it appears I'm correct on my thinking that the client doesn't know to go back through the VPN to reply to the connection!

I assume I need some kinda firewall rule to return the traffic back through the VPN?

TCPDump on VPN interface:

Code: Select all

05:11:51.469921 IP mobile-107-74-209-15.mobile.att.net.49349 > 10.2.0.20.http: Flags [SEW], seq 3212455358, win 14400, options [mss 1335,sackOK,TS val 236314729 ecr 0,nop,wscale 8], length 0

meluvalli
Posts: 12
Joined: 2019/08/09 20:59:14

Re: OpenVPN Client to OpenVPN Server NAT

Post by meluvalli » 2019/08/16 08:37:32

Well... I found a site that says to do this:

add ovpns1-route to /etc/iproute2/rt_tables

then run the following commands:

Code: Select all

# Populate secondary routing table
ip route add default via 192.168.2.1 dev ovpns1 table ovpns-route
# Anything with this fwmark will use the secondary routing table
ip rule add fwmark 0x1 table ovpns-route
# Mark these packets so that iproute can route it through ovpns-route
iptables -A OUTPUT -t mangle -o eth1 -p tcp --dport 80 -j MARK --set-mark 1
# now rewrite the src-addr
iptables -A POSTROUTING -t nat -o wlan0 -p tcp --dport 80 -j SNAT --to 192.168.2.1

However, I can't get it to work with this. So, I tried adding the rules in direct.xml like below:

Code: Select all

  <rule priority="0" table="mangle" ipv="ipv4" chain="OUTPUT">-o eth1 -p tcp --dport 80 -j MARK --set-mark 1</rule>
  <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">-o ovpns1 -p tcp --dport 80 -j SNAT --to 192.168.2.1</rule>
But still no joy :(....

eth1 is my WAN side. I tried same thing with eth0 (LAN Side), but still didn't work.

My VPNs interface is ovpns1

still at ground zero on this :(

Post Reply

Return to “CentOS 7 - Networking Support”