[Firewall] NAT, OpenVPN client, and Arno fw

Mike Klein mike at kleinnet.com
Sun Apr 9 01:56:10 CEST 2017

Hello all, I have been running Arno’s FW on a Linux gateway/router with NAT for over a decade now.  It’s currently running Debian 8. No problems.

Recently I have been trying to configure the system to be an OpenVPN client whose outgoing (WAN) traffic from the LAN clients should be fully sent through the VPN, but all LAN traffic should not be affected. Connections to the external interface should be protected by the firewall as before.  Bottom line: the gateway should redirect all outgoing traffic from the LAN through the VPN, but change nothing else.

I have the .ovpn file from the VPN provider, and the tunnel is set up without error.  A variety of options are pushed from the VPN server as listed below.  At the moment I can only ping external IP addresses from the gateway itself, but DNS lookups do not work, and no LAN client traffic is forwarded correctly.

tcpdump shows outgoing packets on tun0, but none coming in (except for the ICMP ping responses to the gateway itself), therefore I suspect a firewall problem.

I have tried numerous hints from various sources, including the suggestions in Lonnie’s post here, http://rocky.eld.leidenuniv.nl/pipermail/firewall/2013-June/002351.html, but there seems to be no change in behavior.

As an example, when the gateway connects to the VPN server, the following options are pushed:
	redirect-gateway def1
	dhcp-options DNS
	topology net30
	ping 10
	ping-restart 60

The resulting routing table looks like this (my ISP’s gateway is X’d out and VPN provider’s server is Y’d out):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 tun0
                XX.XXX.XX.XX                    UG    0      0        0 eth1
                                                UGH   0      0        0 tun0
                                                UH    0      0        0 tun0
YY.YY.YYY.YYY   XX.XXX.XX.XX                    UGH   0      0        0 eth1
XX.XXX.XX.XX                                    U     0      0        0 eth1
                                                UG    0      0        0 tun0
                                                U     0      0        0 eth0

WAN interface is eth1, LAN is eth0.

So far, VPN network IP addresses have varied all over the 10.x.x.x range.

I have attempted to modify firewall.conf with the following:

I have also opened up the OpenVPN port used by the server (it’s not 1194).

Are there any hints on what should be done to get this working?

Thanks for any help,
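An added route-lookup check (Python; not from the post and not part of Arno's firewall), using documentation-range addresses as stand-ins for the X'd and Y'd values: it shows which interface each destination leaves by once redirect-gateway def1 is in effect, and therefore which interface the LAN range must be masqueraded on.

```python
import ipaddress

# Constructed sample in `route -n` layout, mirroring the post's table; the ISP
# gateway (203.0.113.1), VPN server (198.51.100.10), tunnel (10.8.0.x) and LAN
# (192.168.1.0/24) are placeholder addresses, not the poster's real values.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0   0 tun0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0   0 eth1
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0   0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0   0 tun0
198.51.100.10   203.0.113.1     255.255.255.255 UGH   0      0   0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0   0 eth1
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0   0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0 eth0
"""

def parse_routes(text):
    """Turn `route -n` output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:
        dst, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        routes.append((net, gw, flags, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it; returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[3], best[1])

def has_def1_override(routes):
    """redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel.
    They beat the ISP's 0.0.0.0/0 by prefix length without replacing it, and
    the VPN server's own /32 host route via the ISP keeps the tunnel reachable."""
    halves = {str(net) for net, _, _, iface in routes
              if iface.startswith("tun") and net.prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}

def egress_ifaces(routes, probes):
    """Interfaces that carry LAN clients' packets to these destinations.
    Each of them needs source NAT for the LAN range: with def1 active that
    is tun0, not only the WAN interface, or replies never return to the LAN."""
    return sorted({lookup(routes, p)[0] for p in probes})
```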
