[Firewall] NAT, OpenVPN client, and Arno fw

Mike Klein mike at kleinnet.com
Sun Apr 9 01:56:10 CEST 2017


Hello all, I have been running Arno’s FW on a Linux gateway/router with NAT for over a decade now.  It’s currently running Debian 8. No problems.

Recently I have been trying to configure the system to be an OpenVPN client whose outgoing (WAN) traffic from the LAN clients should be fully sent through the VPN, but all LAN traffic should not be affected. Connections to the external interface should be protected by the firewall as before.  Bottom line: the gateway should redirect all outgoing traffic from the LAN through the VPN, but change nothing else.

I have the .ovpn file from the VPN provider, and the tunnel is set up without error.  A variety of options are pushed from the VPN server as listed below.  At the moment I can only ping external IP addresses from the gateway itself, but DNS lookups do not work, and no LAN client traffic is forwarded correctly.

tcpdump shows outgoing packets on tun0, but none coming in (except for the ICMP ping responses to the gateway itself), therefore I suspect a firewall problem.

I have tried numerous hints from various sources, including the suggestions in Lonnie’s post here, http://rocky.eld.leidenuniv.nl/pipermail/firewall/2013-June/002351.html, but there seems to be no change in behavior.

As an example, when the gateway connects to the VPN server, the following options are pushed:
	redirect-gateway def1
	dhcp-options DNS 10.95.0.1
	route 10.95.0.1
	topology net30
	ping 10
	ping-restart 60
	ifconfig 10.95.3.210 10.95.3.209

The resulting routing table looks like this (my ISP’s gateway is X’d out and VPN provider’s server is Y’d out):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.95.3.109     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         XX.XXX.XX.XX    0.0.0.0         UG    0      0        0 eth1
10.95.0.1       10.95.3.109     255.255.255.255 UGH   0      0        0 tun0
10.95.3.109     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
YY.YY.YYY.YYY   XX.XXX.XX.XX    255.255.255.255 UGH   0      0        0 eth1
XX.XXX.XX.XX    0.0.0.0         255.255.255.252 U     0      0        0 eth1
128.0.0.0       10.95.3.109     128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

WAN interface is eth1, LAN 192.168.0.0/24 is eth0.

So far, VPN network IP addresses have varied all over the 10.x.x.x range.

I have attempted to modify firewall.conf with the following:

TRUSTED_IF="$INT_IF tun0"

IF_TRUSTS="$INT_IF tun0"

INTERNAL_NET="192.168.0.0/24 10.0.0.0/8"

I have also opened up the OpenVPN port used by the server (it’s not 1194).

Are there any hints on what should be done to get this working?

Thanks for any help,

		-Mike
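The following script is an added illustration and is not part of the original post, of Lonnie's reply, or of Arno's firewall project. It shows the three pieces a gateway needs for "LAN out through the tunnel, everything else untouched": the /32 pin of the VPN server on the physical uplink (so the def1 /1 routes cannot swallow the tunnel's own packets), source NAT on tun0 (the provider only routes replies to the 10.95.x.x tunnel address, not to 192.168.0.x, which matches the symptom of packets leaving tun0 and nothing coming back), and stateful FORWARD rules plus a kill switch so that LAN traffic does not fall back to the old eth1 path when the tunnel drops. It assumes the interface names and LAN range from the post; the server address 203.0.113.10 and ISP gateway 198.51.100.1 are documentation addresses made up for the example; placing it in /etc/arno-iptables-firewall/custom-rules (so it is reapplied after a firewall restart flushes the tables) is an assumption about the setup, as is the `apply`/`check` command interface.

```shell
#!/bin/sh
# Added example (not from the original post or from Arno's firewall).
# Assumptions: LAN 192.168.0.0/24 on eth0, WAN eth1, tunnel tun0 (from the
# post); NAT on eth1 is already done by Arno's firewall. VPN server address
# and ISP gateway are given as arguments (the values in the tests are
# constructed documentation addresses).
#   sh vpn-lan.sh apply <vpn-server-ip> <isp-gateway>     (as root)
#   route -n | sh vpn-lan.sh check <vpn-server-ip>
#   DRY_RUN=1 prints the commands instead of running them.
set -u

LAN_IF=eth0
WAN_IF=eth1
VPN_IF=tun0
LAN_NET=192.168.0.0/24

# Execute a command, or just print it when DRY_RUN=1 (no root needed to review).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Pin the VPN server to the physical uplink. redirect-gateway def1 installs
#    0.0.0.0/1 and 128.0.0.0/1 via tun0, which beat the /0 default; the /32 via
#    the ISP gateway keeps the tunnel's own UDP out of the tunnel. OpenVPN adds
#    this itself on connect; repeating it here makes it survive a firewall restart.
pin_vpn_server() {
  run ip route replace "$1/32" via "$2" dev "$WAN_IF"
}

# 2. Source-NAT LAN traffic leaving through the tunnel. Without this the VPN
#    server sees 192.168.0.x sources it has no route back to.
nat_lan_via_vpn() {
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

# 3. Stateful forwarding: LAN -> tunnel freely, tunnel -> LAN only for replies,
#    so nothing arriving over the VPN can open connections into the LAN.
#    -I puts the rules ahead of the firewall's own final drop; the rules do not
#    overlap (different out-interfaces), so insertion order does not matter.
forward_rules() {
  run iptables -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# 4. Kill switch: when tun0 goes down the def1 routes vanish and LAN traffic
#    would silently use the ISP path with the old eth1 NAT. Refuse that.
kill_switch() {
  run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j REJECT
}

apply_all() {
  pin_vpn_server "$1" "$2"
  nat_lan_via_vpn
  forward_rules
  kill_switch
}

# Sanity check of a `route -n` dump on stdin: both def1 halves must point at the
# tunnel and the VPN server must have a host route on the WAN interface.
# Prints "ok" and returns 0, or lists what is missing and returns 1.
check_routes() {
  awk -v vpn="$VPN_IF" -v wan="$WAN_IF" -v srv="$1" '
    $1 == "0.0.0.0"   && $3 == "128.0.0.0"       && $NF == vpn { lo = 1 }
    $1 == "128.0.0.0" && $3 == "128.0.0.0"       && $NF == vpn { hi = 1 }
    $1 == srv         && $3 == "255.255.255.255" && $NF == wan { pin = 1 }
    END {
      if (lo && hi && pin) { print "ok"; exit 0 }
      printf "missing:%s%s%s\n", lo ? "" : " low-half", hi ? "" : " high-half", pin ? "" : " server-pin"
      exit 1
    }'
}

case "${1:-}" in
  apply) apply_all "$2" "$3" ;;
  check) check_routes "$2" ;;
esac
```

Two things the script does not touch, which are worth checking separately: the pushed `dhcp-option DNS 10.95.0.1` is not applied on Linux unless an up/down script (such as the update-resolv-conf shipped with the openvpn package) writes it into the resolver configuration, so the gateway's own lookups keep going to the ISP's resolver, now via the tunnel, which the provider may well refuse; and after `apply` the kill-switch REJECT means LAN clients lose connectivity rather than leak when the tunnel is down, which is the intended behaviour but should be known before it happens.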