[Firewall] NAT, OpenVPN client, and Arno fw
mike at kleinnet.com
Sun Apr 9 01:56:10 CEST 2017
Hello all, I have been running Arno’s FW on a Linux gateway/router with NAT for over a decade now. It’s currently running Debian 8. No problems.
Recently I have been trying to configure the system to be an OpenVPN client, so that all outgoing (WAN) traffic from the LAN clients is sent through the VPN while LAN-internal traffic is not affected. Connections to the external interface should be protected by the firewall as before. Bottom line: the gateway should redirect all outgoing traffic from the LAN through the VPN, but change nothing else.
I have the .ovpn file from the VPN provider, and the tunnel is set up without error. A variety of options are pushed from the VPN server as listed below. At the moment I can only ping external IP addresses from the gateway itself, but DNS lookups do not work, and no LAN client traffic is forwarded correctly.
tcpdump shows outgoing packets on tun0, but none coming in (except for the ICMP ping responses to the gateway itself), therefore I suspect a firewall problem.
I have tried numerous hints from various sources, including the suggestions in Lonnie’s post here, http://rocky.eld.leidenuniv.nl/pipermail/firewall/2013-June/002351.html, but there seems to be no change in behavior.
As an example, when the gateway connects to the VPN server, the following options are pushed:
dhcp-options DNS 10.95.0.1
ifconfig 10.95.3.210 10.95.3.209
The resulting routing table looks like this (my ISP’s gateway is X’d out and VPN provider’s server is Y’d out):
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
0.0.0.0         10.95.3.109     184.108.40.206   UG    0      0        0 tun0
0.0.0.0         XX.XXX.XX.XX    0.0.0.0          UG    0      0        0 eth1
10.95.0.1       10.95.3.109     255.255.255.255  UGH   0      0        0 tun0
10.95.3.109     0.0.0.0         255.255.255.255  UH    0      0        0 tun0
YY.YY.YYY.YYY   XX.XXX.XX.XX    255.255.255.255  UGH   0      0        0 eth1
XX.XXX.XX.XX    0.0.0.0         255.255.255.252  U     0      0        0 eth1
220.127.116.11  10.95.3.109     18.104.22.168    UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0    U     0      0        0 eth0
WAN interface is eth1, LAN 192.168.0.0/24 is eth0.
So far, VPN network IP addresses have varied all over the 10.x.x.x range.
I have attempted to modify firewall.conf with the following:
I have also opened up the OpenVPN port used by the server (it’s not 1194).
Are there any hints on what should be done to get this working?
Thanks for any help,
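The following is an added example, not code from the original post and not part of Arno's firewall. It shows the policy-routing approach to the requirement stated above ("LAN traffic out through the VPN, nothing else changed"): instead of letting the pushed redirect-gateway rewrite the gateway's own main routing table, the LAN subnet is steered into a separate routing table whose default route is the tunnel, LAN addresses are masqueraded behind the tunnel address, and forwarding from the LAN to tun0 is allowed. Interface names and the LAN subnet are taken from the post; the VPN peer address 10.95.3.209 is read off the pushed "ifconfig" line; the routing table number, the rule priorities, and the assumption that the existing NAT only masquerades on the WAN interface are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from Arno's firewall.
# Goal: LAN (eth0, 192.168.0.0/24) reaches the Internet only via tun0;
# the gateway's own traffic and LAN-internal traffic are unchanged.
# Assumptions (labelled): VPN_GW is the peer address from the pushed
# "ifconfig 10.95.3.210 10.95.3.209"; table 100 and the rule priorities are
# arbitrary choices; the existing NAT only masquerades on the WAN interface.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
VPN_IF=${VPN_IF:-tun0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
VPN_GW=${VPN_GW:-10.95.3.209}
VPN_DNS=${VPN_DNS:-10.95.0.1}
VPN_TABLE=${VPN_TABLE:-100}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit (or apply) the policy-routing and firewall rules. Run after the tunnel
# is up, e.g. from an OpenVPN --up script, with the client config using
# route-nopull so the pushed redirect-gateway never touches the main table.
vpn_policy_rules() {
    # Dedicated table: default via the tunnel, plus the pushed DNS server.
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
    run ip route replace "$VPN_DNS/32" via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
    # LAN-to-LAN (and LAN-to-gateway) traffic stays on the main table ...
    run ip rule add from "$LAN_NET" to "$LAN_NET" lookup main priority 999
    # ... everything else sourced from the LAN is looked up in the VPN table.
    run ip rule add from "$LAN_NET" lookup "$VPN_TABLE" priority 1000
    # The provider will not route 192.168.0.0/24 back to us: masquerade
    # behind the tunnel address, not only behind the WAN interface.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    # Forward LAN -> tunnel, and the replies coming back in.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Kill switch: if tun0 goes down, LAN traffic must not fall back to eth1.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j REJECT
}

# Check: does a "route -n" listing (on stdin) contain OpenVPN's
# redirect-gateway "def1" halves (genmask 128.0.0.0) on the given interface?
# That is the sign that the gateway itself has been redirected into the VPN.
# Returns 0 if found, 1 if not.
def1_active() {
    awk -v ifc="$1" '$3 == "128.0.0.0" && $NF == ifc { found = 1 } END { exit !found }'
}

# Usage: sh vpn-policy.sh        -> print the rules (dry run)
#        sh vpn-policy.sh apply  -> apply them (root)
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
vpn_policy_rules
```

Two practical notes. On OpenVPN 2.3 (the version in Debian 8) put route-nopull in the client .ovpn so the pushed routes are not installed at all and call this script from an --up hook, where OpenVPN exports the peer address as ifconfig_remote (VPN_GW="$ifconfig_remote"); OpenVPN 2.4 and later can instead keep the other pushed options and drop only the redirect with pull-filter ignore "redirect-gateway". And with Arno's firewall the iptables lines belong in its local custom-rules mechanism rather than a stand-alone script, otherwise a firewall restart will flush them while the ip rule entries stay in place and the kill-switch REJECT disappears.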