[Firewall] NAT, OpenVPN client, and Arno fw

Lonnie Abelbeck lists at lonnie.abelbeck.com
Sun Apr 9 15:13:55 CEST 2017


Hi Mike,

It could be a firewall issue, or a missing route ... but it can be made to work :-)

Some random thoughts:

1) Use "traceroute -n google.com" on your Debian 8 router box to follow the path through the VPN.  Work ?

2) Use "traceroute -n google.com" off a LAN device to follow the path through the VPN.

3) Is your provider routing 192.168.0.0/24 back to you over OpenVPN ?  Often done on the server end via a "iroute 192.168.0.0 255.255.255.0" in a ccd file in "client-config-dir /etc/openvpn/ccd" (all on the server end).

4) In your firewall.conf (temporarily) set "FORWARD_DROP_LOG=1" to log any dropped forward packets, often a helpful clue if a firewall issue.

5) Personally I would not use TRUSTED_IF (though not your problem), I would use:
--
EXT_IF="eth1"
INT_IF="eth0 tun0"
INTERNAL_NET="192.168.0.0/24 10.0.0.0/8"
NAT_INTERNAL_NET="192.168.0.0/24"
NAT=1
IF_TRUSTS="eth0 tun0"
--
Also no need to open the OpenVPN port on the client side.

6) From the command line run "arno-iptables-firewall restart" to check for any errors.

7) Your original post shows double-quotes are the non-ASCII “ char not the ASCII " character, just make sure no non-ASCII quotes got copy-pasted into your firewall.conf .

Hope this helps.

Lonnie


On Apr 8, 2017, at 6:56 PM, Mike Klein <mike at kleinnet.com> wrote:

> Hello all, I have been running Arno’s FW on a Linux gateway/router with NAT for over a decade now.  It’s currently running Debian 8. No problems.
> 
> Recently I have been trying to configure the system to be an OpenVPN client whose outgoing (WAN) traffic from the LAN clients should be fully sent through the VPN, but all LAN traffic should not be affected. Connections to the external interface should be protected by the firewall as before.  Bottom line: the gateway should redirect all outgoing traffic from the LAN through the VPN, but change nothing else.
> 
> I have the .ovpn file from the VPN provider, and the tunnel is set up without error.  A variety of options are pushed from the VPN server as listed below.  At the moment I can only ping external IP addresses from the gateway itself, but DNS lookups do not work, and no LAN client traffic is forwarded correctly.
> 
> tcpdump shows outgoing packets on tun0, but none coming in (except for the ICMP ping responses to the gateway itself), therefore I suspect a firewall problem.
> 
> I have tried numerous hints from various sources, including the suggestions in Lonnie’s post here, http://rocky.eld.leidenuniv.nl/pipermail/firewall/2013-June/002351.html, but there seems to be no change in behavior.
> 
> As an example, when the gateway connects to the VPN server, the following options are pushed:
> 	redirect-gateway def1
> 	dhcp-options DNS 10.95.0.1
> 	route 10.95.0.1
> 	topology net30
> 	ping 10
> 	ping-restart 60
> 	ifconfig 10.95.3.210 10.95.3.209
> 
> The resulting routing table looks like this (my ISP’s gateway is X’d out and VPN provider’s server is Y’d out):
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         10.95.3.109     128.0.0.0       UG    0      0        0 tun0
> 0.0.0.0         XX.XXX.XX.XX    0.0.0.0         UG    0      0        0 eth1
> 10.95.0.1       10.95.3.109     255.255.255.255 UGH   0      0        0 tun0
> 10.95.3.109     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> YY.YY.YYY.YYY   XX.XXX.XX.XX    255.255.255.255 UGH   0      0        0 eth1
> XX.XXX.XX.XX    0.0.0.0         255.255.255.252 U     0      0        0 eth1
> 128.0.0.0       10.95.3.109     128.0.0.0       UG    0      0        0 tun0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 
> WAN interface is eth1, LAN 192.168.0.0/24 is eth0.
> 
> So far, VPN network IP addresses have varied all over the 10.x.x.x range.
> 
> I have attempted to modify firewall.conf with the following:
> 
> TRUSTED_IF=“$INT_IF tun0”
> 
> IF_TRUSTS=“$INT_IF tun0”
> 
> INTERNAL_NET=“192.168.0.0/24 10.0.0.0/8"
> 
> I have also opened up the OpenVPN port used by the server (it’s not 1194).
> 
> Are there any hints on what should be done to get this working?
> 
> Thanks for any help,
> 
> 		-Mike
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl



More information about the Firewall mailing list