[Firewall] NAT, OpenVPN client, and Arno fw

Lonnie Abelbeck lists at lonnie.abelbeck.com
Mon Apr 10 05:10:35 CEST 2017


Mike,

It sounds like if your OpenVPN (server) provider supported "client-config-dir" files based on your CN to route you 192.168.0.0/24 you would be good.  I assume for some reason that can't be done ?

Keep in mind that AIF does not directly affect routing, just filtering and rewriting packets.

I see what you are trying to do, NAT traffic to your OpenVPN tunnel so everything occurs over one IP address ... interesting, I have never done that ... interesting.

How about treating the OpenVPN client "tun0" as an external interface ?
-- untested, just an idea --
EXT_IF="eth1 tun0"
INT_IF="eth0"
INTERNAL_NET="192.168.0.0/24"
NAT_INTERNAL_NET="192.168.0.0/24"
NAT=1
IF_TRUSTS=""
-- untested, just an idea --

When the tunnel is not active then the default 0.0.0.0 route via eth1 will be used, but when the tunnel is active using "redirect-gateway def1" the slightly more specific 128.0.0.0/1 and 0.0.0.0/1 routes will direct the traffic via tun0.

I can't think of any negative security implications of doing this off the top of my head, can you ?  Actually it might be better (security wise), but with the side effect of adding extra NAT'ing to the path.

Lonnie


On Apr 9, 2017, at 8:42 PM, Mike Klein <mike at kleinnet.com> wrote:

> Lonnie, thanks for the help. (I hope my reply goes into the same thread)
> 
> I am making my way slowly through the concepts of iptables and routing.  I thought it would be a good idea to diagram what I think I am trying to achieve.  See below.  There are two main cases: 1) Normal firewall function, which is already fully implemented on my gateway, and 2) A modification of the NAT function of the gateway to send the outgoing packets through the VPN.
> 
> Is this doable using AIF? I have found many references that partially address this but nothing, to my knowledge, directly. The most promising implementation appears to be:
> 	* In the firewall, in addition to masquerading, mark masqueraded packets
> 	* Build a separate routing table that sets the default route of marked packets to the VPN remote endpoint (.209), via the VPN local endpoint (.210)
> 
> Am I on the right track?
> 
> In answer to your previous questions:
> 
> I can only traceroute to IP addresses, not names.  From the gateway box, the packet goes through the VPN.  From a LAN client, it goes to the gateway’s LAN IP (192.168.0.1) and then nothing.  I don’t believe the VPN provider is routing my internal LAN, as they don’t know anything about it.  I updated firewall.conf as you suggested, and no change.
> 
> 
>    1. Externally originated connection to service provided by gateway, e.g. SMTP, IMAP, etc.
>       Firewall accepts, rejects, port forwards as usual.
>       No change from existing implementation.
> 
> 
>           Originated from Internet
>           
>                                  X.X.X.X                                     192.168.0.1         192.168.0.0/24
>                                              |------------------------|
>           |-------------|       |------|     |                        |       |-------|          |------------|
>           |*************|------>|      |---->|                        |------>|       |--------->|            |
>           |*  Internet *|       | eth1 |     |     FW: accept, rej,   |       | eth0  |          |   LAN      |
>           |*           *|       |      |     |      port forward      |       |       |          |   client   |
>           |*************|<------|      |<----|                        |<------|       |<---------|            |
>           |-------------|       |------|     |                        |       |-------|          |            |
>                                              |------------------------|                          |------------|
> 
>                              \_______________________ Gateway/Firewall __________________/
> 
> 
> 
> 
> 
>    2. Internally originated connection, from LAN client to internet.  Outgoing packets should
>       be NAT'ed (as they are now) but routed through VPN adapter tun0.  Return traffic
>       comes back through VPN.
>       Change from existing implementation: route through tun0 instead of eth1 directly.
> 
> 
>           Originated from Internal LAN Client
> 
>                                 Y.Y.Y.Y      X.X.X.X   10.95.3.210                   192.168.0.1    192.168.0.0/24
>                                                                      |----------|
>           |----------|     |----------|     |------|     |------|    |          |      |------|     |------------|
>           |          |<----|          |<----|      |<----|      |<---|          |<-----|      |<----|************|
>           | Internet |     |   VPN    |     | eth1 |     | tun0 |    | FW: MASQ |      | eth0 |     |*  LAN     *|
>           |          |     | provider |     |      |     |      |    |          |      |      |     |*  client  *|
>           |          |---->|          |---->|      |---->|      |--->|          |----->|      |---->|*          *|
>           |----------|     |----------|     |------|     |------|    |          |      |------|     |************|
>                                                                      |----------|                   |------------|
> 
>                                          \________________ Gateway/Firewall ____________________/
> 
>    Legend:
>        X.X.X.X: public IP of network (static)
>        Y.Y.Y.Y: VPN provider's server IP address
>        192.168.0.0/24: LAN
> 
> 
>    Note: LAN provides local DNS, DHCP, and other typical services which should be consulted by
>          gateway/firewall instead of routing requests to those through the VPN.
> 
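A small model of the routing side of Lonnie's suggestion, added here as an example and not taken from the list or from AIF itself: constructed routing tables for the gateway with the tunnel down and with the "redirect-gateway def1" routes present, a longest-prefix lookup, and the EXT_IF check that decides whether the chosen egress gets NAT'ed. The ISP gateway, WAN prefix and VPN server address are constructed documentation-range values.

```python
import ipaddress

# Constructed routing table for the gateway with the tunnel down (not real
# output). Each entry: (prefix, next-hop or None if directly connected, interface).
TUNNEL_DOWN = [
    ("0.0.0.0/0",      "203.0.113.1", "eth1"),  # ISP default gateway (constructed)
    ("203.0.113.0/24", None,          "eth1"),  # WAN link where X.X.X.X lives
    ("192.168.0.0/24", None,          "eth0"),  # LAN: DNS, DHCP etc. stay here
]

# With the tunnel up, "redirect-gateway def1" adds the two /1 routes via tun0 and a
# host route to the VPN server (Y.Y.Y.Y, constructed as 198.51.100.7) via the old
# gateway, so the tunnel's own transport is not routed into the tunnel.
TUNNEL_UP = TUNNEL_DOWN + [
    ("0.0.0.0/1",       "10.95.3.209", "tun0"),
    ("128.0.0.0/1",     "10.95.3.209", "tun0"),
    ("10.95.3.208/30",  None,          "tun0"),  # .209 remote, .210 local endpoint
    ("198.51.100.7/32", "203.0.113.1", "eth1"),
]

EXT_IF = ("eth1", "tun0")  # Lonnie's suggested AIF EXT_IF; NAT=1 applies to these
INT_IF = ("eth0",)

def lookup(table, dst):
    """Longest-prefix match: return (prefix, interface) that carries dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return (str(best[0]), best[1]) if best else None

def egress(table, dst):
    """Outgoing interface for dst and whether AIF would masquerade it
    (true only when the interface is listed in EXT_IF)."""
    _prefix, dev = lookup(table, dst)
    return dev, dev in EXT_IF

if __name__ == "__main__":
    for tag, table in (("tunnel down", TUNNEL_DOWN), ("tunnel up", TUNNEL_UP)):
        for dst in ("192.0.2.10", "198.51.100.7", "192.168.0.50"):
            print(tag, dst, egress(table, dst))
```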



More information about the Firewall mailing list