How to access remote LAN machines through an IPsec / xl2tpd VPN (maybe iptables related)

You are very likely having the exact same issue as this post

Your situation is as follows:

VPN client can reach the VPN server and tunnel through the VPN to the internet, but cannot reach the server LAN nor any other VPN client's IP.

Tunneling to the internet works because you have an iptables NAT rule. For the rest, you need to apply the following ON THE VPN SERVER:

Enable tcp/ip forwarding

The Linux TCP/IP stack does not forward packets by default (either between interfaces or re-routing them between IP networks). It has to be enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward

Without that, the VPN server will accept VPN client packets locally, and route client packets according to the NAT rule, but will not route traffic to the local network.

Iptables

Iptables blocks all traffic by default. You need rules to allow traffic to get through (FORWARD).

$IPTABLES -A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

PS: Each VPN connection is an individual (virtual) interface (NIC); to allow packets to flow/route between them, you need FORWARD rules in iptables.

/etc/l2tpd.conf

When VPN clients need to talk to each other, the VPN server is acting as a routing point and needs to be on the same network.

local ip 192.168.1.1
ip range 192.168.1.2 - 192.168.1.254

Modify the above according to your network setup. If your VPN server has a 192.168.1.x IP, use it for the "local ip".

Modified Iptables script

Be very careful if you don't have physical access to the VPN server.

(This script will need anti-spoofing on the WAN interface, but let's focus on getting traffic from the VPN to the LAN first.)

# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# NAT
# -- iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
#
# Updated NAT rule
#   External interface  = eth0
#   External IP         = 123.123.123.123
#   Internal LAN        = 192.168.1.0/24
#   SNAT needs a fixed external IP; if eth0 gets a dynamic address,
#   keep "-j MASQUERADE" instead of "-j SNAT --to-source ..."
#   NO NAT if destination is LAN
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j SNAT --to-source 123.123.123.123

# New(1) - lo
# -- iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT  -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT

# Reply traffic. The rules below match NEW packets only, so without this rule
# the later packets of every accepted connection (and the replies to the
# server's own outbound connections, e.g. upstream DNS) fall through to the
# final DROP.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# New(2) Allow inter-192.168.1.x routing
iptables -A INPUT  -s 192.168.1.0/24   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -s 192.168.1.0/24   -m state --state NEW  -j ACCEPT
iptables -A FORWARD  -s 192.168.1.0/24   -m state --state NEW  -j ACCEPT

# -- allow lan to router traffic - Shadowed by New(2)
# -- This rule maybe your source of trouble too, it only accept 192.168.1.x from eth2
# -- iptables -A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT

# ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# vpn
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT

# dns - Shadowed by New(2)
# -- iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
# -- iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT

# logging - appended here so it sits right before the final DROP and only sees
# traffic no earlier rule accepted ("-I INPUT 5" would land among the VPN accept rules)
iptables -A INPUT -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7

# block all other traffic
iptables -A INPUT -j DROP
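The answer and the later comments together ask for a handful of checks before blaming iptables: the l2tpd "local ip" and "ip range" must sit inside the LAN prefix, the VPN pool must not overlap the LAN DHCP pool, ip_forward must be on, and the client's own network must not overlap the remote LAN (which is what the thread finally came down to). The POSIX sh pre-flight below bundles those checks. It is an added example, not part of the answer: the addresses are the ones from the thread (LAN 192.168.1.0/24, router 192.168.1.3, pool .2 to .254, udhcpd pool .201 to .254), and the function names are my own.

```shell
#!/bin/sh
# Pre-flight checks for an xl2tpd/IPsec server that hands out LAN addresses.
# Added example (not from the thread). Addresses below are the thread's own;
# the helper names are an assumption of this script.

# Dotted quad -> integer (multiplication only, so any POSIX sh arithmetic works).
ip2int() {
    _o=$IFS; IFS=.
    set -- $1
    IFS=$_o
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# "a.b.c.d/n" -> "first last" of the prefix, as integers.
cidr_bounds() {
    _ip=${1%/*}; _bits=${1#*/}
    _size=$(( 1 << (32 - _bits) ))
    _first=$(( $(ip2int "$_ip") / _size * _size ))   # floor to the block start
    echo "$_first $(( _first + _size - 1 ))"
}

# ranges_overlap FIRST1 LAST1 FIRST2 LAST2 : success if the inclusive ranges share an address.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# ip_in_cidr IP CIDR : success if IP lies inside CIDR.
ip_in_cidr() {
    set -- "$(ip2int "$1")" $(cidr_bounds "$2")
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# pool_inside_lan LAN_CIDR POOL_START POOL_END : the l2tpd "ip range" must sit
# inside the LAN prefix, otherwise proxyarp cannot present clients as on-link hosts.
pool_inside_lan() {
    ip_in_cidr "$2" "$1" && ip_in_cidr "$3" "$1"
}

# pool_clear_of_dhcp POOL_START POOL_END DHCP_START DHCP_END : success if the
# VPN pool and the LAN DHCP pool do not share any address.
pool_clear_of_dhcp() {
    ! ranges_overlap "$(ip2int "$1")" "$(ip2int "$2")" "$(ip2int "$3")" "$(ip2int "$4")"
}

# prefixes_overlap CIDR1 CIDR2 : success if the two prefixes overlap. A client
# whose own LAN is also 192.168.1.0/24 never sends LAN-bound packets into the tunnel.
prefixes_overlap() {
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    ranges_overlap "$1" "$2" "$3" "$4"
}

# forwarding_enabled [FILE] : success if the ip_forward sysctl reads "1".
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# vpn_preflight LAN_CIDR LOCAL_IP POOL_START POOL_END DHCP_START DHCP_END CLIENT_CIDR
# Prints one line per finding; the exit status is the number of problems (0 = clear).
vpn_preflight() {
    _n=0
    ip_in_cidr "$2" "$1"           || { echo "local ip $2 is not inside LAN $1"; _n=$((_n + 1)); }
    pool_inside_lan "$1" "$3" "$4" || { echo "ip range $3-$4 is not inside LAN $1"; _n=$((_n + 1)); }
    pool_clear_of_dhcp "$3" "$4" "$5" "$6" \
        || { echo "ip range $3-$4 overlaps DHCP pool $5-$6"; _n=$((_n + 1)); }
    if prefixes_overlap "$7" "$1"; then
        echo "client network $7 overlaps remote LAN $1 (LAN traffic never enters the tunnel)"
        _n=$((_n + 1))
    fi
    return $_n
}

# Thread values: pool .2-.254 against a .201-.254 DHCP pool, tested from a
# client that was itself on a 192.168.1.0/24 network. Expect two findings.
vpn_preflight 192.168.1.0/24 192.168.1.3 192.168.1.2 192.168.1.254 \
              192.168.1.201 192.168.1.254 192.168.1.0/24 \
    && echo "preflight: no problems" || echo "preflight: problems listed above"
forwarding_enabled && echo "ip_forward: on" || echo "ip_forward: off (echo 1 > /proc/sys/net/ipv4/ip_forward)"
```

Run it on the VPN server with your own LAN prefix, l2tpd pool and DHCP pool; the client-network check is the one to run from wherever you test, since a laptop on a home router that also uses 192.168.1.0/24 will route LAN-bound packets locally no matter what the server's iptables say.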
Author: Simon

Updated on September 18, 2022

Comments

  • Simon
    Simon over 1 year

    I’m trying to do the setup of an IPsec / xl2tpd VPN for our office, and I’m having some problems accessing the remote local machines after connecting to the VPN.

    I can connect, and I can browse Internet sites through the VPN, but as said, I’m unable to connect to or even ping the local ones.

    My Network setup is something like this:

    INTERNET > eth0 > ROUTER / VPN > eth2 > LAN

    These are some traceroutes behind the VPN:

    traceroute to google.com (173.194.78.94), 64 hops max, 52 byte packets
     1  192.168.1.80 (192.168.1.80)  74.738 ms  71.476 ms  70.123 ms
     2  10.35.192.1 (10.35.192.1)  77.832 ms  77.578 ms  77.865 ms
     3  10.47.243.137 (10.47.243.137)  78.837 ms  85.409 ms  76.032 ms
     4  10.47.242.129 (10.47.242.129)  78.069 ms  80.054 ms  77.778 ms
     5  10.254.4.2 (10.254.4.2)  86.174 ms
        10.254.4.6 (10.254.4.6)  85.687 ms
        10.254.4.2 (10.254.4.2)  85.664 ms
    
    traceroute to 192.168.1.3 (192.168.1.3), 64 hops max, 52 byte packets
     1  * * *
     2  *traceroute: sendto: No route to host
    traceroute: wrote 192.168.1.3 52 chars, ret=-1
     *traceroute: sendto: Host is down
    traceroute: wrote 192.168.1.3 52 chars, ret=-1
     *
    traceroute: sendto: Host is down
     3 traceroute: wrote 192.168.1.3 52 chars, ret=-1
     *traceroute: sendto: Host is down
    traceroute: wrote 192.168.1.3 52 chars, ret=-1
    

    These are my iptables rules:

    iptables -A INPUT -i lo -j ACCEPT
    
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    
    # allow lan to router traffic
    iptables -A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT
    
    # ssh
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    
    # vpn
    iptables -A INPUT -p 50 -j ACCEPT
    iptables -A INPUT -p ah -j ACCEPT
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    iptables -A INPUT -p udp --dport 1701 -j ACCEPT
    
    # dns
    iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
    
    iptables -t nat -A POSTROUTING -j MASQUERADE
    
    # logging
    iptables -I INPUT 5 -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    # block all other traffic
    iptables -A INPUT -j DROP
    

    And here are some firewall log lines:

    Dec  6 11:11:57 router kernel: [8725820.003323] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=62174 PROTO=UDP SPT=61910 DPT=53 LEN=40 
    Dec  6 11:12:29 router kernel: [8725852.035826] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=15344 PROTO=UDP SPT=56329 DPT=8612 LEN=24 
    Dec  6 11:12:36 router kernel: [8725859.121606] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11767 PROTO=UDP SPT=63962 DPT=8612 LEN=24 
    Dec  6 11:12:44 router kernel: [8725866.203656] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11679 PROTO=UDP SPT=57101 DPT=8612 LEN=24 
    Dec  6 11:12:51 router kernel: [8725873.285979] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=39165 PROTO=UDP SPT=62625 DPT=8612 LEN=24 
    

    I’m pretty sure that the problem should be related to iptables, but after trying a lot of different confs, I was unable to find the right one.

    Any help will be greatly appreciated ;). Kind regards, Simon.

    EDIT:

    This is my route table:

    default         62.43.193.33.st 0.0.0.0         UG    100    0        0 eth0
    62.43.193.32    *               255.255.255.224 U     0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
    192.168.1.81    *               255.255.255.255 UH    0      0        0 ppp0
    
    • FINESEC
      FINESEC over 11 years
      Just a hint: "IN=ppp0" (ppp0 interface)
    • Simon
      Simon over 11 years
      yeah, I've tried different iptables lines regarding that interface without success... :(
  • Simon
    Simon over 11 years
    Nope, it does not seem to work, but thanks anyway.
  • ArrowInTree
    ArrowInTree over 11 years
    Ummm, PARTIAL is the operative road. Try hping...?
  • Simon
    Simon over 11 years
    Hi, I still can't ping the machines in the local network with that config, but the thing is that with my former setup, the vpn client is able to access the dns server in the router.
  • Simon
    Simon over 11 years
    So, what I have is a VPN through which I can access the Internet and the DNS server behind it, but I'm unable to ping or access local machines in the local network. For reference, I've tried your lines with some changes (eth2 instead of eth1, but I've tried eth0 too), and 192.168.1.0/24 and 0.0.0.0/24 as the IPs (one network each time). And I couldn't make it work with the last line iptables -P FORWARD -j DROP because it gave me a conflict: iptables v1.4.12: -X requires a chain and a policy.
  • ArrowInTree
    ArrowInTree over 11 years
    There are apparently TWO FORWARD chains. One in Filter and one in mangle. What are their differences? serverfault.com/questions/456308/…
  • ArrowInTree
    ArrowInTree over 11 years
    Umm, back to the main question. 1) start tcpdump -vvi vpn on the router. 2) I want you to invoke dig or nslookup and SET the server to 8.8.8.8 (google ns) and re-do the nameserver resolution.
  • ArrowInTree
    ArrowInTree over 11 years
    Umm, if your dns server is on your router, then your lan.example.org name resolution SHOULD fail without the iptable --dport 53 entries
  • Simon
    Simon over 11 years
    Hi and thanks a lot for your help ArrowInTree. First, yes, the DNS server is in the same machine as the firewall (local IP 192.168.1.3), and I think you are right and it's not working properly: nslookup google.com ;; connection timed out; no servers could be reached (but I can browse the web without problems). After changing it to 8.8.8.8 it resolves properly: nslookup google.es Server: 80.58.61.250 Address: 80.58.61.250#53 Non-authoritative answer: Name: google.es Address: 173.194.34.56 Name: google.es Address: 173.194.34.55 Name: google.es Address: 173.194.34.63
  • Simon
    Simon over 11 years
    This is the output of tcpdump: dl.dropbox.com/u/166832/tcpdump.png; and this from dig dl.dropbox.com/u/166832/dig.png. Thanks in advance!
  • Simon
    Simon over 11 years
    Hi, I managed to resolve DNS correctly by putting the IP of the router into xl2tpd.conf as local ip, but I'm still unable to ping the machines or access the sites hosted in our LAN. I've tried to ping the remote machine 192.168.1.81 from the vpn/router, without success too. It's like the remote machine is using the router but without actually being inside the network...
  • Simon
    Simon over 11 years
    Hi, and thanks for your help, but it didn't work either. I think that the problem can be related to this comment: serverfault.com/questions/455649/…
  • John Siu
    John Siu over 11 years
    Can you post your ifconfig of your vpn server? Is your vpn server on the same ip network of vpn clients? What is "local ip" and "ip range" of your l2tp.conf?
  • John Siu
    John Siu over 11 years
    Updated l2tpd.conf in answer. Let me know if client can ping vpn server 192.168.1.x ip after the change.
  • Simon
    Simon over 11 years
    Hi and thanks for the help ;). This is my ifconfig: pastebin.com/ewMftDw3. And this is my xl2tpd.conf file pastebin.com/HB5mtzb7. I've tried to give the vpn clients their own subnetwork but in that case I can't browse internet through the vpn.
  • ArrowInTree
    ArrowInTree over 11 years
    I have done some research into xl2tpd. This is based on Ipv6 IPSEC. It functions one-to-one. I am not sure ipsec will support a ping of a client on the same net. Openvpn is based on ssl and like ipsec is very much like PPP. They are all point-to-point. Inside the encryption, there is no lan only the server destination. OpenVPN might and it has wider support. Try this: forums.openvpn.net/topic10974.html
  • John Siu
    John Siu over 11 years
    I updated with a modified iptables script. Please test ping from client to server by ip.
  • Simon
    Simon over 11 years
    Thanks for the update John. Pinging from client to the router/dns/vpn server (192.168.1.3) works. Dig and dnslookup works ok from the client. Pinging (or tracerouting) other machines won't work (192.168.1.9 for example). I'm still unable to load webpages hosted on the local machines.
  • John Siu
    John Siu over 11 years
    (1) Ping from vpn client to 192.168.1.9, do you get any error msg from /var/log/syslog? (2) Ping from 192.168.1.3 (router) to 192.168.1.9 works? (3) From vpn server, "wget <lan web server>", do you get the index file correctly?
  • John Siu
    John Siu over 11 years
    Please post your /etc/ppp/options.xl2tpd also.
  • John Siu
    John Siu over 11 years
    Check in your /etc/ppp/options.xl2tpd "proxyarp" is enabled (not comment out).
  • Simon
    Simon over 11 years
    (1) I've got no immediate errors in syslog, but there are lines like this: Dec 12 22:10:44 ubuntu pppd[19224]: sent [LCP EchoReq id=0xc magic=0x56bae6fd]. (2) Pinging from vpn to 192.168.1.9 works, but (3) the wget fails. In fact, doing an nslookup of a local site shows an external address instead of the local one: nslookup lan.site.com Server: 62.42.230.24 Address: 62.42.230.24#53 Non-authoritative answer: *** Can't find lan.site.com: No answer.
  • Simon
    Simon over 11 years
    The same nslookup from the client works fine: nslookup lan.site.com Server: 192.168.1.3 Address: 192.168.1.3#53 Name: lan.site.com Address: 192.168.1.9. I think we are close John. Thanks a lot for your help!
  • John Siu
    John Siu over 11 years
    (1) Just want to know for sure, is ping from vpn client to 192.168.1.9 working now? (2) From vpn client or vpn server, does "wget <http server ip>" work? If yes, we fixed the iptables problem and the only remaining problem is dns, which is easy to fix.
  • Simon
    Simon over 11 years
    (1) Ping from the client to 192.168.1.9 fails ping 192.168.1.9 PING 192.168.1.9 (192.168.1.9): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1. Ping from client to 192.168.1.3 (router) works ping 192.168.1.3 PING 192.168.1.3 (192.168.1.3): 56 data bytes 64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=218.310 ms 64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=203.736 ms.(2) wget from client fails too wget 192.168.1.9 --2012-12-12 23:27:48-- http://192.168.1.9/ Connecting to 192.168.1.9:80... failed: Host is down. Retrying.
  • John Siu
    John Siu over 11 years
    Have you checked /etc/ppp/options.xl2tpd "proxyarp" yet?
  • Simon
    Simon over 11 years
    yes, it has been there all this time, this is the file: pastebin.com/aDPcdhaK; and this is the ipsec.conf file pastebin.com/p7tCejwE.
  • John Siu
    John Siu over 11 years
    With NO vpn client connected, on the http server, do "nmap -v -sP 192.168.1.0/24". I want to make sure none of the IPs in the vpn range are being used in your lan. Also make sure your vpn ip range is not overlapping with your lan dhcp range.
  • Simon
    Simon over 11 years
    This is the result from nmap: pastebin.com/ZjZTfgk2. Our dhcp ip range is: 201 to 254, this is the udhcp.conf file start 192.168.1.201 end 192.168.1.254 interface eth2 opt dns 192.168.1.3 62.42.230.24 option subnet 255.255.255.0 opt router 192.168.1.3 option domain example.org option lease 864000
  • John Siu
    John Siu over 11 years
    I believe we have it this time. Please check NAT section in my iptables.
  • Simon
    Simon over 11 years
    Hi John, thanks a lot for your help, I've finally got it. I'm afraid to say that probably it wasn't totally related to the iptables, but to a LAN overlap problem between the networks. I was testing from a network with the same subnet as the remote network, so when I tried to ping or resolve a remote site, the client actually never left its own local network. I discovered this in one of my last desperate tries, accessing the VPN through my phone and resolving the sites in the office correctly.
  • John Siu
    John Siu over 11 years
    LOL, that is the one question I forgot to ask. But you probably still want to use my iptables script instead of your original one, I am almost certain your original script will not work. I actually had to set up a testing vpn here to get the final one out.
  • Simon
    Simon over 11 years
    Tomorrow I will move the office network to a distinct subnet, not 192.168... and I think that will solve most of the problems for the common user. I want to thank you especially for all your help, because if we hadn't been trying all these days, I probably would have quit some time ago. So thanks a lot for your help John!!!
  • John Siu
    John Siu over 11 years
    No problem, I will probably put all this in my blog to remind myself of all the things to check next time.
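The firewall log lines in the question already carried the two facts the thread took days to reach: every dropped packet arrived on ppp0 (the interface the LAN accept rule did not cover), and only one of the five was a real LAN-bound packet (a DNS query to the router); the other four are TTL=1 multicast to 224.0.0.1 that a router is expected to drop anyway. The script below reduces such log output to one line per (interface, protocol, destination, port) with a count and a verdict, so the signal is visible at a glance. It is an added example, not something from the thread; the sample lines are a constructed copy of the ones the asker posted, and the LAN prefix default is an assumption taken from the thread's addressing.

```shell
#!/bin/sh
# Summarise "iptables denied:" kernel log lines by (IN, PROTO, DST, DPT).
# Added example, not from the thread. SAMPLE_LOG is a constructed copy of the
# five lines posted in the question; the LAN prefix default is an assumption.

SAMPLE_LOG=$(cat <<'EOF'
Dec  6 11:11:57 router kernel: [8725820.003323] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=62174 PROTO=UDP SPT=61910 DPT=53 LEN=40
Dec  6 11:12:29 router kernel: [8725852.035826] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=15344 PROTO=UDP SPT=56329 DPT=8612 LEN=24
Dec  6 11:12:36 router kernel: [8725859.121606] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11767 PROTO=UDP SPT=63962 DPT=8612 LEN=24
Dec  6 11:12:44 router kernel: [8725866.203656] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11679 PROTO=UDP SPT=57101 DPT=8612 LEN=24
Dec  6 11:12:51 router kernel: [8725873.285979] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=39165 PROTO=UDP SPT=62625 DPT=8612 LEN=24
EOF
)

# summarize_denied [LAN_PREFIX]   (reads the kernel log on stdin)
# Emits one sorted line per distinct (IN, PROTO, DST, DPT): the tuple, a count
# and a verdict separating multicast noise from unicast aimed at a LAN address
# that arrived on an interface the rules did not cover.
summarize_denied() {
    awk -v lan="${1:-192.168.1.}" '
    /iptables denied:/ {
        split("", f)                          # KEY=VALUE pairs of this line
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        key = f["IN"] " " f["PROTO"] " " f["DST"] " " f["DPT"]
        n[key]++
        split(f["DST"], o, ".")               # first octet decides multicast
        if (o[1] + 0 >= 224 && o[1] + 0 <= 239)
            v[key] = "multicast, dropping on the router is expected"
        else if (index(f["DST"], lan) == 1)
            v[key] = "unicast to LAN, check INPUT/FORWARD rules for " f["IN"]
        else
            v[key] = "unicast elsewhere"
    }
    END { for (k in n) printf "%s count=%d %s\n", k, n[k], v[k] }
    ' | sort
}

# Demo on the constructed sample; on a real box feed it
#   journalctl -k | summarize_denied      or      summarize_denied < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

Two lines come out for the sample: the DNS query to 192.168.1.3 on ppp0 (the rule that mattered) and four multicast probes. Group first, then read the one unicast line against the INPUT and FORWARD rules for the interface it names.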