How to access remote LAN machines through an IPsec / xl2tpd VPN (maybe iptables related)
You are very likely having the exact same issue as this post.
Your situation is as follows:
The VPN client can reach the VPN server and tunnel through the VPN to the internet, but cannot reach the server's LAN nor any other VPN client's IP.
Tunneling to the internet works because you have an iptables NAT rule. For the rest, you need to apply the following ON THE VPN SERVER:
Enable TCP/IP forwarding
The Linux TCP/IP stack by default does not forward packets (either between interfaces or re-routing them between IP networks). It has to be enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
Without that, the VPN server will accept VPN client packets locally and route client packets according to the NAT rule, but will not route traffic to the local network.
Iptables
Iptables blocks all traffic by default. You need rules to allow traffic to get through (forward).
$IPTABLES -A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
PS: Each VPN connection is an individual (virtual) interface (NIC); to allow packets to flow/route between them, you need FORWARD rules in iptables.
/etc/l2tpd.conf
When VPN clients need to talk to each other, the VPN server is acting as a routing point and needs to be on the same network.
local ip 192.168.1.1
ip range 192.168.1.2 - 192.168.1.254
Modify the above according to your network setup. If your VPN server has a 192.168.1.x IP, use it for the "local ip".
Modified iptables script
Be very careful if you don't have physical access to the VPN server.
(This script will need anti-spoofing on the WAN interface, but let's focus on getting traffic from the VPN to the LAN first.)
# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Enable IP forwarding (to persist across reboots, also set net.ipv4.ip_forward=1 in /etc/sysctl.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT
# -- iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
#
# Updated NAT rule
# External interface = eth0
# External IP = 123.123.123.123
# Internal LAN = 192.168.1.0/24
# With a static external IP, "-j SNAT --to-source" replaces "-j MASQUERADE"; keep MASQUERADE if eth0 gets a dynamic address
# NO NAT if destination is LAN
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j SNAT --to-source 123.123.123.123
# New(1) - lo
# -- iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
# Keep accepting replies to connections the server itself opened (DNS, apt, wget); without this the final DROP discards them
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New(2) Allow inter-192.168.1.x routing
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
# -- allow lan to router traffic - Shadowed by New(2)
# -- This rule maybe your source of trouble too, it only accept 192.168.1.x from eth2
# -- iptables -A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT
# ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# vpn
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
# dns - Shadowed by New(2)
# -- iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
# -- iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
# logging - appended here so it sits just before the final DROP and only logs what is actually denied
iptables -A INPUT -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7
# block all other traffic
iptables -A INPUT -j DROP
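As an added check (not part of the original answer), a POSIX shell audit that reads a ruleset in iptables-save format and reports the two conditions the answer relies on: a FORWARD path for the subnet (explicit ACCEPT rule or ACCEPT policy) and a POSTROUTING SNAT/MASQUERADE rule that excludes LAN destinations, plus the ip_forward sysctl. The function names audit_ruleset and forwarding_enabled are mine, and the two sample rulesets are constructed, modelled on the question's bare MASQUERADE rule and the answer's NAT line.

```shell
#!/bin/sh
# Added audit helper (not from the original answer). Feed it iptables-save
# output to see whether the VPN-to-LAN conditions from the answer are met:
#   audit_ruleset "$(iptables-save)" 192.168.1.0/24

LAN="192.168.1.0/24"   # the LAN/VPN subnet used in the thread

# Returns 0 when kernel forwarding is on. $1 overrides the sysctl path (for tests).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Returns 0 when $1 (ruleset text) lets subnet $2 through FORWARD and no
# POSTROUTING SNAT/MASQUERADE rule rewrites packets whose destination is $2.
# Findings are printed one per line.
audit_ruleset() {
    ruleset="$1"; lan="$2"; fwd_ok=1; nat_ok=0
    while IFS= read -r line; do
        case "$line" in
            ":FORWARD ACCEPT"*|"-A FORWARD "*"-s $lan "*"-j ACCEPT"*)
                fwd_ok=0 ;;                      # policy ACCEPT or explicit rule
            "-A POSTROUTING "*"-j SNAT"*|"-A POSTROUTING "*"-j MASQUERADE"*)
                case "$line" in
                    *"! -d $lan "*) ;;           # LAN-bound traffic is excluded
                    *) nat_ok=1; echo "NAT rewrites LAN-bound traffic: $line" ;;
                esac ;;
        esac
    done <<EOF
$ruleset
EOF
    [ "$fwd_ok" -eq 0 ] || echo "no FORWARD ACCEPT for $lan and FORWARD policy is not ACCEPT"
    [ "$fwd_ok" -eq 0 ] && [ "$nat_ok" -eq 0 ]
}

# Constructed samples: a locked-down variant of the question's rules (bare
# MASQUERADE, no FORWARD path) and the answer's fixed FORWARD/NAT lines.
ORIG_RULES=':FORWARD DROP [0:0]
-A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT
-A POSTROUTING -j MASQUERADE'
FIXED_RULES=':FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o eth0 -j SNAT --to-source 123.123.123.123'

audit_ruleset "$ORIG_RULES" "$LAN" || echo "sample 'original' ruleset: needs fixing"
audit_ruleset "$FIXED_RULES" "$LAN" && echo "sample 'fixed' ruleset: ok"
```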
Simon, updated on September 18, 2022
Comments
- Simon over 1 year:
I'm trying to do the setup of an IPSEC / XL2TPD VPN for our office, and I'm having some problems accessing the remote local machines after connecting to the VPN.
I can connect, and I can browse Internet sites through the VPN, but as said, I'm unable to connect to or even ping the local ones.
My Network setup is something like this:
INTERNET > eth0 > ROUTER / VPN > eth2 > LAN
These are some traceroutes behind the VPN:
traceroute to google.com (173.194.78.94), 64 hops max, 52 byte packets
 1  192.168.1.80 (192.168.1.80)  74.738 ms  71.476 ms  70.123 ms
 2  10.35.192.1 (10.35.192.1)  77.832 ms  77.578 ms  77.865 ms
 3  10.47.243.137 (10.47.243.137)  78.837 ms  85.409 ms  76.032 ms
 4  10.47.242.129 (10.47.242.129)  78.069 ms  80.054 ms  77.778 ms
 5  10.254.4.2 (10.254.4.2)  86.174 ms  10.254.4.6 (10.254.4.6)  85.687 ms  10.254.4.2 (10.254.4.2)  85.664 ms
traceroute to 192.168.1.3 (192.168.1.3), 64 hops max, 52 byte packets
 1  * * *
 2  *traceroute: sendto: No route to host
traceroute: wrote 192.168.1.3 52 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote 192.168.1.3 52 chars, ret=-1
*
traceroute: sendto: Host is down
 3  traceroute: wrote 192.168.1.3 52 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote 192.168.1.3 52 chars, ret=-1
These are my iptables rules:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow lan to router traffic
iptables -A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT
# ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# vpn
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
# dns
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
# logging
iptables -I INPUT 5 -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7
# block all other traffic
iptables -A INPUT -j DROP
And here are some firewall log lines:
Dec 6 11:11:57 router kernel: [8725820.003323] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=62174 PROTO=UDP SPT=61910 DPT=53 LEN=40
Dec 6 11:12:29 router kernel: [8725852.035826] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=15344 PROTO=UDP SPT=56329 DPT=8612 LEN=24
Dec 6 11:12:36 router kernel: [8725859.121606] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11767 PROTO=UDP SPT=63962 DPT=8612 LEN=24
Dec 6 11:12:44 router kernel: [8725866.203656] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11679 PROTO=UDP SPT=57101 DPT=8612 LEN=24
Dec 6 11:12:51 router kernel: [8725873.285979] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=39165 PROTO=UDP SPT=62625 DPT=8612 LEN=24
I’m pretty sure that the problem should be related with iptables, but after trying a lot of different confs, I was unable to find the right one.
Any help will be greatly appreciated ;). Kind regards, Simon.
EDIT:
This is my route table:
default         62.43.193.33.st  0.0.0.0          UG  100  0  0  eth0
62.43.193.32    *                255.255.255.224  U   0    0  0  eth0
192.168.1.0     *                255.255.255.0    U   0    0  0  eth2
192.168.1.81    *                255.255.255.255  UH  0    0  0  ppp0
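As an added triage helper (not part of the original question), a small shell/awk summary of the kernel "iptables denied:" lines posted above, grouped by ingress interface, egress interface, destination, protocol and port. In this LOG format an empty OUT= means the packet was addressed to the router itself (INPUT chain), while a non-empty OUT= means it was in transit (FORWARD chain); the function names summarize_denied and denied_to_router are mine, and the sample input is three of the log lines from the question.

```shell
#!/bin/sh
# Added triage helper (not from the original question). On a live box:
#   summarize_denied "$(grep 'iptables denied' /var/log/syslog)"

# Sample input: three of the log lines posted in the question above.
LOG='Dec 6 11:11:57 router kernel: [8725820.003323] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=62174 PROTO=UDP SPT=61910 DPT=53 LEN=40
Dec 6 11:12:29 router kernel: [8725852.035826] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=15344 PROTO=UDP SPT=56329 DPT=8612 LEN=24
Dec 6 11:12:36 router kernel: [8725859.121606] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11767 PROTO=UDP SPT=63962 DPT=8612 LEN=24'

# Prints one line per distinct tuple, most frequent first:
#   <count> <IN> <OUT or -> <DST> <PROTO> <DPT>
# $1 is the log text. An OUT of "-" means the router itself dropped the packet
# in INPUT; anything else means the drop happened while forwarding.
summarize_denied() {
    printf '%s\n' "$1" | awk '
        /iptables denied:/ {
            split("", f)                         # reset the field map per line
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            out = (f["OUT"] == "") ? "-" : f["OUT"]
            key = f["IN"] " " out " " f["DST"] " " f["PROTO"] " " f["DPT"]
            n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Only the drops for traffic the router itself should have answered (OUT is "-"),
# e.g. the VPN client's DNS query to 192.168.1.3 in the question.
denied_to_router() {
    summarize_denied "$1" | awk '$3 == "-"'
}

summarize_denied "$LOG"
```

With the question's rules, every dropped packet arrives on ppp0 with an empty OUT=, which points at the INPUT rule that only accepts 192.168.1.0/24 from eth2, not at forwarding.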
- FINESEC over 11 years: Just a hint: "IN=ppp0" (ppp0 interface)
- Simon over 11 years: Yeah, I've tried different iptables lines regarding that interface without success... :(
- Simon over 11 years: Nope, it does not seem to work, but thanks anyway.
- ArrowInTree over 11 years: Ummm, PARTIAL is the operative road. Try hping...?
- Simon over 11 years: Hi, I still can't ping the machines in the local network with that config, but the thing is that with my former setup, the VPN client is able to access the DNS server in the router.
- Simon over 11 years: So, I have a VPN which can access the Internet through it and could access the DNS server behind it, but it's unable to ping or access local machines in the local network. For reference, I've tried your lines with some changes (eth2 instead of eth1, but I've tried eth0 too), and 192.168.1.0/24 and 0.0.0.0/24 as the IPs (one network each time). And I couldn't make it work with the last line
iptables -P FORWARD -j DROP
because it gave me a conflict: iptables v1.4.12: -X requires a chain and a policy
- ArrowInTree over 11 years: There are apparently TWO FORWARD chains, one in filter and one in mangle. What are their differences? serverfault.com/questions/456308/…
- ArrowInTree over 11 years: Umm, back to the main question. 1) Start tcpdump -vvi vpn on the router. 2) I want you to invoke dig or nslookup and SET the server to 8.8.8.8 (Google NS) and re-do the name server resolution.
- ArrowInTree over 11 years: Umm, if your DNS server is on your router, then your lan.example.org name resolution SHOULD fail without the iptables --dport 53 entries.
- Simon over 11 years: Hi and thanks a lot for your help ArrowInTree. First, yes, the DNS server is in the same machine as the firewall (local IP 192.168.1.3), and I think you are right and it's not working properly:
nslookup google.com
;; connection timed out; no servers could be reached
(but I can browse the web without problems). After changing it to 8.8.8.8 it resolves properly:
nslookup google.es
Server: 80.58.61.250
Address: 80.58.61.250#53
Non-authoritative answer:
Name: google.es
Address: 173.194.34.56
Name: google.es
Address: 173.194.34.55
Name: google.es
Address: 173.194.34.63
- Simon over 11 years: This is the output of tcpdump: dl.dropbox.com/u/166832/tcpdump.png; and this from dig: dl.dropbox.com/u/166832/dig.png. Thanks in advance!
- Simon over 11 years: Hi, I managed to get DNS resolving correctly by putting the router's IP as the local ip in xl2tpd.conf, but still, I'm unable to ping the machines or access the sites hosted in our LAN. I've tried to ping the remote machine 192.168.1.81 from the VPN/router, without success too. It's like the remote machine is using the router but without actually being inside the network...
- Simon over 11 years: Hi, and thanks for your help, but it didn't work either. I think that the problem can be related to this comment: serverfault.com/questions/455649/…
- John Siu over 11 years: Can you post the ifconfig of your VPN server? Is your VPN server on the same IP network as the VPN clients? What are the "local ip" and "ip range" of your l2tp.conf?
- John Siu over 11 years: Updated l2tpd.conf in the answer. Let me know if the client can ping the VPN server's 192.168.1.x IP after the change.
- Simon over 11 years: Hi and thanks for the help ;). This is my ifconfig: pastebin.com/ewMftDw3. And this is my xl2tpd.conf file: pastebin.com/HB5mtzb7. I've tried to give the VPN clients their own subnetwork, but in that case I can't browse the Internet through the VPN.
- ArrowInTree over 11 years: I have done some research into xl2tpd. This is based on Ipv6 IPSEC. It functions one-to-one. I am not sure IPsec will support a ping of a client on the same net. OpenVPN is based on SSL and, like IPsec, is very much like PPP. They are all point-to-point. Inside the encryption, there is no LAN, only the server destination. OpenVPN might, and it has wider support. Try this: forums.openvpn.net/topic10974.html
- John Siu over 11 years: I updated with a modified iptables script. Please test ping from client to server by IP.
- Simon over 11 years: Thanks for the update John. Pinging from the client to the router/DNS/VPN server (192.168.1.3) works. dig and nslookup work OK from the client. Pinging (or tracerouting) other machines won't work (192.168.1.9 for example). I'm still unable to load web pages hosted on the local machines.
- John Siu over 11 years: (1) Ping from the VPN client to 192.168.1.9, do you get any error msg in /var/log/syslog? (2) Does ping from 192.168.1.3 (router) to 192.168.1.9 work? (3) From the VPN server, "wget <lan web server>", do you get the index file correctly?
- John Siu over 11 years: Please post your /etc/ppp/options.xl2tpd also.
- John Siu over 11 years: Check that in your /etc/ppp/options.xl2tpd "proxyarp" is enabled (not commented out).
- Simon over 11 years: (1) I've got no immediate errors in syslog, but there are lines like this:
Dec 12 22:10:44 ubuntu pppd[19224]: sent [LCP EchoReq id=0xc magic=0x56bae6fd]
(2) Pinging from the VPN to 192.168.1.9 works, but (3) the wget fails. In fact, doing an nslookup for a local site shows an external address instead of the local one:
nslookup lan.site.com
Server: 62.42.230.24
Address: 62.42.230.24#53
Non-authoritative answer:
*** Can't find lan.site.com: No answer
- Simon over 11 years: The same nslookup from the client works fine:
nslookup lan.site.com
Server: 192.168.1.3
Address: 192.168.1.3#53
Name: lan.site.com
Address: 192.168.1.9
I think we are close John. Thanks a lot for your help!
- John Siu over 11 years: (1) Just want to know for sure, is ping from the VPN client to 192.168.1.9 working now? (2) From the VPN client or VPN server, does "wget <http server ip>" work? If yes, we fixed the iptables problem and the only remaining problem is DNS, which is easy to fix.
- Simon over 11 years: (1) Ping from the client to 192.168.1.9 fails:
ping 192.168.1.9
PING 192.168.1.9 (192.168.1.9): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Ping from the client to 192.168.1.3 (router) works:
ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3): 56 data bytes
64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=218.310 ms
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=203.736 ms
(2) wget from the client fails too:
wget 192.168.1.9
--2012-12-12 23:27:48-- http://192.168.1.9/
Connecting to 192.168.1.9:80... failed: Host is down. Retrying.
- John Siu over 11 years: Have you checked /etc/ppp/options.xl2tpd "proxyarp" yet?
- Simon over 11 years: Yes, it has been there all this time; this is the file: pastebin.com/aDPcdhaK; and this is the ipsec.conf file: pastebin.com/p7tCejwE.
- John Siu over 11 years: With NO VPN client connected, on the http server, do "nmap -v -sP 192.168.1.0/24". I want to make sure none of the IPs in the VPN range is being used in your LAN. Also make sure your VPN IP range is not overlapping with your LAN DHCP range.
- Simon over 11 years: This is the result from nmap: pastebin.com/ZjZTfgk2. Our DHCP IP range is 201 to 254; this is the udhcp.conf file:
start 192.168.1.201
end 192.168.1.254
interface eth2
opt dns 192.168.1.3 62.42.230.24
option subnet 255.255.255.0
opt router 192.168.1.3
option domain example.org
option lease 864000
- John Siu over 11 years: I believe we have it this time. Please check the NAT section in my iptables.
- Simon over 11 years: Hi John, thanks a lot for your help, I've finally got it. I'm afraid to say that probably it wasn't totally related to the iptables, but to a LAN overlap problem between the networks. I was testing from a network with the same subnet as the remote network, so when I tried to ping or resolve a remote site, the client actually never exited its own local network. I discovered this in one of my last desperate tries, accessing the VPN through my phone and resolving the sites in the office correctly.
- John Siu over 11 years: LOL, that is the one question I forgot to ask. But you probably still want to use my iptables script instead of your original one; I am almost certain your original script will not work. I actually had to set up a testing VPN here to get the final one out.
- Simon over 11 years: Tomorrow I will move the office network to a distinct subnet, not 192.168..., and I think that will solve most of the problems for the common user. I want to thank you especially for all your help, because if we hadn't been trying all these days, I probably would have quit some time ago. So thanks a lot for your help John!!!
- John Siu over 11 years: No problem, I will probably put all this in my blog to remind myself of all the things to check next time.