Routing OpenVPN tunnel in via public interface and out via NAT'd interface (to internet)

You have a few steps you will need to do to get this working.

First, you have to set up routes in your config files to direct client traffic over the client adapter.

You can do this either by adding "route" lines to the client config file, or by adding

    pull    # accept routes pushed by the server (config-file form of --pull)

to the client config and then adding your routes to the server config:

    push "route 0.0.0.0 0.0.0.0 5.5.0.1"    # network netmask gateway, per tunnel interface
    push "route 0.0.0.0 0.0.0.0 5.5.8.1"

Secondly, you need to configure your iptables to allow incoming packets from the VPN network, and enable masquerade and NAT forwarding on the server side.

To enable packet forwarding and NAT:

  1. enable packet forwarding in the kernel

    echo 1 > /proc/sys/net/ipv4/ip_forward
    
  2. enable NAT in iptables

    sudo iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
    
  3. enable forwarding for vpn interfaces

    sudo iptables --append FORWARD --in-interface as0t0 -j ACCEPT
    sudo iptables --append FORWARD --in-interface as0t1 -j ACCEPT
    

This is the basic config for the routing side, feel free to comment if you need more detailed help.
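The steps above, worked through as an added shell example (this is not code from the answer, the question, or OpenVPN-AS). It takes its addresses from the question below (client pool 5.5.0.0/20 across as0t0 and as0t1, eth1 gateway 172.16.0.254, tunnel arriving on eth0); the table number 100, the DRY_RUN switch and the is_cidr helper are my own choices. The point the answer's iptables rules alone do not cover: MASQUERADE on eth1 only rewrites packets the kernel has already decided to send out eth1, and with the server's default route on eth0 it never makes that decision for client traffic. A policy rule keyed on the clients' source addresses is what moves them, and the question's `from 172.16.0.0/16 iif eth1` rule cannot match because client packets enter on as0t0/as0t1 with 5.5.x.x sources.

```shell
#!/bin/sh
# Added example, not part of the original answer or question.
# Route OpenVPN-AS client traffic out via eth1 (the US-side NAT router) while the
# tunnel itself keeps arriving on eth0, using a second routing table.
# Addresses are from the question; TABLE and DRY_RUN are assumptions of this example.

VPN_NET="${VPN_NET:-5.5.0.0/20}"      # covers as0t0 (5.5.0.0/21) and as0t1 (5.5.8.0/21)
EGRESS_IF="${EGRESS_IF:-eth1}"
EGRESS_GW="${EGRESS_GW:-172.16.0.254}"
TUNNEL_IF="${TUNNEL_IF:-eth0}"        # where UDP/1194 comes in; clients must not exit here
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands for review, 0 = run them (root)

# Run a command, or print it in dry-run mode, so the rule set can be reviewed first.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Crude a.b.c.d/n check: a typo here would end up in '-s' matches and 'ip rule from'
# and could silently widen which sources get NATed and re-routed.
is_cidr() {
    case "$1" in
        *[!0-9./]*|*/|/*|*.*.*.*.*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    net="${1%/*}"; bits="${1#*/}"
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $net; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

vpn_egress_apply() {
    is_cidr "$VPN_NET" || { echo "bad VPN_NET: $VPN_NET" >&2; return 1; }

    # 1. The kernel must forward between as0t* and eth1.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. A routing table whose only default route points at the eth1 gateway.
    #    'replace' keeps this step idempotent across re-runs.
    run ip route replace default via "$EGRESS_GW" dev "$EGRESS_IF" table "$TABLE"

    # 3. Select that table by the clients' SOURCE addresses (they enter on as0t0/as0t1,
    #    so an 'iif eth1' rule would never fire). The pref-99 rule keeps client<->client
    #    and client<->server traffic in the main table; without it, replies from 5.5.0.1
    #    to a client would also be sent towards the eth1 gateway.
    run ip rule add from "$VPN_NET" to "$VPN_NET" lookup main pref 99
    run ip rule add from "$VPN_NET" lookup "$TABLE" pref 100

    # 4. NAT only VPN sources, and only on eth1, so nothing else on the box is masqueraded.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$EGRESS_IF" -j MASQUERADE

    # 5. Forwarding: explicit drop of client traffic towards eth0 (a routing slip must
    #    not leak it via the non-US address), clients out via eth1, replies back in.
    run iptables -A FORWARD -s "$VPN_NET" -o "$TUNNEL_IF" -j DROP
    run iptables -A FORWARD -s "$VPN_NET" -o "$EGRESS_IF" -j ACCEPT
    run iptables -A FORWARD -d "$VPN_NET" -i "$EGRESS_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Ask the kernel which route a client packet would take; on the server this must
# answer 'via 172.16.0.254 dev eth1'. Client address and ingress interface are examples.
vpn_egress_check() {
    run ip route get 8.8.8.8 from "${1:-5.5.0.5}" iif "${2:-as0t0}"
}

vpn_egress_apply
vpn_egress_check
```

Run it once with the default DRY_RUN=1 and read the commands, then as root with DRY_RUN=0. The iptables lines use -A and are not idempotent, so flush or delete them before applying a second time, and check that no earlier rule in FORWARD or POSTROUTING shadows them. After applying, `ip route get 8.8.8.8 from 5.5.0.5 iif as0t0` is the one-line proof that the policy rule, not the eth0 default route, is winning.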

Author: zxdavb

Updated on September 18, 2022

Comments

  • zxdavb
    zxdavb almost 2 years

    I hope someone can help...

    I want to configure OpenVPN-AS (i.e. OpenVPN Access Server, NOT OpenVPN) to work on my VPS. The VPS is a KVM running Ubuntu 10.04 LTS, with a very vanilla configuration. OpenVPN-AS is likewise installed with only minimal 'flavour'.

    The server has two interfaces (both DHCP; eth1 does not have a default gateway configured, but there's one available):

    - eth0 (a public IP address that IS NOT geolocated in the US), and
    - eth1 (a private IP address that can NAT via a router that IS geolocated in the US)

    Most traffic, including the OpenVPN tunnel (UDP/1194), comes in via eth0, but the tunneled clients should go 'out' via eth1, to get the benefit of a US-based IP address. I think there are two separate issues:

    1) configuring IP so there's a gateway for tunneled clients to leave via the NAT router
    2) configuring OpenVPN-AS so the clients use that gateway for internet access

    The file /etc/network/interfaces is as follows:

    # The loopback network interface
    auto lo
    iface lo inet loopback
    
    # The primary network interface
    auto eth0
    iface eth0 inet dhcp
    
    # The internal (private) network interface
    auto eth1
    iface eth1 inet dhcp
      up   ip route add default via 172.16.0.254  dev eth1  table 100
      down ip route del default via 172.16.0.254  dev eth1  table 100
      up   ip rule  add        from 172.16.0.0/16 iif eth1 lookup 100
      down ip rule  del        from 172.16.0.0/16 iif eth1 lookup 100
      up   iptables -t nat -A POSTROUTING -s 5.5.0.0/20 -j SNAT --to-source 172.16.191.125
      down iptables -t nat -D POSTROUTING -s 5.5.0.0/20 -j SNAT --to-source 172.16.191.125
    

    The network is as follows:

    root@us-tunnel:~# ifconfig | grep -A 1 encap
    as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:5.5.0.1  P-t-P:5.5.0.1  Mask:255.255.248.0
    --
    as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:5.5.8.1  P-t-P:5.5.8.1  Mask:255.255.248.0
    --
    eth0      Link encap:Ethernet  HWaddr 00:16:3c:34:01:20
              inet addr:209.141.60.114  Bcast:209.141.60.255  Mask:255.255.255.0
    --
    eth1      Link encap:Ethernet  HWaddr 00:16:3c:55:84:81
              inet addr:172.16.191.125  Bcast:172.16.255.255  Mask:255.255.0.0
    --
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
    

    The route table is as follows:

    root@us-tunnel:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    209.141.60.0    *               255.255.255.0   U     0      0        0 eth0
    5.5.0.0         *               255.255.248.0   U     0      0        0 as0t0
    5.5.8.0         *               255.255.248.0   U     0      0        0 as0t1
    172.16.0.0      *               255.255.0.0     U     0      0        0 eth1
    default         209.141.60.1    0.0.0.0         UG    100    0        0 eth0
    
    • SmallClanger
      SmallClanger over 12 years
      A few questions: Why two tunnel adaptors, is this a quirk of AS? Why such odd P-t-P addresses, wouldn't another RFC1918 subnet be best, here? Have you considered the MASQUERADE target instead of SNAT? Finally, I assume all you're looking for is a default route out via eth1 for all traffic arriving on one of the tunnel interfaces?
    • SuperBOB
      SuperBOB over 12 years
      Inspect the route tables of the VPN clients themselves. Are you pushing the routes to them? (Presumably through OpenVPN-AS)