On 25.07.23 09:54, Jason Long via Openvpn-users wrote:
> enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
>
> enp0s3:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 10.0.5.20  netmask 255.255.255.0  broadcast 10.0.5.255
... so you have several distinct subnets attached to the same physical interface ...
> I added these iptables rules:
>
> # IF_MAIN=enp0s3:0
> # IF_TUNNEL=tun2
> # YOUR_OPENVPN_SUBNET=10.10.0.0/16
> # iptables -I INPUT -p udp --dport 1196 -j ACCEPT
> # iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
> # iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
> # iptables -A FORWARD -i enp0s8 -o enp0s3:0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables -A FORWARD -i enp0s3:0 -o enp0s8 -j ACCEPT
> # iptables -A FORWARD -j LOG
> # iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
I don't see a FORWARD rule specifically permitting clients' traffic to the Internet (-i $IF_TUNNEL -o $IF_MAIN), but then again, we don't see the FORWARD chain's policy, either.
The rules seem to assume that Internet traffic *will* go out $IF_MAIN and not enp0s3. Please verify that (been a while since I had a similar setup, so I'm not sure whether you'd have to look at the server's routing table(s) or something else ...).
Is the server willing to do forwarding *at all* on the relevant interface(s) (e.g., 'echo 1 >/proc/sys/net/ipv4/conf/all/forwarding')?
> C:\>ping 8.8.8.8
>
> Pinging 8.8.8.8 with 32 bytes of data:
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 8.8.8.8:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
So, what does your "-j LOG" in the FORWARD chain have to say about the fate of the ECHO REQUEST packets? What is your reverse path filtering set to (/proc/sys/net/ipv4/conf/*/rp_filter), any hint in the syslogs that "martians" got discarded (before ever being treated by iptables)? Are you familiar enough with tcpdump or Wireshark to go hunt for what packets go where during the pinging?
... oh, I almost forgot: What does the client have to say about its routing table, once the VPN is up? Do the ECHO REQUESTs actually ever go through the VPN in the first place?
Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users