TyIzaeL
October 15th, 2012, 01:21 PM
I've been working on setting up an OpenVPN server to do some testing. What I'm trying to do is set up a routed VPN between my LAN (172.28.0.0/16)The problem I'm having is the server isn't routing traffic between the interfaces. For example, if I ping the server's eth0 interface from tun0 (ping -I tun0 172.28.4.16), I don't get any responses. Here is a network diagram:
http://i.imgur.com/l8Uj3.png
I'm using UFW as my firewall. I've edited /etc/ufw/sysctl.conf as such to allow IP forwarding.
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0
I've also edited /etc/default/ufw to allow IP forwarding.
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
eth0 is configured to be promiscuous.
root@VPN:~# ip a sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:15:5d:02:18:14 brd ff:ff:ff:ff:ff:ff
inet 172.28.4.16/16 brd 172.28.255.255 scope global eth0
inet6 fe80::215:5dff:fe02:1814/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 172.29.0.1 peer 172.29.0.2/32 scope global tun0
Here are my current UFW rules.
root@VPN:~# ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW 172.28.0.0/16
OpenVPN ALLOW Anywhere
OpenSSH ALLOW 172.29.0.0/22
In /etc/ufw/before.rules I have configured NAT.
#Custom NAT rules start here.
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.29.0.0/22 -o eth0 -j MASQUERADE
COMMIT
#Custom NAT rules end here.
#Beyond this point is nothing but default UFW config.
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
COMMIT
Is there some step I am missing? What am I doing wrong here?
http://i.imgur.com/l8Uj3.png
I'm using UFW as my firewall. I've edited /etc/ufw/sysctl.conf as such to allow IP forwarding.
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0
I've also edited /etc/default/ufw to allow IP forwarding.
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
eth0 is configured to be promiscuous.
root@VPN:~# ip a sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:15:5d:02:18:14 brd ff:ff:ff:ff:ff:ff
inet 172.28.4.16/16 brd 172.28.255.255 scope global eth0
inet6 fe80::215:5dff:fe02:1814/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 172.29.0.1 peer 172.29.0.2/32 scope global tun0
Here are my current UFW rules.
root@VPN:~# ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW 172.28.0.0/16
OpenVPN ALLOW Anywhere
OpenSSH ALLOW 172.29.0.0/22
In /etc/ufw/before.rules I have configured NAT.
#Custom NAT rules start here.
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.29.0.0/22 -o eth0 -j MASQUERADE
COMMIT
#Custom NAT rules end here.
#Beyond this point is nothing but default UFW config.
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
COMMIT
Is there some step I am missing? What am I doing wrong here?