Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hopefully someone can help with the issue I'm having.
I have a Fedora server at home, which is connected to the internet and two OpenVPNs, one to my own Dedicated Server (centos, 10.10.0.1), and one to my office, no doubt centos too.
Home Server
eth0: internet
eth1: 192.168.0.1
tun0: 10.57.69.62 (work vpn)
tun1: 10.10.0.6 (my vpn)
Dedicated Server
eth0: internet
tun0: 10.10.0.1 (my vpn)
From any machines at home (on 192.168.0.0), I can access machines behind the work VPN since 192.168.0.1 is the default gateway, and the traffic goes right through with no issues.
However, I want to be able to access machines behind my work VPN by connecting to my own VPN (for when I'm away from home).
One 'work' network for example is on 10.64.0.0.
For example, on my Fedora laptop (10.10.0.30), I can't setup a route for 10.64.0.0 to use gw 10.10.0.6...
so instead I've tried routing traffic to my Dedicated Server via 10.10.0.29 (to P-t-P for my laptops VPN), which atleast works with the route command.
I can see the packets getting to my Dedicated Server (with tcpdump), but then once they reach there, I still can't route them back down my own VPN to the 10.10.0.6 client. The same issue as above crops up when trying to use a VPN client as the gateway.
Both servers (the Dedicated and my home one have ip_forward set.
This is really bugging me now, do I need some iptables rules set on the Dedicated Server since the route command won't accept a VPN client as the gateway?
You need to adjust firewall rules on the work side to allow packets from the foreign VPN networks.
Also, just try playing with your route command more. It's terrible in Linux. In windows it works no problem. I've lost hours trying to get the route command to work (and never did - same error as yours).
What you could do is enable masquerade (Natting) on the openvpn interface (tun1 -----NAT----> tun0). That would *work* (i.e. let you access basic web,email and CIFS stuff) but woudn't be proper routing as packets will apperar to come from your home server's IP. So there's no going back (which may be fine..).
ANOTHER idea, it to change your "my vpn" to an openVPN bridge (dev tap0). That would fix all your problems as it would apperar as if you were sitting at home (with a home 192.168.0.x) IP. That would work perfect (which is actually what I did to fix the issues)
Last edited by jonnytabpni; 04-16-2009 at 07:25 AM.
Thanks, I thought it'd be down to some NAT'ing required, but didn't seem to manage it.
Couldn't I just setup the same NAT'ing for any return traffic?
Also, by "return traffic" are we talking about replies from the end point, or new requests coming from my work network trying to reach my laptop - if so, i'm not bothered about that.
For the bridging stuff (new to me), which machine would need to be changed? just my dedicated server ovpn interface? or all the clients?
Also, by "return traffic" are we talking about replies from the end point, or new requests coming from my work network trying to reach my laptop - if so, i'm not bothered about that.
It would be new requests. Replies from the end point would be fine (Just think how a normal NAT router in a house works)
Quote:
For the bridging stuff (new to me), which machine would need to be changed? just my dedicated server ovpn interface? or all the clients?
Both the clients and the server on "MY VPN" would need their config files changed. It's fairly simple - just change from dev tun to dev tap. Change from "server" to "server-bridge". You will also need to set up bridging interfaces on teh server (If it is a linux server is really simple). Go to: http://openvpn.net/index.php/documen...-bridging.html for an excellent howto. I would strongly suggest you go down the bridging route rather than the routed/NAT. Provided you don't have any security implications regarding having remote clients directly on your LAN (The word "bridging" esentially means than any broadcast traffic is "copied" to the remote clients), this would be SO much simplier than firguring out the routed mode.
HTH
Cheers,
Jonny
Last edited by jonnytabpni; 04-16-2009 at 01:50 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.