OpenVPN Server routing between multiple interfaces
eth0 (VPN Server):
172.31.4.115 (route for client1)
172.31.10.54 (route for client2)
172.31.14.166 (route for client3)
eth1 (VPN Server):
172.31.15.5 (route for client4)
172.31.7.18 (route for client5)
...
I am using IP tables and SNAT to forward the traffic based on source IP (client) to the specific IP in the OpenVPN server.
This works without any problems for client1, client2, client3, where the destination interface is eth0.
For client4, client5, where the destination interface is eth1, I am unable to route the traffic or even ping the IP.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.0.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 172.31.0.1 0.0.0.0 UG 10001 0 0 eth1
0.0.0.0 172.31.0.1 0.0.0.0 UG 10002 0 0 eth2
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
169.254.169.254 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth1
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth2
From client4 and client5 I can ping 172.31.4.115, 172.31.14.177, 172.31.10.54, but I am not able to ping 172.31.15.5, which is on eth1...
What am I missing? I tried for 3 days now and cannot get it working. I would like to avoid setting up bridging...
I think it has something to do with the routes. Any advice?
UPDATE:
I did some more research and enabled logging for iptables. For pings to IPs belonging to eth0 I get the logs
Sorry if I'm on the wrong track here. I use OpenVPN extensively in a production network I manage (connecting to remote sites) but NAT is not employed as part of that solution.
Thanks for your reply. As far as I understand, the push routes will only be sent to the client to update its routing table.
Since I was doing a ping 172.31.15.5 -I tun0 directly to the VPN, I think I do not need that route (at least for testing).
I am a step further now, previously I was not getting iptable logging for 172.31.15.5 on eth1. It turned out, that this was an issue with RHEL (Amazon Linux): https://access.redhat.com/solutions/53031
After setting net.ipv4.conf.all.rp_filter to 2 I was able to see the logging in iptables. But still I was not able to ping it. I think now I am missing some iptables forwarding rules to receive the packets that I have sent to that eth1 interface.
I might be missing something, but what does this even have to do with the vpn service if the clients and the vpn server are on the same network?
This seems to be solely a routing problem, nothing to do with vpn, does it?
Sorry, if my answer was not that clear. 10.0.0.x are the IPs of the VPN tunnel.
The VPN server itself has multiple network interfaces with multiple IPs each:
So routing between the VPN clients and to all IPs on eth0 works; it's just the second network interface eth1 that is not reachable from anywhere (except from the server itself).
For a specific reason each client needs to have a separate public IP address. On the other hand there is a limitation in AWS cloud of having 3 IP addresses for each network interface, therefore I needed to add an additional network interface.
You're trying to achieve interconnectivity between the clients only, if I understand this correctly, right? If that's the case, may I ask why you're using NAT at all? Why not simply forwarding?
I have interconnectivity between the VPN clients. Each client within 10.8.0.x can reach each other. But that's just due to the fact that I enabled IPv4 forwarding with "echo 1 > /proc/sys/net/ipv4/ip_forward". I would even restrict this with iptables deny rules because this is not needed at all. But since I am still trying to solve my main problem I did not apply any deny rules so far.
I think the image attached to my original post is still the best way to understand what should be achieved.
client1 VPN IP 10.8.0.2 should connect through the server's private IP 172.31.4.115 to the internet
client2 VPN IP 10.8.0.3 should connect through the server's private IP 172.31.10.54 to the internet
client3 VPN IP 10.8.0.4 should connect through the server's private IP 172.31.14.166 to the internet
This works as expected, but all clients that should use a server private IP located on the second network interface (eth1) will fail:
client4 VPN IP 10.8.0.5 should connect through the server's private IP 172.31.15.5 to the internet
...
I am not 100% sure, but I think besides the IPv4 forwarding, in order to route the internet traffic through the server's private IP I still need some kind of SNAT, DNAT or MASQUERADE. And to be clear, this solution works for client1, 2, 3 but not for 4, 5....
I'm not ill-meant, but I have to say - this is actually the first time you've actually stated what you're trying to achieve.
This "I am using IP tables and SNAT to forward the traffic based on source IP (client) to the specific IP in the OpenVPN server." is misleading.
So you simply want to have internet access for the clients. Indeed, then you need SNAT (to specify the exact ip you want to use as a source ip when reaching the internet) or MASQUERADE (the os computes automatically what ip it should use, which is usually the default one).
You normally use DNAT when you want to access network resources directly from outside. So I'm not sure what you're trying to achieve by that there. Maybe you can explain your intention?
This means anyone who tries to connect to ip destination 172.31.4.115 and port 22 will be redirected to ip 10.8.0.2 and port 22.
So that basically translates into: if you want to connect to the ssh port on the openvpn server (on the ip 172.31.4.115) you're going to be redirected to client1's ip and ssh port. That doesn't seem to make much sense to me at first glance.
One more thing, what's this ip "172.31.14.177"? You haven't mentioned it anywhere.
Yes you are absolutely right with all your assumptions
Quote:
This means anyone who tries to connect to ip destination 172.31.4.115 and port 22 will be redirected to ip 10.8.0.2.
So that basically translates into: if you want to connect to the ssh port on the openvpn server (on the ip 172.31.4.115) you're going to be redirected to client1's ip and ssh port. That doesn't seem to make much sense to me at first glance.
Yes, that's correct, and the same applies for port 80 and 44158. To be clear, I know that exposing port 22 to the public is not a good idea, but there is a firewall (in front of the server) restricting access to port 22 only to specific IPs.
Quote:
One more thing, what's this ip "172.31.14.177"? You haven't mentioned it anywhere.
Well spotted, this was just a typo from me. 172.31.14.177 is the correct one (mentioned as 172.31.14.166 in my previous post).
Ok, I see. I still don't really understand where the problem lies. Maybe you can create a logging rule for client4's ip (you haven't shown the snat rule corresponding to client5's traffic, but I'm guessing it's the same) before you do the actual SNAT.
(you have to choose the correct rule number. You can see that exactly with iptables -t nat -vnL POSTROUTING --line-numbers, but you probably already know that)
I see the gateway is 172.31.0.1.
Which IP on the server belongs to the same subnet as the gateway?
(ip route show and ip address show are more legible)
later edit: only later did I see the output of 'ip address show'.
What I also find weird is that all the IPs you assigned on various interfaces belong to the same subnet. You normally have different interfaces belonging to different subnets. I think this might screw up your routing, but I still don't understand exactly how.
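As an added example (not from the thread or any poster), a Python check over the `route -n` output posted above: it flags the two things the last reply points at, several default routes through one gateway and one connected subnet carried by more than one interface, and shows which interface a plain longest-prefix lookup on this table picks for an address such as 172.31.15.5.

```python
# Added example: sanity checks over `route -n` output for a multi-homed host.
# Flags several default routes via one gateway and one subnet on several interfaces.
import ipaddress
from collections import defaultdict

# Constructed from the routing table posted in the thread.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.0.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 172.31.0.1 0.0.0.0 UG 10001 0 0 eth1
0.0.0.0 172.31.0.1 0.0.0.0 UG 10002 0 0 eth2
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
169.254.169.254 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth1
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth2
"""

def parse_routes(text):
    """Return (network, gateway, metric, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # skip title and header lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes

def default_route_ifaces(routes):
    """Interfaces with a 0.0.0.0/0 route, lowest metric first."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    return [r[3] for r in sorted(defaults, key=lambda r: r[2])]

def shared_connected_subnets(routes):
    """Connected (gateway-less) subnets that appear on more than one interface."""
    by_net = defaultdict(list)
    for net, gw, _metric, iface in routes:
        if gw == "0.0.0.0" and net.prefixlen < 32:
            by_net[str(net)].append(iface)
    return {n: ifs for n, ifs in by_net.items() if len(ifs) > 1}

def egress_iface(routes, dst):
    """Longest prefix, then lowest metric, then table order decides the interface."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return sorted(candidates, key=lambda r: (-r[0].prefixlen, r[2]))[0][3]
```

With the table as posted, every 172.31.0.0/20 address resolves to eth0 because the three connected routes tie and eth0 is listed first, so replies for eth1's address take a different path than the interface that owns it.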