Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
i have following situation. I have 2 servers with public IP and i created IPsec site-to-site VPN. On 2nd server i am running OpenVPN server. How can i force 1st server that packets destined for OpenVPN are forced into the ipsec tunnel? IPsec is configured in transport mode.
You are too misty in your explanations. Thus you will hardly get good advice. Bring more details on your network setup. The best way is the image, of course, but addresses and routes could be enough too.
I have 2 servers with a public IP. There is site-to-site VPN created between them (transport mode , openswan). Lets say 1st server is front end, 2nd server is back end. On 2nd server openvpn is installed. I want to use 1st server as indeterminate server for Openvpn meaning when i "dial" VPN on TCP port 443 on 1st server, request is routed trough the tunnel to actual VPN server where vpn connection will be established. VPN access on backend server will be denied for all traffic except the one coming from the IPsec tunnel.
Thanks for answer. But how i can force that traffic trough site-to-site tunnel? With DNAT (as far as i know and i am not linux guru) i can only tell to forward traffic to back end IP which in the end is not pushing that traffic trough the tunnel to the destination server and also i am dealing here with public IP addresses only, for DNAT i would have to use private addresses.
>for DNAT i would have to use private addresses.
Not really. DNAT (as well as SNAT) is just replacing ip packet destination address by certain rules. You can easily change one public address by another one.
Also, you said you have VPN tunnel already up between front-end and back-end. So you have private network between these servers (with private addresses).
Just DNAT traffic that comes to port 443 on front-end public address into port 443 of backend VPN address(not public). Of course there will be routing and NAT caveats, but for start it is good at least reach backend VPN server. Hope I understood your problem correctly.
The thing is i don't have private address on front end or back end server so when you actually create general DNAT rule traffic goes directly to the destination IP (public IP) without going trough the tunnel.
Yes, sorry. I'm not familiar with VPN in transport mode.
So you need something like mirroring.
1) Packet from client arrives to front-end port 443;
2) You perform DNAT in prerouting and change packet dst address from front-end's to back-end's;
3) Front-end makes routing decision;
4) Because now packet destination address is address of your back-end, packet has to be sent through VPN tunnel in this case;
5) On postrouting you have to change packet source address to front-end's address so back-end will not send response to client directly;
6) Packet is arriving to back-end, back-end sends response with destination address of front-end (through VPN again) and source address of back-end
7) Response packet arriving to front-end;
8) Connection tracker (conntrack) performs reverse translation of dst and src addresses for both DNAT and SNAT;
But this is the theory. I doubt if packets with modified external ip header (#5) will be considered as valid at #6 as well as in #4 true.
Well, the easiest way to check is to capture the traffic on backend server. I cannot say definitely how traffic passed through tunnel distinguish from traffic passed from other world, but I suspect there should be VPN trailers (ESP/AH?) in it.
I am pretty sure i can configure destination server to accept traffic on VPN ports only where source is ESP so when i block accessing those ports from Internet i still did not tell the traffic to use the tunnel instead.
Did you make sure that in the server that also runs the OpenVPN ip forwarding enabled (otherwise it will act as a router forward any packets)?
if not just type "sysctl -w net.ipv4.ip_forward=1" and it should do it.
I'm not sure you have to use iptables at al in this case, since implementations like openswan know how to route packets between two private subnets
It will help if you could provide your ipsec configuration file
I also have an example for how to configure openswan with l2tp (l2tp is different from OpenVPN but the server and IPSec configuration should be the same) here it is