LinuxQuestions.org
Old 04-30-2012, 01:40 PM   #1
johnboy00
LQ Newbie
 
Registered: Apr 2012
Location: Raleigh, NC USA
Posts: 5

Rep: Reputation: Disabled
Trouble with a vpn gateway (vpnc)


I have a little ALIX box at home running voyagelinux that uses vpnc to establish a vpn connection to my employer's network. I use this as a vpn gateway, if you will, for an IP phone to connect to a phone server at work. It looks something like this:

employer
   |
internet
   |
cable modem
   |
router (pfsense)
(192.168.1.1)
   |
(192.168.1.99)
vpn gateway
(192.168.0.1)
   |
(192.168.0.2)
ip phone (nortel)

The IP phone is the only device behind the vpn gateway. I want everything coming in on the vpn tunnel to be forwarded to the phone, and everything coming from the phone routed through the tunnel, so I have vpnc run the following script when the vpn connection is established:

Code:
#!/bin/sh
# Run by vpnc once the tunnel is up; vpnc exports IFNAME (the tunnel device)

PHONE="192.168.0.2"

echo 1 > /proc/sys/net/ipv4/ip_forward

# vpnc makes the necessary routing change, so no need to do it here

# Start from a clean ruleset
/sbin/iptables --flush
/sbin/iptables --table nat --flush

/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

# IFNAME is the vpn tunnel device (usually tun0)
# Everything leaving via the tunnel gets the tunnel's address as its source
/sbin/iptables --table nat --append POSTROUTING \
   --out-interface "${IFNAME}" --jump MASQUERADE

# Everything arriving over the tunnel is sent to the phone
/sbin/iptables --table nat \
  --insert PREROUTING \
  --in-interface "${IFNAME}" \
  --jump DNAT \
  --to-destination "${PHONE}"
This setup works most of the time, but occasionally I'll lose audio from the other end of the call. They can still hear me, however, which leads me to believe that I'm doing something wrong or missed something above. I want the phone to function as if it's directly on my employer's network, with as little nat as possible. How do I do that the right way?
 
Old 04-30-2012, 04:16 PM   #2
johnboy00
LQ Newbie
 
Registered: Apr 2012
Location: Raleigh, NC USA
Posts: 5

Original Poster
Rep: Reputation: Disabled
I suppose I can simplify my question(s) this way:

If I have a tunnel tun0, what's the simplest/best way to have all traffic coming in over tun0 forwarded to $IP and all traffic from $IP routed to tun0?

Thanks...
 
Old 05-01-2012, 09:33 AM   #3
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,681
Blog Entries: 31

Rep: Reputation: 176
Are you trying to "route" all packets to another router? Or trying to forward specific connections to specific ports? If all you want to do is reach a specific server, forwarding connections to its port is all you need to do. Or do you also want this so you can access the internet as coming from the employer network?
 
Old 05-01-2012, 06:10 PM   #4
johnboy00
LQ Newbie
 
Registered: Apr 2012
Location: Raleigh, NC USA
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thanks for the reply. I want the phone to behave as if it's directly on my employer's network, or as close to that as I can get. My vpn gateway establishes the connection to my employer, creating tun0. I then want all data coming in on tun0 to go to the phone, and all data going out from the phone to go to tun0. The phone is the only device behind my vpn gateway.

This is what I've settled on thus far, and it works for the most part:

Code:
iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination ${PHONE}
iptables -t nat -A POSTROUTING -o tun0 -s ${PHONE} -j MASQUERADE
The default rules on INPUT, OUTPUT, and FORWARD are ACCEPT (this gateway is not directly exposed to the internet). Does this look about right? Should I be using SNAT instead of MASQUERADE? If I did use SNAT, would I use the IP address assigned to tun0, or some other IP address?

Last edited by johnboy00; 05-01-2012 at 06:40 PM.
 
Old 05-01-2012, 08:37 PM   #5
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,681
Blog Entries: 31

Rep: Reputation: 176
I'm going to have to back out of this because I don't know enough about the protocol involved to understand what it is doing. But it may just be a stalled tunnel.
 
Old 05-02-2012, 12:08 AM   #6
johnboy00
LQ Newbie
 
Registered: Apr 2012
Location: Raleigh, NC USA
Posts: 5

Original Poster
Rep: Reputation: Disabled
Can a tunnel stall in just one direction? Anyway, I'm now using SNAT to the tunnel IP address on the POSTROUTING rule, instead of MASQUERADE. It's been working fine for the past 5 hours, but I won't know for a day or three if it's a long-term fix.
 
Old 05-14-2012, 03:52 PM   #7
johnboy00
LQ Newbie
 
Registered: Apr 2012
Location: Raleigh, NC USA
Posts: 5

Original Poster
Rep: Reputation: Disabled
So that others attempting to do the same may benefit, here's what I ended up with. It works very well, and if while on a call the connection is dropped and then restored (I have a watchdog script check every few seconds), the call automagically resumes.

Code:
#!/bin/sh
# ip-up: run by vpnc when the tunnel comes up; vpnc exports IFNAME (the tunnel device)

PHONEIP=192.168.0.2
# Address assigned to the tunnel device, used as the fixed SNAT source below
TUNIP=$(ip -4 -o addr show "${IFNAME}" | awk '{ print $4 }' | cut -d/ -f1)

echo 1 > /proc/sys/net/ipv4/ip_forward

# Start from a clean ruleset
/sbin/iptables --flush
/sbin/iptables --table nat --flush

/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

# Everything arriving over the tunnel goes to the phone ...
/sbin/iptables -t nat -A PREROUTING -i "${IFNAME}" -j DNAT --to-destination "${PHONEIP}"
# ... and everything from the phone leaves the tunnel with the tunnel's own address
/sbin/iptables -t nat -A POSTROUTING -o "${IFNAME}" -s "${PHONEIP}" -j SNAT --to "${TUNIP}"
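
As an added example (not the thread's own script and not part of vpnc), here is a tighter version of the ip-up hook above that keeps the DNAT-to-phone and fixed-source SNAT from posts #4 and #7 but drops the ACCEPT-all FORWARD policy, allowing only phone-to-tunnel and tunnel-to-phone traffic. It assumes the phone-side interface is named eth1 (LANIF) and prints the rules instead of applying them unless invoked with "apply", so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not the thread's script: least-privilege vpnc ip-up hook
# for a single phone behind the tunnel. vpnc exports IFNAME (tunnel device)
# to the hook; the other names below are assumptions for this example.

PHONEIP="${PHONEIP:-192.168.0.2}"   # the phone, as in the thread
LANIF="${LANIF:-eth1}"              # assumed name of the phone-side NIC
IPT="${IPT:-/sbin/iptables}"

# Extract the IPv4 address from `ip -4 -o addr show <dev>` output on stdin
# (kept separate so it can be checked offline against constructed output).
tun_ip_from_ip_output() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

tun_ip() {
    ip -4 -o addr show "$1" | tun_ip_from_ip_output
}

# Print the full ruleset for a tunnel device and its address.
# FORWARD defaults to DROP; only the phone<->tunnel pair is permitted.
rules() {
    ifname="$1"; tunip="$2"
    cat <<EOF
$IPT --flush
$IPT --table nat --flush
$IPT --delete-chain
$IPT --table nat --delete-chain
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -A FORWARD -i $ifname -o $LANIF -d $PHONEIP -j ACCEPT
$IPT -A FORWARD -i $LANIF -o $ifname -s $PHONEIP -j ACCEPT
$IPT -t nat -A PREROUTING -i $ifname -j DNAT --to-destination $PHONEIP
$IPT -t nat -A POSTROUTING -o $ifname -s $PHONEIP -j SNAT --to-source $tunip
EOF
}

# Apply only when run as "ip-up apply" with IFNAME set by vpnc;
# otherwise just print the rules for review.
if [ -n "${IFNAME:-}" ]; then
    if [ "${1:-}" = "apply" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        rules "$IFNAME" "$(tun_ip "$IFNAME")" | sh -e
    else
        rules "$IFNAME" "$(tun_ip "$IFNAME")"
    fi
fi
```

Because SNAT uses a fixed source address rather than MASQUERADE, existing connection-tracking entries survive a brief tunnel bounce, which is what lets a call resume as described above.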