Author Topic: OpenVPN Bridge  (Read 4806 times)

Squeaner

  • Guest
OpenVPN Bridge
« on: November 29, 2009, 06:38:16 am »
Is it possible to create a bridge when the OpenVPN client from a Windows machine connects to Ebox?

Eth0: (Public)
  IP: 207.75.#.#
  Subnet: 255.255.255.0
Eth1: (Private)
  IP: 172.14.0.3
  Subnet: 255.255.0.0

VPN Network:
  Network: 172.14.30.0
  Subnet: 255.255.255.0

VPN Advertised Network:
  172.14.0.0/16

Here's what I would like to do:

I want to be able to connect with the OpenVPN client, and be able to access any machine on the Private and Public network with the one connection.

If that is not possible, I am willing to setup two VPN connections, one for public and one for private.

Both the Private Network and the Public Network are on the same VLAN with no routers between.

I have found from a previous post to use:
"sudo iptables -t nat -I POSTROUTING -s 172.14.30.0/24 -o eth1 -j MASQUERADE"

http://forum.ebox-platform.com/index.php?topic=189.0
and
http://forum.eboxplatform.com/index.php?topic=244.0

Using that above command allows ICMP and/or Ping packets to work, but I still cannot access the web server at "172.14.0.1" on port 80 or RDP at "172.14.0.4" on port 3389.

Any help is appreciated.

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
Re: OpenVPN Bridge
« Reply #1 on: November 30, 2009, 05:52:16 pm »
Have you tried to advertise both networks in the server?

Squeaner

  • Guest
Re: OpenVPN Bridge
« Reply #2 on: December 01, 2009, 11:43:38 pm »
I've added several IPs on the Public network into the VPN as Advertised Networks and those all work as expected. I can connect to them over any port without restriction by the VPN.

The issue now is that I can't connect to 172.14.0.1:80 or 172.14.0.3:80 or any other device over port 80.  Another device I have 172.14.0.4:3389 which works just fine.

1. Any suggestions towards a fix for this?
2. Is it better to run the VPN using TCP or UDP?

Thanks for your help...

Squeaner

  • Guest
Re: OpenVPN Bridge
« Reply #3 on: December 04, 2009, 05:59:16 am »
OK, I finally got things working after some thorough testing.

I thought port 80 was still open on 172.14.0.1, but it has been officially closed.

After I figured that part out, then I had to troubleshoot why Port 80 on 172.14.0.3, being the Internal Address of Ebox, was not allowing communication to the outside world via the VPN. I then figured out the Firewall was dropping its packets. So I added a rule for External to Ebox for HTTP traffic from "172.16.30.0/24". This cured the problem of not having access to Port 80 over the VPN.

Here's the latest details on my setup.

Eth0: (Public)
  IP: 207.75.#.#
  Subnet: 255.255.255.0
Eth1: (Private)
  IP: 172.14.0.3
  Subnet: 255.255.0.0

VPN Network:
  Network: 172.16.30.0
  Subnet: 255.255.255.0

VPN Advertised Network:
  172.14.0.0/16
  ... (Public IPs hidden for confidential reasons)

Note: Do not advertise the VPN network or the network your Ebox Public IP Address is assigned to.

Server Setup:
TCP 1194


-------------------------------------------------------------------------------
Firewall:

Filtering rules from internal networks to eBox:
  Allow Any http
  Allow Any dhcp
  Allow Any ssh
  Allow Any administration

Filtering rules for internal networks
  Allow Any Any Any

Filtering rules for traffic coming out from eBox
  Allow Any Any

Filtering rules from external networks to eBox
  Allow 172.16.30/24 http
  Allow Any VPN
  ... (Additional rules confidential)

Filtering rules from external networks to internal networks
  Allow Any Any Any
-------------------------------------------------------------------------------

After any change to the Firewall I run:
  sudo iptables -t nat -I POSTROUTING -s 172.16.30.0/24 -o eth1 -j MASQUERADE

I would like it to be applied to the "Iptables.mas" file, but I've tried:
  "pf '-t nat -I POSTROUTING -s 172.16.30.0/24 -o eth1 -j MASQUERADE';"

I've had no success thus far with the statement above.

BTW: My setup is not an OpenVPN Bridge, it is actually OpenVPN Routing.

That is the last piece to my puzzle and then I'm good to go.

Thanks for everyone's previous posts and help towards this situation.
« Last Edit: December 04, 2009, 06:01:03 am by Squeaner »

sixstone

  • Zentyal Staff
  • Zen Hero
Re: OpenVPN Bridge
« Reply #4 on: December 05, 2009, 02:43:53 am »
Hello Squeaner,


After any change to the Firewall I run:
  sudo iptables -t nat -I POSTROUTING -s 172.16.30.0/24 -o eth1 -j MASQUERADE

You may use the firewall hook in /etc/ebox/hooks/firewall.postservice to add this rule after the firewall module is restarted.

Thanks for such a detailed configuration explanation.

Cheers,
My secret is my silence...
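Here is an added example of what such a hook could look like (my example, not the project's own hook or Squeaner's file). It assumes the hook path sixstone named and the VPN network and interface from the thread, and it inserts the MASQUERADE rule only when iptables-save does not already show it, so repeated firewall restarts do not stack duplicate rules.

```shell
#!/bin/sh
# Example /etc/ebox/hooks/firewall.postservice (hook path as named in the reply
# above; the eBox hook mechanism is assumed to run this script after the
# firewall module restarts and rewrites its iptables rules).
# Re-adds the OpenVPN client MASQUERADE rule from the thread, but only once:
# without the check, every restart would insert another identical rule.

VPN_NET="172.16.30.0/24"   # OpenVPN client network from the thread
LAN_IF="eth1"              # private interface the VPN clients are NATed out of

# The rule exactly as iptables-save prints it for the nat table.
MASQ_RULE="-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"

# Reads an iptables-save dump on stdin; returns 0 if the rule is already there.
# Taking the dump as input keeps the check testable without root or iptables.
masq_rule_present() {
    grep -qxF -- "$MASQ_RULE"
}

# Inserts the rule at the top of nat/POSTROUTING unless it is already present.
ensure_masq_rule() {
    if iptables-save -t nat 2>/dev/null | masq_rule_present; then
        logger -t firewall.postservice "MASQUERADE rule for $VPN_NET via $LAN_IF already present"
        return 0
    fi
    iptables -t nat -I POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE &&
        logger -t firewall.postservice "Inserted MASQUERADE rule for $VPN_NET via $LAN_IF"
}

# Only act when executed as the installed hook; sourcing the file elsewhere
# just defines the functions above.
case "$0" in
    */firewall.postservice) ensure_masq_rule ;;
esac
```

Remember to make the hook executable (chmod +x) so the firewall module can run it.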

Squeaner

  • Guest
Re: OpenVPN Bridge
« Reply #5 on: December 05, 2009, 04:19:13 am »
I finally have the VPN up and running completely :)

Thanks so much.

kockopes

  • Zen Apprentice
Re: OpenVPN Bridge
« Reply #6 on: May 05, 2014, 02:37:16 pm »
I need to set up Zentyal OpenVPN as a bridge; Advertised networks isn't an optimal solution.
We need to use the main DHCP server and just bridge the VPN clients (Mac VPN clients to the LAN Mac server)...

Another reason is that Windows users have no rights to add a route via the OpenVPN client :/