Author Topic: OpenVPN network bridge iptables command  (Read 4653 times)

eDRoaCH

OpenVPN network bridge iptables command
« on: May 20, 2008, 11:44:50 pm »
I have set up an OpenVPN road warrior for my laptop and connect just fine. However it does not seem to be bridging networks. I have the internal network added to the vpn config and even added the VPN one. I can ping the gateway on the vpn (192.168.6.1) but that's where it stops.

I found http://forum.eboxplatform.com/index.php?topic=244.0 which details Javi's sudo "iptables -t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE" However I would like a bit more info on it.

I take it the 10.10.2.0/24 is the vpn's network address. However I am not sure what he has eth1 set up as in this example.


Internal 192.168.7.0/24 Eth0
vpn 192.168.6.0/24
External DHCP Eth3

Is this needed for all implementations or only sometimes? If only sometimes, any idea why?

As a side benefit, any way to easily turn this tunnel into a full web proxy so I can get around the work firewall? Ideally I would want to turn it on and off on the client side at will (through proxy settings) for when I do not want it.

eDRoaCH

Re: OpenVPN network bridge iptables command
« Reply #1 on: May 21, 2008, 08:55:47 pm »
Been playing around trying to get it to work and searching the forum. I ended up adding:
sudo iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o eth0 -j MASQUERADE
but still no fix.

I do seem to be getting some routing errors here, near the bottom. I pasted the whole thing for completeness' sake.

Wed May 21 11:49:19 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed May 21 11:49:19 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed May 21 11:49:19 2008 LZO compression initialized
Wed May 21 11:49:19 2008 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed May 21 11:49:19 2008 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed May 21 11:49:19 2008 Local Options hash (VER=V4): '31fdf004'
Wed May 21 11:49:19 2008 Expected Remote Options hash (VER=V4): '3e6d1056'
Wed May 21 11:49:19 2008 Attempting to establish TCP connection with 70.187.138.227:1194
Wed May 21 11:49:19 2008 TCP connection established with 70.187.138.:):1194
Wed May 21 11:49:19 2008 TCPv4_CLIENT link local: [undef]
Wed May 21 11:49:19 2008 TCPv4_CLIENT link remote: 70.187.138.:):1194
Wed May 21 11:49:19 2008 TLS: Initial packet from 70.187.138. :):1194, sid=d68e6e33 07d0a5e1
Wed May 21 11:49:20 2008 VERIFY OK: depth=1, /C=ES/ST=Nation/L=Nowhere/O=edamamebeans/CN=Certification_Authority_Certificate
Wed May 21 11:49:20 2008 VERIFY X509NAME OK: /C=ES/ST=Nation/L=Nowhere/O=edamamebeans/CN=Etna2
Wed May 21 11:49:20 2008 VERIFY OK: depth=0, /C=ES/ST=Nation/L=Nowhere/O=edamamebeans/CN=Etna2
Wed May 21 11:49:21 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed May 21 11:49:21 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 21 11:49:21 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed May 21 11:49:21 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 21 11:49:21 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed May 21 11:49:21 2008 [Etna2] Peer Connection Initiated with 70.187.138.:):1194
Wed May 21 11:49:22 2008 SENT CONTROL [Etna2]: 'PUSH_REQUEST' (status=1)
Wed May 21 11:49:22 2008 PUSH: Received control message: 'PUSH_REPLY,route 192.168.6.0 255.255.255.0,route 192.168.7.0 255.255.255.0,route-gateway 192.168.6.1,ping 10,ping-restart 120,ifconfig 192.168.6.2 255.255.255.0'
Wed May 21 11:49:22 2008 OPTIONS IMPORT: timers and/or timeouts modified
Wed May 21 11:49:22 2008 OPTIONS IMPORT: --ifconfig/up options modified
Wed May 21 11:49:22 2008 OPTIONS IMPORT: route options modified
Wed May 21 11:49:22 2008 TAP-WIN32 device [OpenVPNTap] opened: \\.\Global\{C1EF1253-3883-4C26-B2FD-1E9FE7E732BE}.tap
Wed May 21 11:49:22 2008 TAP-Win32 Driver Version 8.4
Wed May 21 11:49:22 2008 TAP-Win32 MTU=1500
Wed May 21 11:49:22 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.6.2/255.255.255.0 on interface {C1EF1253-3883-4C26-B2FD-1E9FE7E732BE} [DHCP-serv: 192.168.6.0, lease-time: 31536000]
Wed May 21 11:49:22 2008 NOTE: FlushIpNetTable failed on interface [13] {C1EF1253-3883-4C26-B2FD-1E9FE7E732BE} (status=5) : Access is denied. 
Wed May 21 11:49:22 2008 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed May 21 11:49:22 2008 route ADD 192.168.6.0 MASK 255.255.255.0 192.168.6.1
Wed May 21 11:49:22 2008 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=13]
Wed May 21 11:49:22 2008 Route addition via IPAPI failed
Wed May 21 11:49:22 2008 route ADD 192.168.7.0 MASK 255.255.255.0 192.168.6.1
Wed May 21 11:49:22 2008 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=13]
Wed May 21 11:49:22 2008 Route addition via IPAPI failed
Wed May 21 11:49:22 2008 Initialization Sequence Completed

As you can see, my IP address is very happy :) Also I am running Vista here, so for extra testing I ran the OpenVPN GUI as administrator, same results.

Update:
Remoting into my home PC over logmein.com, I CAN ping 192.168.6.1 (vpn gateway) but not the laptop. This is a step beyond what the remote system can do, as the remote system cannot ping 192.168.7.1 (the home gateway).

Update2:
I notice that the properties of the adapter do not show any default gateway or DNS servers. Attempting to set them manually doesn't seem to have any effect.
Ethernet adapter OpenVPNTap:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V8
   Physical Address. . . . . . . . . : 00-FF-C1-EF-12-53
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::207b:d5b0:5cff:a3e9%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.6.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, May 21, 2008 12:34:58 PM
   Lease Expires . . . . . . . . . . : Thursday, May 21, 2009 12:35:01 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.6.0
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
« Last Edit: May 21, 2008, 09:39:12 pm by eDRoaCH »

eDRoaCH

Re: OpenVPN network bridge iptables command
« Reply #2 on: May 21, 2008, 10:09:44 pm »
SUCCESS!!!

I should have mentioned I was using Vista...
I found http://skriptd.wordpress.com/2007/07/12/openvpn-gui-on-windows-vista/

The skinny of it is only the latest development build of OpenVPN will be able to add routes on Vista.

Still no DNS (ideas??) and I am still interested how I could potentially make the vpn the default gateway on the client side. Sadly I can't find any good resources on all the options available in the OpenVPN client config file.

However I can ping and connect via IP, so I am glad I use reserved dhcp!

I would love to get the DNS and default route going, or at least a link to a good faq on the client config file. Hopefully this will prove useful to anyone with Vista clients in the future!
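Added example, not from the thread or from eBox: it models the layout given in the first post (192.168.7.0/24 on eth0, 192.168.6.0/24 for the VPN, external DHCP on eth3) to show why the `-o` interface in Javi's MASQUERADE rule is whichever link the destination sits behind, and emits the server-side push lines for the DNS and default-gateway questions from reply #2. The VPN interface name tun0 and the DNS server address 192.168.7.1 are assumptions; the script only generates the command and config lines, it does not apply them.

```python
"""Derive gateway-side NAT rules and OpenVPN server push lines for the
road-warrior layout in this thread. Added example, not from the thread or
eBox; tun0 as the VPN interface and 192.168.7.1 as DNS are assumptions."""
import ipaddress

# Layout from the thread (constructed table): interface -> attached network.
# None marks the external DHCP link that carries the default route.
LINKS = {
    "eth0": ipaddress.ip_network("192.168.7.0/24"),  # internal LAN
    "tun0": ipaddress.ip_network("192.168.6.0/24"),  # VPN subnet (name assumed)
    "eth3": None,                                    # external, DHCP
}
VPN_NET = LINKS["tun0"]
LAN_NET = LINKS["eth0"]


def egress_interface(dst):
    """Interface the gateway forwards to for dst: the longest-prefix attached
    network, else the external link. This is the name -o must carry."""
    addr = ipaddress.ip_address(dst)
    attached = [(net.prefixlen, name) for name, net in LINKS.items()
                if net is not None and addr in net]
    if attached:
        return max(attached)[1]
    return next(name for name, net in LINKS.items() if net is None)


def nat_rules(dst):
    """Rules for VPN clients to reach dst: forwarding limited to the one
    tun0 <-> egress pair (no blanket ACCEPT), then MASQUERADE on egress so
    hosts that have no route back to the VPN subnet still answer."""
    out_if = egress_interface(dst)
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -A FORWARD -i tun0 -o {out_if} -s {VPN_NET} -j ACCEPT",
        f"iptables -A FORWARD -i {out_if} -o tun0 -d {VPN_NET} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -s {VPN_NET} -o {out_if} -j MASQUERADE",
    ]


def server_push_lines(dns, full_tunnel=False):
    """server.conf push lines: LAN route plus DNS; redirect-gateway makes the
    tunnel the client's default route (then nat_rules for eth3 is needed too)."""
    lines = [f'push "route {LAN_NET.network_address} {LAN_NET.netmask}"',
             f'push "dhcp-option DNS {dns}"']
    if full_tunnel:
        lines.append('push "redirect-gateway def1"')
    return lines
```

Calling `nat_rules("203.0.113.5")` picks eth3, which is the extra rule a full-tunnel setup needs on top of the eth0 one.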