Score:0

OpenVPN and IPTABLES - How to assign lan (vpn) gateway to clients


I am trying to set up my openvpn network but I have a problem.

My LAN configuration is as follows:

  • main router Zyxel 192.168.1.1 acting as gateway (vdsl connection) and access point;
  • openwrt router TD-W8970 192.168.1.2 acting as access point and vpn server (10.212.79.1)

What I want to do is to create a VPN network with clients that must send internet requests only through my LAN gateway (192.168.1.1); in other words, I want the clients' public IP shown on the internet to be the one of my LAN gateway (192.168.1.1) and not the one assigned to them by their ISP.

Here below is my openvpn configuration.

server.conf

user nobody
group nogroup
dev tun
port 1194
proto udp
server 10.212.79.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
verb 3
push "persist-tun"
push "persist-key"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/server.crt
key /etc/easy-rsa/pki/private/server.key
dh /etc/easy-rsa/pki/dh.pem
tls-auth /etc/easy-rsa/pki/ta.key 0

client.conf

dev tun
proto udp
remote myserver_xyz.com 1194 udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

The openvpn network is established correctly and the client 10.212.79.2 is able to ping the vpn server 10.212.79.1 and navigate the Internet.

The problem is that the public client IP shown on Internet is the one assigned by its ISP and not the one of the LAN gateway (192.168.1.1) where the vpn server (192.168.1.2 / 10.212.79.1) is located.

I tried to perform some changes in server configuration but with no success.

I also tried to put push "redirect-gateway def1" or push "redirect-gateway autolocal", but in these cases the client stopped navigating the internet at all.

If it is not an openvpn issue, is it an issue related to the correct configuration of IPTABLES?

Can you please help me?

Thanks in advance :)

Score:0

If I have understood your needs, the IP packets of your client should be sent to the client router, then through Internet in a tunnel, to the server router, then back to the Internet.

redirect-gateway def1 seems adequate, but to be sure, it would be better to show us the route ip output on all nodes (client PC, client router, server router). These outputs would make us sure the different route tables are correct. https://openvpn.net/community-resources/how-to/ proposes a local flag depending on your exact configuration.

A masquerading command should be put on the VPN server, typically on the server router: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE where eth0 is the external device (the closest to the Internet). See https://linuxhacks.org/what-is-ip-masquerade-and-how-to-rule-it-with-iptables/ or https://bobcares.com/blog/iptables-nat-masquerade/ You also have to enable forwarding (see these articles).

Francesco
First of all thank you for the support. I solved it in this way. In openvpn server.conf: push "redirect-gateway def1". In the OpenWRT router hosting the openvpn server: sysctl net.ipv4.ip_forward=1, iptables -I FORWARD -j ACCEPT, iptables -t nat -I POSTROUTING -s 10.212.79.0/24 -o br-lan -j MASQUERADE. I also deleted from server.conf: push "dhcp-option DNS 8.8.8.8", push "dhcp-option DNS 8.8.4.4", push "route 192.168.1.0 255.255.255.0". Now I am wondering if I can achieve the same result without using iptables but only using a specific openvpn configuration on server and client.
Frédéric Loyer
If your configuration has 2 networks with the same prefix (192.168.1.0/24), I guess the masquerading is mandatory. This avoids a packet from one of these networks arriving on the second unchanged, which would cause routing issues (the destination network believes the packet is from a neighbour and not from the other side of the VPN). I can't insist more. Then keep the masquerading, or change one of the 192.168.1.0 networks to, let's say, 192.168.2.0.
Francesco
I have no control over the client network configuration because the client connects to my vpn from a public network (hotel, LTE dongle, ...). What I can do to avoid routing problems is to change the IP configuration in the server lan, avoiding the common 192.168.x.x and preferring something in the middle of 10.x.x.x, lowering the possibility of IP conflicts with the client network. In this case (server lan and client lan with different IP configuration), is it possible to achieve the same result without using iptables but only setting server.conf and client.conf properly?
Frédéric Loyer
With a single client this would work. With two clients which have the same 192.168.1.0 address range, masquerading is needed. Note that there is the 192.168.1.0 route announcement which should appear somewhere. And you still need a masquerading between all your private addresses and Internet, but I suppose it is done elsewhere.
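As an added example that is not part of the thread: a small POSIX sh script that prints the router-side commands behind the fix Francesco reports (forwarding plus MASQUERADE of the VPN subnet out of br-lan) and audits an iptables-save dump to confirm the MASQUERADE rule is actually present. It assumes the values from the question (VPN subnet 10.212.79.0/24, LAN bridge br-lan, tunnel device tun0); the narrower FORWARD rules are my tightening of the thread's "iptables -I FORWARD -j ACCEPT", not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (from the question):
VPN_NET="${VPN_NET:-10.212.79.0/24}"   # OpenVPN "server" subnet
LAN_IF="${LAN_IF:-br-lan}"             # OpenWrt LAN bridge towards 192.168.1.1
TUN_IF="${TUN_IF:-tun0}"               # OpenVPN tunnel device

# Print the commands to run on the OpenWrt router; nothing is executed here.
# FORWARD is limited to tun<->LAN traffic and its replies instead of
# accepting everything, as in the thread.
nat_commands() {
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -I FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_NET -j ACCEPT" \
        "iptables -I FORWARD -i $LAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -t nat -I POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
}

# Audit helper: read an iptables-save dump on stdin and succeed only if the
# MASQUERADE rule for VPN_NET via LAN_IF is present (fixed-string match).
has_masquerade() {
    grep -qF -- "-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
}

# $1 = dump text; prints "ok" when the rule exists, "missing" otherwise.
audit_dump() {
    if printf '%s\n' "$1" | has_masquerade; then echo ok; else echo missing; fi
}

# $1 = path of an ip_forward sysctl file; succeeds when it contains 1.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Constructed iptables-save excerpt matching Francesco's final configuration.
GOOD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.212.79.0/24 -o br-lan -j MASQUERADE
COMMIT'
# Constructed excerpt without the rule: the situation in the question, where
# clients leave with their ISP address instead of the LAN gateway's.
BAD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

nat_commands
echo "good dump: $(audit_dump "$GOOD_DUMP")"
echo "bad dump:  $(audit_dump "$BAD_DUMP")"
```

On the router itself, `iptables-save -t nat | sh -c 'audit_dump "$(cat)"'` style checks can be replaced by piping the live dump into has_masquerade.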