[LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping
Rimas
rmocius@auste.elnet.lt
Fri, 8 Oct 2004 16:11:01 +0100
Hi Peter,
I already tried giving my tunnel an IP from the same network, but
OpenVPN 2.0b11 then just blocks access to the firewall via the internal IP.
So I gave it a different IP space.
My setup is here:
Server:
ifconfig
# The OpenVPN goes via this wireless line
eth0      Link encap:Ethernet  HWaddr 00:10:5A:A3:9B:58
          inet addr:1.2.3.4  Bcast:x.x.x.x  Mask:255.255.255.248
# Second ADSL line
eth1      Link encap:Ethernet  HWaddr 00:50:DA:3C:D9:7B
          inet addr:2.2.3.4  Bcast:x.x.x.x  Mask:255.255.255.0
# Local net
eth2      Link encap:Ethernet  HWaddr 00:04:76:23:43:36
          inet addr:10.105.105.199  Bcast:10.105.105.255  Mask:255.255.255.0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.2  Mask:255.255.255.255
Routing table (route):
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.2      *               255.255.255.255 UH    0      0        0 tun0
2.2.3.x         *               255.255.255.255 UH    0      0        0 eth1
1.2.3.x         *               255.255.255.248 U     0      0        0 eth0
2.2.3.x         *               255.255.255.0   U     0      0        0 eth1
10.10.10.0      10.10.10.2      255.255.255.0   UG    0      0        0 tun0
10.105.105.0    *               255.255.255.0   U     0      0        0 eth2
10.1.1.0        10.10.10.2      255.255.255.0   UG    0      0        0 tun0
loopback        *               255.0.0.0       U     0      0        0 lo
default         2.2.3.x         0.0.0.0         UG    0      0        0 eth1
Client:
ifconfig
# ADSL connection
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:42:9E:88
          inet addr:192.168.0.129  Bcast:192.168.0.255  Mask:255.255.255.0
# Local net
eth1      Link encap:Ethernet  HWaddr 00:0A:5E:48:0A:E3
          inet addr:10.1.1.199  Bcast:10.1.1.255  Mask:255.255.255.0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.6  P-t-P:10.10.10.5  Mask:255.255.255.255
Routing table (route):
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.5      *               255.255.255.255 UH    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
10.10.10.0      10.10.10.5      255.255.255.0   UG    0      0        0 tun0
10.105.105.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    1      0        0 eth0
Iptables rule:
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o tun0 -j SNAT --to-source 10.10.10.6
So the client configuration works fine for me, but how do I make the client's
local net reachable from the server and from the server's local net?
Thanks
Remus
----- Original Message -----
From: "Peter Huetmannsberger" <huetmann@site38.ping.at>
To: <lartc@mailman.ds9a.nl>
Sent: Friday, October 08, 2004 3:28 PM
Subject: Re: [LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping
>
>
> OK. I didn't know you wanted to NAT the traffic. If you have the default
> gw on your client-net set to the client-gw AND you forward the traffic,
> i.e. set your ip_forward to 1 AND you allow that in your iptables, there
> is no need to NAT the traffic at all. (If you have a static route set to
> your server-net via the tunnel)
>
> I have a similar setup and all I do is:
>
> excerpt from `route -n`
> 192.168.42.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 192.168.42.0 192.168.42.1 255.255.255.0 UG 0 0 0 tun0
>
> Which means the fw finds 192.168.42.1 by looking through the tunnel, and
> the whole network by looking at the far end of the tunnel.
>
> On the other side it is exactly the same way, except of course turned
> around.
>
> I saved myself the trouble of having an extra net for the tunnel; I just
> gave the tun0 device the same IP address as the internal (i.e. the client)
> network. So it actually looks like this:
>
> 192.168.42.0/24 ---192.168.42.1 ---tunnel---192.168.1.101--192.168.1.0/24
>
> This setup has worked very well for me for years, if you see anything
> wrong with it let me know, I am willing to learn.
>
> As long as packets get forwarded on both gateways there is no need to NAT.
>
>
> I can ping any machine from either network, and have samba working for all
> those clients, so it must be reasonable.
>
>
> As for traffic shaping, I would do the shaping on the internal interface
> (the one pointing to your network behind the fw), there you have control
> of incoming traffic via htb (as the traffic going to the clients is
> outgoing).
>
> I hope all of this is correct.
>
> Good luck,
>
> .peter
>
>
> On Fri, 8 Oct 2004, Remus wrote:
>
>> You are correct, Peter.
>> But that is not enough to have access from the client local LAN to the server
>> client local LAN.
>> The line below helped me to fix it:
>> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.0.0.2
>>
>> So there is one more problem, how to access from the server local net
>> client's local net?
>> Any ideas?
>>
>> And how to shape traffic going via tun0?
>>
>> At the moment I have htb on eth0 and imq0 to shape in and out traffic.
>> But what about VPN traffic which goes via tun0?
>>
>> Thanks
>>
>> Remus
>>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
>
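The routed, NAT-free site-to-site setup Peter describes, together with the "how to shape tun0" question from the end of the thread, as an added example; it is not code from the thread, from Remus or Peter, or from OpenVPN itself. It assumes a Linux gateway with iproute2, iptables and tc. The LAN and tunnel addresses are the ones from the ifconfig and routing output above; the 512kbit rate and the `site_config` and `run` helper names are this example's own assumptions. By default (DRY_RUN=1) it prints the commands it would run, so it can be read and tested without root.

```shell
#!/bin/sh
# Added example, not code from the LARTC thread or from OpenVPN.
# Generates (or, with DRY_RUN=0, executes as root) the routed site-to-site
# configuration for one gateway of an OpenVPN tun0 link: forwarding on, a
# static route to the far LAN via the tunnel peer, FORWARD rules limited to
# the two LANs (so no SNAT is needed), and an HTB shaper on tun0.
# Assumed: Linux, iproute2, iptables, tc. Addresses come from the thread;
# the 512kbit rate is an assumed example value.

DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# site_config LOCAL_LAN REMOTE_LAN TUN_PEER LAN_IF [RATE]
#   LOCAL_LAN  the LAN behind this gateway               (e.g. 10.1.1.0/24)
#   REMOTE_LAN the LAN behind the other end of the tunnel (e.g. 10.105.105.0/24)
#   TUN_PEER   the far end of tun0, the P-t-P address in ifconfig (e.g. 10.10.10.5)
#   LAN_IF     the interface facing LOCAL_LAN              (e.g. eth1)
site_config() {
    local_lan=$1; remote_lan=$2; tun_peer=$3; lan_if=$4; rate=${5:-512kbit}

    # 1. The kernel must forward packets between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Reach the other site's LAN by looking through the far end of the
    #    tunnel: the "UG ... tun0" line in Peter's route -n excerpt.
    run ip route replace "$remote_lan" via "$tun_peer" dev tun0

    # 3. Allow only the two LANs to talk across the tunnel, in both
    #    directions. ip_forward=1 alone does nothing if the FORWARD chain
    #    drops by default, which is the usual case on a firewall.
    run iptables -A FORWARD -i "$lan_if" -o tun0 -s "$local_lan" -d "$remote_lan" -j ACCEPT
    run iptables -A FORWARD -i tun0 -o "$lan_if" -s "$remote_lan" -d "$local_lan" -j ACCEPT
    #    Anything else entering from or leaving for the tunnel is refused, so
    #    the remote site cannot use this gateway as a hop to the Internet.
    run iptables -A FORWARD -i tun0 -j DROP
    run iptables -A FORWARD -o tun0 -j DROP

    # 4. Shape what this gateway sends into the tunnel. On tun0 the packets
    #    are still the plaintext inner IP packets, so HTB can classify them
    #    by LAN address; on eth0 they are already UDP to the peer and the
    #    eth0 shaper cannot tell them apart.
    run tc qdisc replace dev tun0 root handle 1: htb default 10
    run tc class replace dev tun0 parent 1: classid 1:10 htb rate "$rate" ceil "$rate"
}

# Client gateway from the thread: LAN 10.1.1.0/24 on eth1, tunnel peer 10.10.10.5.
site_config 10.1.1.0/24 10.105.105.0/24 10.10.10.5 eth1
# Server gateway from the thread: LAN 10.105.105.0/24 on eth2, tunnel peer 10.10.10.2.
site_config 10.105.105.0/24 10.1.1.0/24 10.10.10.2 eth2
```

Run it once on each gateway with the arguments swapped, as the two calls at the bottom show; with DRY_RUN=0 it must run as root. Two caveats the thread does not cover: the FORWARD rules are appended, so an earlier ACCEPT-all rule already in that chain would make them moot and they should then be inserted ahead of it; and if the server end runs OpenVPN in multi-client server mode rather than as a single point-to-point link, the kernel route alone does not tell OpenVPN which client owns the remote LAN, and the server side also needs an `iroute` for that network in the client's config.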