Saturday, March 19, 2016

networking - OpenVPN running on Internet Gateway, so all private clients can access VPN with no config

Our LAN connects to our office gateway machine (192.168.1.1), which is connected to the Internet.

I have set up NAT/Masquerading for this purpose with no issue.

We also use OpenVPN to connect to our data-centre (the OpenVPN server is in the data-centre).

Instead of configuring all internal clients directly, I have made our gateway server a client (10.91.3.102) of the OpenVPN server (10.91.3.1).

Our network speed on the VPN is ridiculous, and I can't figure out what is going missing, where.

It is working, but I'm guessing packets are going missing.



Internet
    modem/router - 192.168.0.1

Gateway
    eth1 - 192.168.0.2 (to Internet)
    eth2 - 192.168.1.1 (to LAN)
    tun0 - 10.91.3.102 (to VPN)

LAN
    192.168.1.0/24



On the gateway machine...



*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j SNAT --to-source 10.91.3.102
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.2
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# accept everything coming from our LAN (eth2)
-A INPUT -i eth2 -j ACCEPT
# accept everything on the VPN
-A INPUT -i tun0 -j ACCEPT

# reject anything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited

# vpn
-A FORWARD -i eth2 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth2 -j ACCEPT

# allow traffic to flow between the Internet (eth1) and our LAN (eth2)
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
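The ruleset above is worth reading with two questions in mind: which direction may open new connections across the tunnel, and is TCP MSS clamped on tun0? Note that `-A FORWARD -i tun0 -o eth2 -j ACCEPT` lets any host reachable over the VPN initiate connections to any LAN host, while the Internet-to-LAN path is restricted to ESTABLISHED,RELATED; and no TCPMSS clamp is present on tun0, which is a common (though not the only possible) cause of slow or stalling TCP transfers over a tunnel whose MTU is smaller than the LAN MTU. The following script is an added example, not code from the post: it parses an iptables-save dump (the post's rules, embedded as a constructed sample), reports those two points as findings, and prints replacement lines. The interface names `eth2`/`tun0` and the policy that only the LAN side initiates connections across the VPN are assumptions taken from the post's description.

```python
"""Audit an iptables-save dump for a LAN-behind-gateway VPN setup (added example)."""
import shlex

# Constructed sample: the filter/nat rules from the post, trimmed to the
# lines that matter for the audit below.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j SNAT --to-source 10.91.3.102
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth2 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_dump(text):
    """Return {table: [rule, ...]} for every '-A' line in an iptables-save dump.

    A rule is a dict with the chain, the raw line, the list of '-m' modules and
    the values of the single-argument options we care about. Policy lines,
    COMMIT and comments are skipped; unknown options are passed over.
    """
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):              # table header, e.g. *filter
            table = line[1:]
            tables.setdefault(table, [])
            continue
        if line.startswith(":") or line == "COMMIT" or table is None:
            continue
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "raw": line, "m": []}
        i = 2
        while i < len(toks):
            if toks[i] == "-m" and i + 1 < len(toks):
                rule["m"].append(toks[i + 1]); i += 2
            elif toks[i] in ("-i", "-o", "-p", "-j", "--state", "--to-source") and i + 1 < len(toks):
                rule[toks[i]] = toks[i + 1]; i += 2
            else:
                i += 1                         # multi-arg or unknown option
        tables[table].append(rule)
    return tables


def audit(text, lan_if="eth2", vpn_if="tun0"):
    """Return a list of human-readable findings for the dump."""
    filt = parse_dump(text).get("filter", [])
    findings = []
    for r in filt:
        stateless = "--state" not in r
        if (r["chain"] == "INPUT" and r.get("-i") == vpn_if
                and r.get("-j") == "ACCEPT" and "-p" not in r and stateless):
            findings.append(f"INPUT accepts all traffic from {vpn_if}: {r['raw']}")
        if (r["chain"] == "FORWARD" and r.get("-i") == vpn_if
                and r.get("-o") == lan_if and r.get("-j") == "ACCEPT" and stateless):
            findings.append(f"FORWARD {vpn_if}->{lan_if} accepts NEW connections into the LAN: {r['raw']}")
    # MSS clamping on the tunnel: absence is a common cause of poor TCP throughput
    # when the tunnel MTU is below the LAN MTU (assumption about this network).
    clamped = any(r["chain"] == "FORWARD" and r.get("-j") == "TCPMSS"
                  and vpn_if in (r.get("-i"), r.get("-o")) for r in filt)
    if not clamped:
        findings.append(f"no TCPMSS clamp rule on {vpn_if} in FORWARD")
    return findings


def suggested_rules(lan_if="eth2", vpn_if="tun0"):
    """Replacement FORWARD lines under the assumed policy: LAN initiates, VPN side answers."""
    return [
        f"-A FORWARD -i {lan_if} -o {vpn_if} -j ACCEPT",
        f"-A FORWARD -i {vpn_if} -o {lan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -o {vpn_if} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
    ]


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print("finding:", f)
    print("\nsuggested replacement for the '# vpn' block:")
    print("\n".join(suggested_rules()))
```

Run it against `iptables-save` output on the gateway (`iptables-save | python3 audit.py`-style plumbing is a one-line change) and compare the findings with the traffic pattern you actually need. If LAN hosts must also accept connections from the data-centre, keep the stateless rule but narrow it by source network and port rather than leaving it open to the whole VPN.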
