From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Rimas"
Date: Fri, 08 Oct 2004 15:11:01 +0000
Subject: Re: [LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping
Message-Id: <025801c4ad49$06190f60$6e69690a@RIMAS>
List-Id:
References: <014301c4ad26$82e206f0$6e69690a@RIMAS>
In-Reply-To: <014301c4ad26$82e206f0$6e69690a@RIMAS>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Hi Peter,

I already tried to give the IP from the same network for my tunnel, but
OpenVPN 2.0b11 just blocks access to the firewall via the internal IP after
that. So I gave it a different IP space.

My setup is here:

Server: ifconfig

The OpenVPN goes via this Wireless line
eth0      Link encap:Ethernet  HWaddr 00:10:5A:A3:9B:58
          inet addr:1.2.3.4  Bcast:x.x.x.x  Mask:255.255.255.248

Second ADSL line
eth1      Link encap:Ethernet  HWaddr 00:50:DA:3C:D9:7B
          inet addr:2.2.3.4  Bcast:x.x.x.x  Mask:255.255.255.0

Local net
eth2      Link encap:Ethernet  HWaddr 00:04:76:23:43:36
          inet addr:10.105.105.199  Bcast:10.105.105.255  Mask:255.255.255.0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.2  Mask:255.255.255.255

Routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.2      *               255.255.255.255 UH    0      0        0 tun0
2.2.3.x         *               255.255.255.255 UH    0      0        0 eth1
1.2.3.x         *               255.255.255.248 U     0      0        0 eth0
2.2.3.x         *               255.255.255.0   U     0      0        0 eth1
10.10.10.0      10.10.10.2      255.255.255.0   UG    0      0        0 tun0
10.105.105.0    *               255.255.255.0   U     0      0        0 eth2
10.1.1.0        10.10.10.2      255.255.255.0   UG    0      0        0 tun0
loopback        *               255.0.0.0       U     0      0        0 lo
default         2.2.3.x         0.0.0.0         UG    0      0        0 eth1

Client: ifconfig

# ADSL connection
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:42:9E:88
          inet addr:192.168.0.129  Bcast:192.168.0.255  Mask:255.255.255.0

# Local net
eth1      Link encap:Ethernet  HWaddr 00:0A:5E:48:0A:E3
          inet addr:10.1.1.199  Bcast:10.1.1.255  Mask:255.255.255.0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.6  P-t-P:10.10.10.5  Mask:255.255.255.255

Routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.5      *               255.255.255.255 UH    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
10.10.10.0      10.10.10.5      255.255.255.0   UG    0      0        0 tun0
10.105.105.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun0
10.1.1.0        *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    1      0        0 eth0

Iptables rule

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o tun0 -j SNAT --to-source 10.10.10.6

So the client configuration works fine for me, but how do I get access to the
client's local net from the server and from the server's local net?

Thanks

Remus

----- Original Message -----
From: "Peter Huetmannsberger"
To:
Sent: Friday, October 08, 2004 3:28 PM
Subject: Re: [LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping


> OK. I didn't know you wanted to NAT the traffic. If you have the default
> gw on your client-net set to the client-gw AND you forward the traffic,
> i.e. set your ip_forward to 1 AND you allow that in your iptables, there
> is no need to NAT the traffic at all. (If you have a static route set to
> your server-net via the tunnel)
>
> I have a similar setup and all I do is:
>
> excerpt from `route -n`
> 192.168.42.1    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 192.168.42.0    192.168.42.1    255.255.255.0   UG    0      0        0 tun0
>
> Which means the fw finds 192.168.42.1 by looking through the tunnel, and
> the whole network by looking at the far end of the tunnel.
>
> On the other side it is exactly the same way, except of course turned
> around.
>
> I saved myself the trouble of having an extra net for the tunnel, I just
> gave the tun0 device the same IP address as the internal (i.e. the client)
> network. So it actually looks like this:
>
> 192.168.42.0/24 ---192.168.42.1 ---tunnel---192.168.1.101--192.168.1.0/24
>
> This setup has worked very well for me for years, if you see anything
> wrong with it let me know, I am willing to learn.
>
> As long as packets get forwarded on both gateways there is no need to NAT.
>
> I can ping any machine from either network, and have samba working for all
> those clients, so it must be reasonable.
>
> As for traffic shaping, I would do the shaping on the internal interface
> (the one pointing to your network behind the fw), there you have control
> of incoming traffic via htb (as the traffic going to the clients is
> outgoing).
>
> I hope all of this is correct.
>
> Good luck,
>
> .peter
>
>
> On Fri, 8 Oct 2004, Remus wrote:
>
>> You are correct Peter.
>> But that is not enough to have access from client local lan to server
>> client local lan.
>> The line below helped me to fix it:
>> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.0.0.2
>>
>> So there is one more problem, how to access from the server local net
>> client's local net?
>> Any ideas?
>>
>> And how to shape traffic going via tun0?
>>
>> At the moment I have htb on eth0 and imq0 to shape in and out traffic?
>> But what about VPN traffic which goes via tun0?
>>
>> Thanks
>>
>> Remus
>>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
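Peter's argument (symmetric static routes through the tunnel plus forwarding on both gateways, no NAT needed) can be checked against the two routing tables posted above by tracing the forwarding decisions a packet and its reply would meet. The code below is an added example, not part of this thread: the LAN hosts 10.105.105.50 and 10.1.1.50 are constructed, and it assumes each LAN host uses its own gateway (10.105.105.199 and 10.1.1.199) as default gateway, that ip_forward is 1 and the FORWARD chain permits the traffic on both boxes.

```python
import ipaddress

# Routing tables transcribed from the two `route` listings in the mail.
# Gateway None means directly connected ("*" in the listing); the uplink rows
# the mail masks with "x" are omitted, since the tunnel path never uses them.
SERVER_ROUTES = [
    ("10.10.10.2/32",   None,          "tun0"),
    ("10.10.10.0/24",   "10.10.10.2",  "tun0"),
    ("10.105.105.0/24", None,          "eth2"),
    ("10.1.1.0/24",     "10.10.10.2",  "tun0"),
    ("0.0.0.0/0",       "2.2.3.x",     "eth1"),   # default via the ADSL line
]
CLIENT_ROUTES = [
    ("10.10.10.5/32",   None,          "tun0"),
    ("192.168.0.0/24",  None,          "eth0"),
    ("10.10.10.0/24",   "10.10.10.5",  "tun0"),
    ("10.105.105.0/24", "10.10.10.5",  "tun0"),
    ("10.1.1.0/24",     None,          "eth1"),
    ("0.0.0.0/0",       "192.168.0.1", "eth0"),
]

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return (best[2], best[1]) if best else None

def round_trip(server_host, client_host):
    """The four forwarding decisions for a server-LAN host reaching a client-LAN
    host and getting its reply back, with ip_forward=1 and an open FORWARD chain
    on both gateways and no NAT anywhere on the path."""
    return [
        lookup(SERVER_ROUTES, client_host),   # server gw: request via tunnel
        lookup(CLIENT_ROUTES, client_host),   # client gw: deliver onto eth1
        lookup(CLIENT_ROUTES, server_host),   # client gw: reply via tunnel
        lookup(SERVER_ROUTES, server_host),   # server gw: deliver onto eth2
    ]

if __name__ == "__main__":
    # Constructed sample hosts, one per LAN, each using its gateway as default gw.
    for hop in round_trip("10.105.105.50", "10.1.1.50"):
        print(hop)
    # With the client-side SNAT rule from the mail, the server sees 10.10.10.6
    # as the source, so its reply is pinned to the tunnel endpoint instead:
    print(lookup(SERVER_ROUTES, "10.10.10.6"))
```

Every hop of the round trip resolves to a route already present in the posted tables, which is Peter's point: once 10.1.1.0/24 is reachable via tun0 on the server and 10.105.105.0/24 via tun0 on the client, the SNAT only hides the real client addresses from the server side.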