Openvpn

This post is a reminder to my brain who lately likes to forget basic things such an iptable rule to allow VPN clients to access internal LAN.

Yes, this afternoon I spent almost an hour and a half to try to figure out what went wrong with my newly installed openvpn. I was unable to access the LAN behind the server and I literally spent 90 minutes looking in the wrong place because my brain betrayed me and I completely forgot about adding a MASQUERADE rule to my firewall.

In my defense, I had problems with the installation, dependency problems and something close to the DLL hell that Windows has. This situation tricked me a lot because I assumed   this was the cause but when I decided to tcpdump the requests I saw the following:

[bash]

# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
17:27:38.136712 IP 10.8.0.6 > 192.168.0.1: ICMP echo request, id 30234, seq 1, length 64
17:27:39.137333 IP 10.8.0.6 > 192.168.0.1: ICMP echo request, id 30234, seq 2, length 64

[/bash]

What! direct ping from tun to an IP visible only from eth0? Then I realized that I missed the:

[bash]

# iptables -t nat -A POSTROUTING -j MASQUERADE

[/bash]

Voila!

[bash]

# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes

17:39:55.968160 IP 10.8.0.6 > 192.168.0.1: ICMP echo request, id 30234, seq 738, length 64

17:39:55.968757 IP 192.168.0.1 > 10.8.0.6: ICMP echo reply, id 30234, seq 738, length 64

[/bash]

I must have installed openvpn at least 4 times before today, but still wasn’t enough to remember the right thing at the right moment. Won’t happen again, hopefully :D.

Leave a Reply

Your email address will not be published. Required fields are marked *