OpenVPN Implementation II - Host-to-site VPN solution - Part 5

4. Routing Setup (Access Local LAN Resources)
The point of a user-access VPN is to reach resources on the local LAN (application servers and so on) from the VPN client. Two ways to achieve this are shown here.
Before trying either method, check the iptables rules on the OpenVPN server with iptables -nL (add -v for packet counters) and make sure the FORWARD chain does not contain "REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited". That rule rejects every packet the server forwards between interfaces, including VPN-client traffic bound for the LAN:
[root@NyVpnC01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11945
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited <<<<===== need to remove
If it does, edit /etc/sysconfig/iptables and remove or comment out the line "-A FORWARD -j REJECT --reject-with icmp-host-prohibited", then reload the rules with /etc/init.d/iptables restart (the separate stop shown below is not required). Note that deleting the rule while the FORWARD policy stays at ACCEPT lets the server forward anything; a tighter alternative is to keep the REJECT and insert ACCEPT rules for the VPN subnet ahead of it.
[root@NyVpnC01 ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 11945 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited <<<<===== need to remove
COMMIT
"/etc/sysconfig/iptables" 14L, 517C written
[root@NyVpnC01 ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[root@NyVpnC01 ~]# /etc/init.d/iptables restart
iptables: Applying firewall rules: [ OK ]
[root@NyVpnC01 ~]#
[root@NyVpnC01 ~]#
[root@NyVpnC01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11945
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
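Deleting the blanket REJECT, as above, leaves the FORWARD chain with policy ACCEPT and no rules, so the OpenVPN server will now forward any packet between any of its interfaces. The script below is an added example, not part of the original article and not OpenVPN's own tooling: it reads an `iptables -S FORWARD` listing and reports whether a REJECT/DROP-everything rule comes before any ACCEPT for the VPN, then prints a least-privilege replacement that forwards only VPN-client traffic from the tunnel into the LAN and the replies back. The tunnel interface name tun0 is an assumption (the page never names it); eth0 and 10.8.0.0/24 are the LAN interface and VPN subnet the page uses. The sample rule listing is constructed to match the "before" state shown above.

```shell
#!/bin/sh
# Added example (not from the original article): audit the FORWARD chain of an
# OpenVPN gateway and emit least-privilege forwarding rules instead of simply
# deleting the blanket REJECT.
# Assumptions (not stated on the page): tunnel interface tun0, LAN interface
# eth0, VPN client subnet 10.8.0.0/24. Override via environment if different.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"

# Constructed sample of `iptables -S FORWARD` on the box before the fix.
SAMPLE_FORWARD_RULES='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Read `iptables -S FORWARD` output on stdin. Return 0 (true) when a REJECT or
# DROP with no match qualifiers appears before any ACCEPT that mentions the VPN
# subnet or the tunnel interface, i.e. when VPN clients cannot reach the LAN.
forward_blocks_vpn() {
    awk -v net="$VPN_NET" -v tun="$TUN_IF" '
        /^-A FORWARD / && /-j ACCEPT/ && (index($0, net) || index($0, "-i " tun " ")) { allowed = 1 }
        /^-A FORWARD -j (REJECT|DROP)( |$)/ && !allowed { blocked = 1; exit }
        END { if (blocked) exit 0; exit 1 }'
}

# Print the rules to load instead of removing the REJECT: allow new and
# established flows from the tunnel into the LAN, allow only replies back,
# and keep rejecting everything else that the box is asked to forward.
hardened_forward_rules() {
    cat <<EOF
-A FORWARD -i ${TUN_IF} -o ${LAN_IF} -s ${VPN_NET} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${TUN_IF} -d ${VPN_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Return 0 when the kernel forwards IPv4 at all (reads the live sysctl; the
# firewall rules are irrelevant if this is 0).
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Demo on the constructed sample. On the real host run:
#   iptables -S FORWARD | forward_blocks_vpn && hardened_forward_rules
if printf '%s\n' "$SAMPLE_FORWARD_RULES" | forward_blocks_vpn; then
    echo "FORWARD chain blocks VPN traffic; suggested replacement rules:"
    hardened_forward_rules
fi
```

The three printed lines go into /etc/sysconfig/iptables in place of the single REJECT line, keeping the REJECT last so that anything not explicitly allowed is still refused. Run the `ip_forward_enabled` check as well: with net.ipv4.ip_forward at 0 no FORWARD rule will ever see a packet.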
Method One - Add a static route for the VPN subnet on the internal server, pointing at the OpenVPN server's internal LAN interface.
 
1. Start an ICMP ping from client1 to the internal server AppServL01. It fails with "host unreachable": AppServL01 has no route back to the 10.8.0.0/24 VPN subnet, so its replies never reach the client.
2. On the LAN server AppServL01 run "route add -net 10.8.0.0/24 gw 192.168.110.10":
-net 10.8.0.0/24 is the VPN client subnet, i.e. the return destination.
gw 192.168.110.10 is the OpenVPN server's eth0 internal LAN interface IP.
A route added with route add does not survive a reboot; on RHEL/CentOS put it in /etc/sysconfig/network-scripts/route-eth2 as well. Verify the routing table with route -n.
[root@AppServL01 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.110.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth2
[root@AppServL01 ~]# route add -net 10.8.0.0/24 gw 192.168.110.10
[root@AppServL01 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 192.168.110.10 255.255.255.0 UG 0 0 0 eth2
192.168.110.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth2
3. The ping window now shows replies.
tcpdump on AppServL01 (tcpdump -nnn -s 10000 | grep -i icmp) confirms the route is working: echo requests arrive from the client's VPN address 10.8.0.6 and the replies are sent back to it.
17:42:34.842566 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 21377, length 40
17:42:34.842586 IP 192.168.110.11 > 10.8.0.6: ICMP echo reply, id 1, seq 21377, length 40
17:42:35.857207 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 21378, length 40
17:42:35.857229 IP 192.168.110.11 > 10.8.0.6: ICMP echo reply, id 1, seq 21378, length 40
17:42:36.870498 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 21379, length 40
17:42:36.870517 IP 192.168.110.11 > 10.8.0.6: ICMP echo reply, id 1, seq 21379, length 40
17:42:37.885030 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 21380, length 40
17:42:37.885050 IP 192.168.110.11 > 10.8.0.6: ICMP echo reply, id 1, seq 21380, length 40
17:42:38.898759 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 21381, length 40
17:42:38.898780 IP 192.168.110.11 > 10.8.0.6: ICMP echo reply, id 1, seq 21381, length 40
17:42:39.913166 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 21382, length 40
17:42:39.913188 IP 192.168.110.11 > 10.8.0.6: ICMP echo reply, id 1, seq 21382, length 40
Note: if ping still reports unreachable after the route is added, the OpenVPN server is most likely still rejecting forwarded traffic. Running "/etc/init.d/iptables stop" on the OpenVPN server is a quick way to confirm that, but do not leave the firewall off: fix the FORWARD chain as described at the start of this section, make sure net.ipv4.ip_forward is 1, and start iptables again.
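The route added in step 2 lives only in the kernel's routing table and disappears at the next reboot of AppServL01. The script below is an added example, not from the original article: it writes the return route into the RHEL/CentOS network-scripts file for the interface (read by ifup, one "ip route" argument line per route) without duplicating it, and parses `route -n` output to confirm the UG entry shown above is present. The subnet, gateway and interface default to the page's values (10.8.0.0/24 via 192.168.110.10 on eth2); the route table text is constructed to match the output above. Every LAN host that must answer VPN clients needs this route unless the LAN's default gateway carries it instead.

```shell
#!/bin/sh
# Added example (not from the original article): make the Method-one return
# route persistent on a RHEL/CentOS 6 LAN host and verify it is installed.
# Defaults match the page's AppServL01; override via environment for other hosts.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_GW="${VPN_GW:-192.168.110.10}"
LAN_IF="${LAN_IF:-eth2}"

# Append "<net> via <gw> dev <iface>" to route-<iface> in the given directory
# ($1, defaults to /etc/sysconfig/network-scripts). Idempotent: an identical
# line already present is not added again.
write_persistent_route() {
    dir="${1:-/etc/sysconfig/network-scripts}"
    file="${dir}/route-${LAN_IF}"
    line="${VPN_NET} via ${VPN_GW} dev ${LAN_IF}"
    if [ -f "$file" ] && grep -Fxq "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Read `route -n` output on stdin; return 0 when a gateway route (G flag) to
# the VPN subnet via the OpenVPN server's LAN address exists.
vpn_route_present() {
    awk -v dst="${VPN_NET%/*}" -v gw="$VPN_GW" '
        $1 == dst && $2 == gw && $4 ~ /G/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Constructed `route -n` samples: before and after the route is added.
ROUTE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.110.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth2'
ROUTE_AFTER="$ROUTE_BEFORE
10.8.0.0        192.168.110.10  255.255.255.0   UG    0      0        0 eth2"

# Demo on the constructed sample. On the live host:
#   write_persistent_route && route -n | vpn_route_present && echo "return route ok"
if printf '%s\n' "$ROUTE_AFTER" | vpn_route_present; then
    echo "return route to $VPN_NET via $VPN_GW present"
fi
```

After writing the file, `ifdown eth2 && ifup eth2` (or a reboot) installs the route; the immediate `route add` from step 2 covers the current session.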
 
Method Two - Add a Specific NAT Statement (SNAT or MASQUERADE)
The other way to reach internal resources is to source-NAT VPN client traffic to the OpenVPN server's LAN address as it leaves toward the LAN. The internal servers then see the OpenVPN server as the source and answer it directly, so they need no route to 10.8.0.0/24:
 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.110.10
 
-s 10.8.0.0/24 : the VPN client subnet
-o eth0 : the OpenVPN server's internal LAN interface
--to-source 192.168.110.10 : the IP of that interface
The trade-off is visibility: every VPN client now appears to the internal servers as 192.168.110.10, so their logs and any host-based access rules can no longer tell clients apart. Method one preserves the client's 10.8.0.x source address.
1. Run "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.110.10", or equivalently "iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE" (MASQUERADE uses whatever address eth0 currently has, which suits a DHCP-assigned interface). Either rule is lost at reboot unless saved with "service iptables save".
 
[root@VpnL01 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.110.10
2. Validate with iptables -t nat -n -L:
[root@VpnL01 openvpn]# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:192.168.110.10
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@VpnL01 openvpn]#
Below is tcpdump output captured on the internal server AppServL01. Before 18:36:05 the echo requests arrive from 10.8.0.6 and get no reply (the server has no route back to the VPN subnet); from 18:36:05.004301 the NAT rule is in effect, the requests appear to come from 192.168.110.10 and the replies flow.
18:35:50.012041 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 24371, length 40
18:35:55.003716 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 24372, length 40
18:36:00.011641 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 24373, length 40
18:36:05.004301 IP 192.168.110.10 > 192.168.110.11: ICMP echo request, id 1, seq 24374, length 40 <<<<<
18:36:05.004542 IP 192.168.110.11 > 192.168.110.10: ICMP echo reply, id 1, seq 24374, length 40
18:36:06.002016 IP 192.168.110.10 > 192.168.110.11: ICMP echo request, id 1, seq 24375, length 40
18:36:06.002039 IP 192.168.110.11 > 192.168.110.10: ICMP echo reply, id 1, seq 24375, length 40
18:36:07.015859 IP 192.168.110.10 > 192.168.110.11: ICMP echo request, id 1, seq 24376, length 40
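The capture above is the direct evidence of Method two's side effect: once SNAT is on, the internal server sees the OpenVPN server's LAN address instead of the client's. The script below is an added example, not part of the original article: it reads tcpdump lines in the format shown (tcpdump -nn icmp) and classifies each echo request as routed (source still 10.8.0.x, Method one) or natted (source is the gateway address, Method two), reports the first NATed timestamp, and counts how many requests have lost their client identity. The VPN prefix 10.8.0. and gateway 192.168.110.10 are the page's values; the sample lines are constructed to mirror the capture above.

```shell
#!/bin/sh
# Added example (not from the original article): classify ICMP echo requests
# seen on an internal server as routed (client's own VPN address) or natted
# (hidden behind the OpenVPN server's LAN address).
# Assumed values taken from the page: VPN subnet 10.8.0.0/24, gateway 192.168.110.10.
VPN_PREFIX="${VPN_PREFIX:-10.8.0.}"
VPN_GW="${VPN_GW:-192.168.110.10}"

# Constructed tcpdump lines (`tcpdump -nn icmp` format) modelled on the capture
# in the article: one request before the NAT rule, then NATed traffic.
SAMPLE_CAPTURE='18:36:00.011641 IP 10.8.0.6 > 192.168.110.11: ICMP echo request, id 1, seq 24373, length 40
18:36:05.004301 IP 192.168.110.10 > 192.168.110.11: ICMP echo request, id 1, seq 24374, length 40
18:36:05.004542 IP 192.168.110.11 > 192.168.110.10: ICMP echo reply, id 1, seq 24374, length 40
18:36:06.002016 IP 192.168.110.10 > 192.168.110.11: ICMP echo request, id 1, seq 24375, length 40'

# For each echo request on stdin print "<time> <source> routed|natted|other".
# Fields: $1 timestamp, $2 "IP", $3 source address. Replies are skipped because
# their source is always the internal server itself.
classify_requests() {
    awk -v vpn="$VPN_PREFIX" -v gw="$VPN_GW" '
        /ICMP echo request/ {
            src = $3
            if (index(src, vpn) == 1)      kind = "routed"
            else if (src == gw)            kind = "natted"
            else                           kind = "other"
            print $1, src, kind
        }'
}

# Number of requests whose real client address is hidden by SNAT/MASQUERADE.
# Non-zero means this server cannot attribute VPN traffic to individual clients.
count_natted() {
    classify_requests | awk '$3 == "natted" { n++ } END { print n + 0 }'
}

# Timestamp of the first NATed request, i.e. when the NAT rule took effect.
# Prints nothing when no request carries the gateway address.
nat_start_time() {
    classify_requests | awk '$3 == "natted" { print $1; exit }'
}

# Demo on the constructed capture. Live use on the internal server:
#   tcpdump -nn -l icmp | classify_requests
printf '%s\n' "$SAMPLE_CAPTURE" | classify_requests
```

If attribution per client matters (per-host access rules, audit logs), a non-zero `count_natted` on the internal servers is the signal to prefer Method one, or to log client identity on the OpenVPN server itself where the 10.8.0.x addresses are still visible.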
 
