
I have an OpenVPN subnet 10.8.0.0/24 running one server and one client (laptop). OpenVPN works fine. Browsing the web over OpenVPN from the laptop also works fine.

Now on the server there is a private subnet with 10.7.8.128/28. The subnet is set up with racoon (IPSEC s2s vpn). The s2s vpn allows me to access the subnet 10.3.5.0/24 at the other s2s vpn end. Works all fine when I'm connected with ssh to my server.

From my laptop I can ping 10.7.8.129 (the server's IPsec local IP) but I cannot reach the net 10.3.5.0/24.

I tried to add a static route on my laptop 10.3.5.0/24 over gw 10.7.8.129 with no success.

Any ideas how I set up the NAT / routing?

Thanks


Most likely, the 10.3.5.0/24 network doesn't know who you are and how to get to you.

You need to add the route for 10.8.0.0/24 with gateway 10.7.8.129 to the router for the 10.3.5.0/24 network. You may also need to add an IPSEC rule to encrypt traffic destined for 10.8.0.0/24.

Additional routes may also be required, depending on your network topology.

cjc
  • Is there no way without changing 10.3.5.0/24? NAT or something? I would like the laptop to operate as if it were the server. There are also free IPs on 10.7.8.128/28 (.130, .131, etc.). Is it possible at all? – Jonas Schnelli Apr 03 '12 at 11:06
  • Yes, you can configure your OpenVPN server to NAT traffic from 10.8.0.0/24 so that it looks like it's coming from its own IP address. That would obviate the need for routes. Something like `/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.7.8.129` assuming eth0 is the interface for 10.7.8.129. – cjc Apr 03 '12 at 11:16
  • You're not trying to bypass your network administrators, are you? – cjc Apr 03 '12 at 11:20
  • No. I just try to access an IP behind the S2S VPN over the remote laptop VPN. – Jonas Schnelli Apr 03 '12 at 12:21
  • Hmm.. the iptables rule works. But now all my traffic goes to 10.7.8.129. So browsing the web is no longer possible. How can I tell iptables to just NAT traffic to 10.3.5.0/24? (THANKS by the way!) – Jonas Schnelli Apr 03 '12 at 12:32
  • Add a "-d 10.3.5.0/24" to specify the destination. – cjc Apr 03 '12 at 12:36
  • Last question. :) : it seems to collide with the rule `sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE` (normal OpenVPN NAT). How can I combine those? When I have the MASQUERADE set, then the 10.3.5.0 net is not reachable; when I use your iptables rule, then the web is not accessible? – Jonas Schnelli Apr 03 '12 at 12:59
  • http://brokestream.com/iptables.html So the MASQUERADE and SNAT rules are basically equivalent (MASQ is an older, less flexible form). You can get rid of the MASQ rule if the only forwarded traffic is your VPN. – cjc Apr 03 '12 at 13:09
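The combined ruleset discussed in the comments above, as an added example (not code from the answer or from the question's author). It keeps both rules rather than dropping the MASQUERADE, which matters if the server forwards anything besides the VPN. The point it demonstrates is ordering: the nat POSTROUTING chain is evaluated top to bottom and the first matching NAT target decides the mapping for that connection, so the narrow SNAT rule (source 10.8.0.0/24, destination 10.3.5.0/24, rewritten to the IPsec local address 10.7.8.129) must precede the general MASQUERADE rule; appended after it, it is never reached, which matches the "with MASQUERADE set, 10.3.5.0 is not reachable" symptom. The addresses and eth0 are the question's own values; the SNAT rule is additionally restricted with `-s 10.8.0.0/24` so that only OpenVPN client traffic is rewritten (my addition, not in the comments). By default the script only prints the commands; set `IPT=/sbin/iptables` to apply them.

```shell
#!/bin/sh
# Added example: NAT rules letting OpenVPN clients reach the subnet behind the
# IPsec site-to-site tunnel while keeping normal internet access.
set -eu

VPN_NET="10.8.0.0/24"     # OpenVPN client subnet (from the question)
S2S_NET="10.3.5.0/24"     # subnet behind the IPsec site-to-site tunnel
IPSEC_LOCAL="10.7.8.129"  # server's IPsec-side address (from the question)
WAN_IF="eth0"             # outbound interface, as assumed in the comments

# Dry run by default: print the commands instead of executing them.
IPT="${IPT:-echo /sbin/iptables}"

# Emit the POSTROUTING rules in the order they must be evaluated.
nat_rules() {
    # Rule 1 (must come first): VPN-client traffic for the remote IPsec subnet
    # leaves with the IPsec local address, so the existing racoon policy
    # (10.7.8.128/28 <-> 10.3.5.0/24) covers it without touching the far end.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -d "$S2S_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$IPSEC_LOCAL"
    # Rule 2: everything else from the VPN clients (web browsing) is
    # masqueraded behind the interface's own address as before.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Sanity check usable before applying for real: returns 0 only if the SNAT
# rule is emitted before the MASQUERADE rule (first match wins in the nat table).
check_order() {
    nat_rules | awk '/SNAT/ { s = NR } /MASQUERADE/ { m = NR } END { exit !(s && m && s < m) }'
}

check_order || { echo "rule order wrong: SNAT must precede MASQUERADE" >&2; exit 1; }
nat_rules
```

Forwarding still has to be enabled on the server (`net.ipv4.ip_forward=1`) and the FORWARD chain must allow the traffic; those were already in place for the working web-browsing case, so they are not repeated here.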