-1

I have been successful in setting up two OpenVPN servers as follows:

  1. Ubuntu1 (LAN IP: 172.23.6.148 WAN IP: 60.242.175.132)
  2. Ubuntu2 (LAN IP: 172.23.6.149 WAN IP: 60.242.175.133)

Clients connecting to both servers can access my two LAN subnets (172.23.6.0/24 and 172.23.7.0/24). However, those connecting to Ubuntu2 cannot access the internet. Below are the routing tables from both servers:

KERNEL ROUTING TABLE FROM UBUNTU1 (172.23.6.148)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.23.6.120    0.0.0.0         UG    0      0        0 br0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.9.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tinc0
172.23.6.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
172.23.7.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
207.187.53.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

KERNEL ROUTING TABLE FROM UBUNTU2 (172.23.6.149)

root@ubuntu2:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         50.242.184.134  0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.9.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tinc0
50.242.184.128  0.0.0.0         255.255.255.248 U     0      0        0 eth0
172.23.6.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
172.23.7.0      172.23.6.1      255.255.255.0   UG    0      0        0 br0
207.187.53.0    172.23.6.1      255.255.255.0   UG    0      0        0 br0

Please note that I have full control of the gateway for Ubuntu2 but not for Ubuntu1 (3rd party managed). What do I need to do to get internet traffic for clients connecting to Ubuntu2? I'm ready and willing to provide any additional information as requested, thanks.

EDIT #1:

Below is what I've added to my firewall rules (in /etc/ufw/before.rules just before the *filter line):

# START OPENVPN RULES

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from OpenVPN client to br0
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
COMMIT

# END OPENVPN RULES
Kismet Agbasi
  • 323
  • 1
  • 4
  • 17
  • You seem to have an IP conflict. You seem to have specfied the same subnet (`10.8.0.0/24`) for the VPN on both servers. BTW what does your firewall rules look like? I assume you must have a MASQ/SNAT rule in there, but does that rule cover the VPN networks? – Zoredache Oct 31 '14 at 22:03
  • Thanks for the observation. I noticed those two entries as well, but that seems to be by design. Each time I stop the OpenVPN server, they disappear. When I restart, they appear - and it happens on both servers - so I'm inclined to believe it's by design. Also, I've edited my question to show the firewall rule I added in order to masquerade the vpn traffic. – Kismet Agbasi Nov 01 '14 at 00:49

2 Answers2

1

Based on the accepted answer to this question, I changed my firewall rule to SNAT instead of MASQUERADE and it worked:

-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 60.242.175.133

I added this rule to the /etc/ufw/before.rules file. I did note, however, that if I included "iptables" in the line, UFW failed to reload. Anyway, my clients connecting to Ubuntu2 now can get internet access. Thanks to all who offered suggestions, I really appreciate the help.

Community
  • 1
Kismet Agbasi
  • 323
  • 1
  • 4
  • 17
0

you are Masquerading / natting 10.8.0.0/24, however the requests are most likely coming from 172.23 subnet - its impossible to say for certain however without more details.

You should try natting 172.23.0.0/16 and see if that solves your problem.

davidgo
  • 6,222
  • 3
  • 23
  • 41
  • Thanks David, but I tried that and it didn't make a difference. I have found a solution and I'll be posting it shortly as an answer. Really appreciate the help. – Kismet Agbasi Nov 01 '14 at 11:21