The officially official Devuan Forum!

You are not logged in.

#26 2018-06-18 22:23:08

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: openvpn server and client on same box

ralph.ronnquist wrote:

That's a good set of rules for doing no filtering at all, yes smile

If you don't mind, rather dump the output if iptables-save, just to confirm all the tables. Basically, you shouldn't need any iptables rules, except the masquerading of the outbound traffic on tunY. That one is necessary to allow packets with original source from IP 10.8.x.0/24 (i.e., your server-vpn clients) or 192.168.y.0/24 (your wlanX neighbors), as well as allowing packets from 192.168.x.0/24 (your ethX neighbors) to be forwarded and masqueraded through tunY.

Agreed. He'll likely need a couple of additional rules to route selected internet traffic (communication with his internal VPN server) over eth0 though. At least that's the best idea i have to actually have replies (those packet's will have a non local destination) to packet's that reach his VPN server ever eth0 exit there again while having a default route that points towards tunY

Last edited by devuser (2018-06-18 22:27:20)

Offline

#27 2018-06-18 22:49:09

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,251  

Re: openvpn server and client on same box

mmm ... all 192.168.x.0/24 (ethX) traffic should go out without ado due to the network route.

Offline

#28 2018-06-19 08:01:38

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: openvpn server and client on same box

ralph.ronnquist wrote:

mmm ... all 192.168.x.0/24 (ethX) traffic should go out without ado due to the network route.

Sure but if his internal VPN server gets a connection from the internet that won't be from 192.168.x.0/24 or any kind of local address but a random WAN IP (which OP doesn't know beforehand so no chance to set a conventional route for it) and when the server attempts to answer the only route matching the destination IP will be the default route pointing at tunY.

It's a bit of a weird setup to actually have a need for routing based on source port (well, at least that's how i'd single out traffic originating from his internal VPN server) rather than destination IP but in this case i don't see how it could work otherwise. Well, i guess he might get away with source based routing also but in that case all traffic originating at eth0 (or rather it's IP) would get routed through eth0 (his normal internet connection). That might spare him the tagging of individual packets but it's not exactly (as i understand it) what he is asking for and imo it wouldn't be all that much simpler.

Last edited by devuser (2018-06-19 08:42:11)

Offline

#29 2018-06-19 11:46:43

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,251  

Re: openvpn server and client on same box

There are probably many holes in my understanding, but isn't it so, that the server-vpn program already interacts on eth0 for handling its clients; so it's response packets are already outbound on eth0 without any routing?

Offline

#30 2018-06-19 12:58:39

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: openvpn server and client on same box

ralph.ronnquist wrote:

There are probably many holes in my understanding, but isn't it so, that the server-vpn program already interacts on eth0 for handling its clients; so it's response packets are already outbound on eth0 without any routing?

Well, not saying i am total expert here either. I've done a bit of weird stuff like per user routing and so on but it's not like i deal with this on a regular basis. Still to my best knowledge the kernel doesn't care where a packet was received when sending a reply. It just goes by what the routing table says. The reply packets disappearing from eth0 as soon as the tunY default route is up imo underlines this. Also when you look into reverse path filtering you'll see that it deals with exactly such cases (seems it's not used by default in Devuan - Ubuntu for example does use it by default i think - otherwise OP would have to disable it to not have the kernel outright drop the incoming packets).

Last edited by devuser (2018-06-19 13:06:24)

Offline

#31 2018-06-20 00:10:35

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,251  

Re: openvpn server and client on same box

Gems of knowledge into my sea of ignorance .. I hope the OP gets to mark this as solved soon.

Offline

#32 2018-06-20 21:34:42

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: openvpn server and client on same box

ralph.ronnquist wrote:

Gems of knowledge into my sea of ignorance .. I hope the OP gets to mark this as solved soon.

Sorry, i hate coming across as a smartass sad Anyways, i also hope there will be a satisfying solution.

Offline

Board footer