[Solved] Problem routing through openvpn out through ext_if on another server - The FreeBSD Forums
#1
February 3rd, 2012, 21:34
blodan (Junior Member)
Problem routing through openvpn out through ext_if on another server

Hi!

I have a pretty straightforward route I want to do with pf + openvpn, but somehow I cannot get it working. I have been scratching my head for 3 hours now and I am feeling I am going to give myself a facepalm when receiving the answer here.

So here it goes:
We have an office in Sweden and a server in Norway; they are connected together with openvpn on the range 10.0.2.0/24.

For your information:
- Both servers have FreeBSD 8.2 with pf compiled into the kernel.
- I do have gateway enabled on both servers.
- The server in Norway has IP 10.0.2.6 on the VPN and is fully accessible from anywhere on the Swedish network.

In Sweden the office has a LAN on 10.0.0.0/24. I have no problem routing traffic going to 10.0.2.0/24 to the VPN; this has easily been solved with this line on the Swedish firewall:
Code:
nat on $server_vpn_if from $int_if:network to any -> ($server_vpn_if)
(Meaning I have no problem running ping/ssh or whatever to 10.0.2.6)

Now, I want to route all traffic on port 80 from a desktop on the LAN in Sweden with the ip 10.0.0.50 (I am just trying out with port 80 for test purposes).

I thought this was done with this configuration:
Sweden
Code:
pass in quick on $int_if route-to ($server_vpn_if 10.0.2.6) proto tcp from 10.0.0.50 to any port { 80 } keep state
Norway
Code:
nat on $ext_if from $vpn_if to any -> ($ext_if)
But apparently not; I have tried a bunch of other rules too but have not been able to come up with a working pair.

Anyone have any pointers on how to debug this? Any help is appreciated as I am really stuck now.

Last edited by DutchDaemon; February 4th, 2012 at 01:17. Reason: Proper formatting: http://forums.freebsd.org/showthread.php?t=8816
#2
February 6th, 2012, 08:39
SirDice (Moderator)

Why are you using NAT? There's no need for it. Just make sure all three networks (Norway, Sweden and VPN) use different subnets. Plain and simple routing will do the rest. NAT only complicates things unnecessarily.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#3
February 7th, 2012, 15:58
blodan (Junior Member)

Thanks for the pointers SirDice!

I have now removed the NAT in Sweden and pushed correct routes to all clients. So now the LAN in Sweden can reach the server in Norway without any NATs.

However, I still can't get the route-to line working to route http traffic through Norway out to internet for a certain Swedish LAN ip.

Code:
pass in quick log on $int_if route-to ($server_vpn_if 10.0.2.6) proto tcp from 10.0.0.50 to any port 80 keep state
When I run tcpdump on the firewall in Sweden I get this output (from the rule above):
Code:
00:00:00.250214 rule 1089/0(match): pass in on bge0: (tos 0x0, ttl 128, id 53635, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.50.50688 > 208.79.211.112.80:  tcp 24 [bad hdr length 8 - too short, < 20]
However, no traffic turns up on 10.0.2.6 in tcpdump on that machine, and I can't figure out what's up with the bad hdr message as I am just making an HTTP request with Firefox. Any clues?
#4
February 7th, 2012, 17:04
SirDice (Moderator)

I don't think you need to do anything on the Swedish side. All traffic is already routed through the VPN as you can reach Norwegian servers from Sweden.

Or am I missing some information?
#5
February 7th, 2012, 21:52
blodan (Junior Member)

Hmm, I don't know what information that would be.

All traffic has the default route to go out the Swedish gateway from the LAN in Sweden; I now want to route all the outgoing traffic on port 80 for a certain IP on the Swedish LAN (in the example above 10.0.0.50).

So if I don't have any nat/route lines in my pf.conf, the HTTP traffic goes out through the Swedish ISP, and what I want to do is route that traffic through the VPN out through the Norwegian ISP. Sorry if this sounds messy; I don't know how to describe it more easily.

Thanks for trying to help!
#6
April 27th, 2012, 17:17
blodan (Junior Member)
Routing traffic through openvpn out on a client

[ merged topic -- Mod. ]

Hi guys!

This is a pretty advanced setup, so bear with me when reading through my description.

To illustrate my setup I have made this image, where the red arrows are the route I do not manage to accomplish, whereas all the grey arrows (normal routing) work fine.
http://www.produktion203.se/routing.jpg

So, simply put, what I'm trying to do is route traffic from my office LAN through openvpn out through another office's internet connection, that office acting as an openvpn client.

Now connecting from 10.0.0.0/24 to 10.0.2.14 works fine and vice-versa.

What I can't accomplish is routing outgoing internet traffic through the openvpn client. I'm trying this by manually adding a route for a site; in this example let's say www.openvpn.net, which has IP 67.228.116.150. So what I do is add a route for it with
Code:
route add 67.228.116.150/32 10.0.2.14
on fw.

Now the traffic to http://www.openvpn.net gets sent through the tun0 interface on fw when I check the interface with tcpdump:
Code:
00:00:00.000000 AF IPv4 (2), length 56: 10.0.0.168.49706 > 67.228.116.150.80: Flags [S], seq 2353234171, win 8192,
 options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:03.004004 AF IPv4 (2), length 56: 10.0.0.168.49706 > 67.228.116.150.80: Flags [S], seq 2353234171, win 8192,
 options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:03.434721 AF IPv4 (2), length 56: 10.0.0.168.49707 > 67.228.116.150.80: Flags [S], seq 375212824, win 8192,
 options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
But it never ends up on the client's tun0 at all, whereas no traffic that does not have a destination of 10.0.2.14 goes to it, even though it's supposed to get routed to it.

I'm thinking I have to enter something in the openvpn config to allow non-vpn-IP traffic to be sent to a vpn-IP, or?

Last edited by DutchDaemon; April 27th, 2012 at 23:14. Reason: Formatting & Style: http://forums.freebsd.org/showthread.php?t=8816 / http://forums.freebsd.org/showthread.php?t=18043
#7
April 27th, 2012, 19:51
blodan (Junior Member)

Yay, got a solution from mokomull on ##freebsd.

Here's what needed to be done in my scenario; this example is for whatsmyip.org:
Add a route on fw telling fw to route traffic for whatsmyip.org to the VPN:
Code:
route add 208.79.0.0/16 10.0.2.14
Now this sends the traffic to tun0 on fw, which I had already managed; however, openvpn did not know what to do with it.

The solution is to add the iroute command to the client's config, in this case
Code:
iroute 208.79.0.0 255.255.0.0
which tells openvpn that that VPN client handles that range.

Traffic now goes through openvpn to the client on 10.0.2.14.

Last edited by DutchDaemon; April 27th, 2012 at 23:11. Reason: Formatting & Style: http://forums.freebsd.org/showthread.php?t=8816 / http://forums.freebsd.org/showthread.php?t=18043
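The fix in post #7 works because a packet bound for an external address has to pass two separate lookups on fw: the kernel route table (which decides it goes into tun0) and OpenVPN's own internal routing table (which decides which connected client gets it, built from each client's virtual address plus any iroute lines). The following is an added model of those two lookups, not code from the thread or from OpenVPN; the uplink interface name bge1 and the client CN office-no are assumed.

```python
# Added example (not from the thread): models the two lookups a packet to an
# external address must pass on the OpenVPN server "fw" from the thread.
# 1) the FreeBSD kernel route table decides whether the packet enters tun0;
# 2) OpenVPN's internal routing table (each client's virtual address plus
#    any "iroute" lines in its client-config-dir file) decides which
#    connected client receives it. A packet that passes (1) but has no match
#    in (2) is dropped by OpenVPN, which is the silent failure in post #6.
from ipaddress import ip_address, ip_network


def longest_match(table, dst):
    """Return the value of the most specific prefix covering dst, else None."""
    dst = ip_address(dst)
    best = None
    for prefix, value in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


# Constructed kernel routes on fw: default via the Swedish ISP, plus the
# "route add 208.79.0.0/16 10.0.2.14" from post #7 (next hop is on tun0).
KERNEL_ROUTES = [
    ("0.0.0.0/0", "bge1"),       # default route, Swedish uplink (assumed name)
    ("10.0.0.0/24", "bge0"),     # office LAN
    ("10.0.2.0/24", "tun0"),     # OpenVPN subnet
    ("208.79.0.0/16", "tun0"),   # whatsmyip.org range via 10.0.2.14
]

# OpenVPN's internal table. Before the fix the Norwegian client (assumed
# CN "office-no") only owns its own virtual address 10.0.2.14.
OVPN_BEFORE = [("10.0.2.14/32", "office-no")]
# After the fix its ccd file also carries "iroute 208.79.0.0 255.255.0.0".
OVPN_AFTER = OVPN_BEFORE + [("208.79.0.0/16", "office-no")]


def forward(dst, ovpn_table):
    """Where does fw send a LAN packet to dst? Returns (egress_if, vpn_client)."""
    egress = longest_match(KERNEL_ROUTES, dst)
    if egress != "tun0":
        return egress, None
    return "tun0", longest_match(ovpn_table, dst)  # None => OpenVPN drops it


if __name__ == "__main__":
    print(forward("208.79.211.112", OVPN_BEFORE))  # ('tun0', None): dropped
    print(forward("208.79.211.112", OVPN_AFTER))   # ('tun0', 'office-no')
```

Note that iroute is a server-side directive: it belongs in the per-client file under the server's client-config-dir (named after the client's certificate CN), not in the client's own configuration, and the kernel route on fw is still required alongside it.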