Non-gateway ubuntu client for site-to-site



  • Hey guys and gals, I'm trying to set up a site-to-site SSL/TLS tunnel between a pfSense VPS and an Ubuntu server on my LAN. The Ubuntu server is not the gateway on the LAN. I have been trying to figure this out for 2 days and could really use some assistance!

    Pfsense:
    LAN: 10.0.1.0/24
    Tunnel network: 10.99.90.0/30

    Home:
    LAN: 10.2.1.0/24

    The tunnel is up; Ubuntu can reach all other sites and their respective clients, and all other sites and their clients can reach the Ubuntu server, but nothing on my home LAN can traverse the tunnel through Ubuntu (or vice versa). My other sites all have pfSense boxes as their gateways, so that was easy. This is the first time I'm trying to use Ubuntu because, for reasons, I can't use pfSense.

    I have created static routes on my home gateway to point VPN traffic to the Ubuntu server. So at this point I think I need some iptables rules to tell Ubuntu what to do with the traffic, but I really don't know anything about iptables. Or that may be completely off-base. Does anyone have any suggestions? Please and thanks.

    In case it's needed, here is my server config:

    dev ovpns2
    verb 3
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local <<STATIC IP ADDRESS>>
    tls-server
    ifconfig 10.99.90.1 10.99.90.2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<<DOMAIN NAME>>' 1"
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    push "route 10.0.1.0 255.255.255.0"
    route 10.2.1.0 255.255.255.0
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    ncp-ciphers AES-128-GCM
    compress
    

    Client-specific overrides (are these even needed? Should I just configure these settings on the server, since there is only 1 client/site for this server?)

    client-to-client
    push "route 10.3.1.0 255.255.255.0"
    push "route 10.99.99.0 255.255.255.240"
    push "route 10.0.60.0 255.255.255.0"
    iroute 10.3.1.0 255.255.255.0
    

    Client (Ubuntu) config file:

    verb 3
    remote <<PFSENSE IP ADDRESS>>
    tls-client
    dev-type tun
    dev tun
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    ifconfig 10.99.90.2 10.99.90.1
    port 1195
    route 10.0.1.0 255.255.255.0
    route 10.3.1.0 255.255.255.0
    route 10.99.99.0 255.255.255.240
    route 10.0.60.0 255.255.255.0
    ca /etc/openvpn/client/client2.ca
    cert /etc/openvpn/client/client2.cert
    key /etc/openvpn/client/client2.key
    ncp-ciphers AES-128-GCM
    compress
    tls-auth client2.tlskey 0
    key-direction 1
    

  • LAYER 8

    Yes, you need iptables rules. This is more of an Ubuntu problem, you should ask them, but I think you need something like:
    # NAT packets leaving through the tunnel so they carry the tunnel address (tun0 is assumed to be the OpenVPN interface)
    sudo iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
    # let replies for tracked connections come back from the tunnel to the LAN (eth0 is assumed to be the LAN interface)
    sudo iptables -I FORWARD 1 -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # let the LAN open connections into the tunnel
    sudo iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT



  • @bkcberry said in Non-gateway ubuntu client for site-to-site:

    I have created static routes on my home gateway to point VPN traffic to the Ubuntu server.

    That will end up in an asymmetric routing issue.
    You either need a static route on each device you want to access from the remote site, or you do masquerading on Ubuntu like @kiokoman suggested with his first iptables rule.



  • @viragomann What is the difference between a static route on each device and a static route on the GW? The routes and the iptables rules serve different purposes; would they not both be necessary?



  • Static route on the router, with the VPN client in the same subnet as the other devices you want to access from remote:
    The packets pass the VPN client (Ubuntu) and reach the destination device. The LAN device sends a response packet to its default gateway, since it has no route to the source IP. The gateway directs the packet to the VPN client.
    That will work for stateless connections like ICMP (e.g. pings), but not for TCP, because the router has no state for that connection, so it will drop the response packet and the communication will fail.

    If each destination device has a route to the remote network pointing to the VPN client, responses are sent directly to it and the communication works.

    Masquerading is a workaround for that and is sufficient for home use. It translates the source addresses of request packets into the LAN interface address when packets go out to the LAN. So destination devices will send their requests back to the VPN client, which will forward the packets to the original source IP.
    That is what the first iptables rule of @kiokoman does.

    So you don't need both routes and masquerading. However, you will need lines 2 and 3 of the iptables rules suggested by @kiokoman above anyway.
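
    The setup described in the post above, as an added example that is not part of the thread and not anyone's posted configuration: a script for the Ubuntu host that enables IP forwarding, opens the FORWARD chain in both directions between the home LAN and the remote networks that appear in the posted configs, and masquerades packets going out to the home LAN so that home devices answer the Ubuntu box directly instead of sending replies to a gateway that never saw the request. The interface names (eth0 for the LAN NIC, tun0 for OpenVPN's `dev tun`) are assumptions; check them with `ip link`. Running the script without arguments prints the commands for review; `apply` runs them with sudo.

```sh
#!/bin/sh
# Added example, not from the thread: Ubuntu OpenVPN client that routes for a
# home LAN without being its default gateway.
# Assumed interface names (not given on the page): eth0 = LAN NIC, tun0 = OpenVPN.
LAN_IF="${LAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
HOME_LAN="10.2.1.0/24"
# Remote networks routed in the posted client config.
REMOTE_NETS="10.0.1.0/24 10.3.1.0/24 10.0.60.0/24 10.99.99.0/28"

# Emit the commands instead of running them, so the rule set can be reviewed.
gen_rules() {
    # Without forwarding enabled the FORWARD chain is never consulted.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Replies for already-tracked connections, in either direction.
    echo "iptables -I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    for net in $REMOTE_NETS; do
        # Home LAN opening connections into the tunnel.
        echo "iptables -A FORWARD -i $LAN_IF -o $TUN_IF -s $HOME_LAN -d $net -j ACCEPT"
        # Remote site opening connections toward the home LAN.
        echo "iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $net -d $HOME_LAN -j ACCEPT"
    done
    # Everything else crossing this box is dropped explicitly.
    echo "iptables -A FORWARD -j DROP"
    for net in $REMOTE_NETS; do
        # Source-NAT remote requests to this host's LAN address as they leave for
        # the LAN: home devices then reply to this host directly instead of to
        # their default gateway, which has no state for the connection.
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $net -d $HOME_LAN -j MASQUERADE"
    done
}

# Run the generated commands as root.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        eval "sudo $cmd"
    done
}

# Number of FORWARD ACCEPT rules produced; a quick sanity check after editing REMOTE_NETS.
count_accepts() {
    gen_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

    These rules do not survive a reboot on their own: persist them with the iptables-persistent package (`netfilter-persistent save`) and put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/. On a host where ufw manages the chains, the equivalent rules belong in its before.rules file instead. Only the remote-to-home direction is masqueraded here; in the home-to-remote direction the remote pfSense already has `route 10.2.1.0 255.255.255.0`, so replies come back through the tunnel, but a home device that sends its outbound packets via the home gateway still receives the replies straight from the Ubuntu box, and a stateful gateway may drop that half-seen connection. That is the remaining asymmetry, which needs a route on the device or a policy on the router.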



  • @viragomann Thank you for the explanation, I was able to get it working with the masquerade rule and a local static route.

    Is there any way to configure this so that it doesn't require a static route on each device? By moving the ubuntu server to a different subnet maybe?



  • @bkcberry I was able to fix the asymmetric route with a policy-based route on my router. Thanks everyone!!

