Non-gateway Ubuntu client for site-to-site
Hey guys and gals, I'm trying to set up a site-to-site SSL/TLS tunnel between a pfSense VPS and an Ubuntu server on my LAN. The Ubuntu server is not the gateway on the LAN. I have been trying to figure this out for 2 days and could really use some assistance!
Tunnel network: 10.99.90.0/30
The tunnel is up; Ubuntu can reach all other sites and their respective clients, and all other sites and their clients can reach the Ubuntu server, but nothing on my home LAN can traverse the tunnel through Ubuntu (or vice-versa). My other sites all have pfSense boxes as their gateways, so that was easy. This is the first time I'm trying to use Ubuntu, because for reasons I can't use pfSense.
I have created static routes on my home gateway to point VPN traffic to the Ubuntu server. So at this point I think I need some iptables rules to tell Ubuntu what to do with the traffic, but I really don't know anything about iptables. Or that may be completely off-base. Does anyone have any suggestions? Please and thanks.
In case it's needed, here is my server config:
    dev ovpns2
    verb 3
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local <<STATIC IP ADDRESS>>
    tls-server
    ifconfig 10.99.90.1 10.99.90.2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<<DOMAIN NAME>>' 1"
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    push "route 10.0.1.0 255.255.255.0"
    route 10.2.1.0 255.255.255.0
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    ncp-ciphers AES-128-GCM
    compress
Client-specific overrides (are these even needed? Should I just configure these settings on the server, since there is only 1 client/site for this server?)
    client-to-client
    push "route 10.3.1.0 255.255.255.0"
    push "route 10.99.99.0 255.255.255.240"
    push "route 10.0.60.0 255.255.255.0"
    iroute 10.3.1.0 255.255.255.0
Client (Ubuntu) config file:
    verb 3
    remote <<PFSENSE IP ADDRESS>>
    tls-client
    dev-type tun
    dev tun
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    ifconfig 10.99.90.2 10.99.90.1
    port 1195
    route 10.0.1.0 255.255.255.0
    route 10.3.1.0 255.255.255.0
    route 10.99.99.0 255.255.255.240
    route 10.0.60.0 255.255.255.0
    ca /etc/openvpn/client/client2.ca
    cert /etc/openvpn/client/client2.cert
    key /etc/openvpn/client/client2.key
    ncp-ciphers AES-128-GCM
    compress
    tls-auth client2.tlskey 0
    key-direction 1
Yes, you need iptables rules. This is more an Ubuntu problem, you should ask them, but I think you need something like:
sudo iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
sudo iptables -I FORWARD 1 -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
"I have created static routes on my home gateway to point VPN traffic to the Ubuntu server."
That will end up in an asymmetric routing issue.
You either need a static route on each device you want access from the remote site, or you do masquerading on Ubuntu like @kiokoman suggested with his first iptables rule.
@viragomann what is the difference in a static route on each device vs a static route on the GW? The routes and the iptables rules serve different purposes, would they not both be necessary?
Static route on the router, where the VPN client is within the same subnet as the other devices you want to access from the remote site:
The packets pass the VPN client (Ubuntu) and reach the destination device. The LAN device sends a response packet to its default gateway, since it has no route to the source IP. The gateway directs the packet to the VPN client.
That will work for stateless connections like ICMP (e.g. pings), but not for TCP, because the router has no state for that connection, so it will drop the response packet and the communication will fail.
If each destination device has a route to the remote network pointing to the VPN client, responses are sent directly to it and the communication works.
Masquerading is a workaround for that and is sufficient for home use. It translates the source addresses of request packets into the LAN interface address when the packets go out to the LAN. So destination devices will send their requests back to the VPN client, which will forward the packets to the original source IP.
That is what the first iptables rule of @kiokoman does.
So you don't need both routes and masquerading. However, you will need lines 2 and 3 of the iptables rules suggested by @kiokoman above anyway.
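The rules discussed in the two replies above, collected into one script, as an added example that is not code from the thread or from any of its participants. It follows the masquerading approach: LAN-initiated flows are hidden behind the tunnel address on the way out (kiokoman's first rule), and flows initiated from the remote sites are hidden behind the Ubuntu box's LAN address on the way in, so LAN hosts reply to the Ubuntu box directly instead of to their default gateway, which is the asymmetric-routing failure viragomann describes for TCP. The interface names eth0 and tun0, the remote-network list (taken from the `route` lines of the posted client config, minus 10.3.1.0/24 which the server iroutes to this client) and the script name are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not code from the thread): forwarding and NAT rules for a
# non-gateway Ubuntu OpenVPN client, following the masquerading approach
# described in the replies above. Interface names and networks are assumptions.
#   sudo ./vpn-forward.sh apply   # install the rules
#   ./vpn-forward.sh show         # print the commands without running them

LAN_IF="${LAN_IF:-eth0}"   # assumed: the Ubuntu box's LAN interface
TUN_IF="${TUN_IF:-tun0}"   # assumed: the interface created by "dev tun"
# Networks on the far side of the tunnel; defaults come from the posted client config.
REMOTE_NETS="${REMOTE_NETS:-10.0.1.0/24 10.99.99.0/28 10.0.60.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Insert a rule at the top of a chain only if an identical rule is not already
# present, so the script can be re-run (e.g. from an OpenVPN --up script)
# without piling up duplicate rules.
add_rule() {
    table="$1"; shift
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -I "$@"
    fi
}

configure_vpn_forwarding() {
    # 1. Without this the kernel never forwards packets between the two interfaces.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. LAN -> remote sites: new flows from the LAN may enter the tunnel.
    add_rule filter FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT

    # 3. Replies to those flows coming back out of the tunnel.
    add_rule filter FORWARD -i "$TUN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 4. LAN-initiated flows leave with the tunnel address (10.99.90.2) as source,
    #    so the remote sites only need a route to the tunnel network, not to the home LAN.
    add_rule nat POSTROUTING -o "$TUN_IF" -j MASQUERADE

    # 5. Remote sites -> LAN: accept new flows only from the known remote networks
    #    and masquerade them behind the Ubuntu LAN address. LAN hosts then answer
    #    the Ubuntu box directly rather than their default gateway, which is what
    #    keeps remote-initiated TCP connections from failing on the asymmetric path.
    for net in $REMOTE_NETS; do
        add_rule filter FORWARD -i "$TUN_IF" -o "$LAN_IF" -s "$net" -j ACCEPT
        add_rule nat POSTROUTING -s "$net" -o "$LAN_IF" -j MASQUERADE
    done
}

case "${1:-}" in
    apply) configure_vpn_forwarding ;;
    show)  DRY_RUN=1; configure_vpn_forwarding ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Two caveats a practitioner should weigh before settling on this. Masquerading toward the LAN (step 5) makes every remote host appear on the LAN as the Ubuntu box's own address, so LAN-side logs, firewall rules and any per-host access control lose the real source; per-device static routes, or a policy route on the gateway as the thread eventually settles on, preserve the real addresses. And neither the sysctl nor the iptables rules survive a reboot on their own: persist the former in /etc/sysctl.d/ and the latter with netfilter-persistent (the iptables-persistent package) or by calling the script from the OpenVPN client's `--up` hook.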
@viragomann Thank you for the explanation, I was able to get it working with the masquerade rule and a local static route.
Is there any way to configure this so that it doesn't require a static route on each device? By moving the ubuntu server to a different subnet maybe?
@bkcberry I was able to fix the asymmetric route with a policy-based route on my router. Thanks everyone!!