I am trying to run a solution based on ClearOS ...
I've read this -> https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_openvpn
And I've established a VPN tun between a ClearOS server and client. I've added "push "redirect-gateway def1 bypass-dhcp"" in clients.conf on the server side. So all my configs are quite default.
But there is no ping from the server side to the client side. I can ping the server (10.8.10.1) from the client, not the client (10.8.10.6) from the server.
What have I missed? And what do I have to do to run traffic from the server side through the VPN tun?
Thanks.
Responses (14)
Nick Howitt wrote:
I still don't see how any of this can work as the furthest the packets can ever go is 10.8.0.6 unless you have some extra routing and firewall rules going on in 10.8.0.6 to get to the 192.168.0.x LAN.
I have a port forwarding rule on the client 10.8.0.6:8082 -> 192.168.0.x:8082, so it's extra routing; that is why telnet 10.8.0.6 8082 works successfully ... isn't it?
So I think there are some problems in my ClearOS settings.
No, I have only this -> $IPTABLES -t nat -A PREROUTING -d XX.XXX.XX.XX -p tcp --dport 8082 -j DNAT --to-destination 10.8.0.6:8082
Does not work.
Accepted Answer
The FORWARD rule should not be needed as all tun+ traffic is allowed by default.
I still don't see how any of this can work as the furthest the packets can ever go is 10.8.0.6 unless you have some extra routing and firewall rules going on in 10.8.0.6 to get to the 192.168.0.x LAN.
Are you in control of the web server? If so, run the OpenVPN client on it. Then you can access it directly. Otherwise look at the link I gave to connect two networks together.
If your webserver is a Windows device, make sure it is accepting packets from outside its own subnet.
Accepted Answer
Now I have:
telnet 10.8.0.6 8082
Trying 10.8.0.6...
Connected to 10.8.0.6.
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -s XX.XXX.XXX.XX/27 --dport 8082 -j DNAT --to-destination 10.8.0.6
$IPTABLES -t nat -A OUTPUT -d XX.XXX.XXX.XX -p tcp --dport 8082 -j DNAT --to-destination 10.8.0.6
$IPTABLES -A FORWARD -p tcp -s XX.XXX.XXX.XX/27 -d 10.8.0.6 --dport 8082 -j ACCEPT
Does not work ...
Accepted Answer
I've set up all forwarding on the client side network.
So now telnet 10.8.0.6 8082 in ClearOS establishes a connection with the target host in the LAN. Does it mean the route is correct?
I think yes, so the last step is forwarding ClearOS:8082 to 10.8.0.6:8082; it's quite the same as giving access to a web server in the LAN behind ClearOS.
Am I wrong?
Accepted Answer
That is a mess. Using ClearOS OpenVPN allows a roadwarrior to connect to ClearOS. It does not contain the configs to address a remote LAN. The problem is more at the pfSense end where you need additional routing. You may do better to see this Howto - Connecting Networks with OpenVPN.
Accepted Answer
What are you trying to do? It looks like you want something on your LAN, when it tries to access ClearOS_IP:8082 to get redirected to 10.8.0.6? In that case the PREROUTING looks OK but I would not specify the port in the --to-destination. The POSTROUTING rule looks wrong and should not have the port specified in the --to-source. I am not even sure if the POSTROUTING rule is needed at all.
You shouldn't open incoming ports at the same time as trying to forward them. All ports are open to the LAN anyway.
Accepted Answer
Thank you for the response.
I've got pinging working. The firewall of the pfSense client requires a special rule for ICMP.
So now I am trying to redirect port 8082 from ClearOS to the LAN. I've set two rules in the custom firewall:
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 8082 -d 10.8.0.6 -j SNAT --to-source "ClearOS IP":8082
$IPTABLES -t nat -A PREROUTING -d "ClearOS IP" -p tcp --dport 8082 -j DNAT --to-destination 10.8.0.6:8082
And I've enabled 8082 in the incoming firewall.
But these do not make my service in the LAN accessible through the public IP of ClearOS.
Looks like I've missed something again; could you advise me please what I have to check?
I checked 10.8.0.6:8082 by telnet; it's active.
Accepted Answer
Generally you'd be using UDP and not TCP, so if everything is as default your subnet is 10.8.0.0/24 and not 10.8.10.0/24. Are you sure of your IP addresses? Also you don't need the "push "redirect-gateway def1 bypass-dhcp"" to establish communication. That is only for if you want all traffic from the client to go through the VPN and not just server subnet traffic.
The other thing to look at is, if you are pinging from your LAN to the Client and your client is Windows, you may need to open up the Windows firewall to your LAN subnet (for pings, or all traffic or specific traffic).
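The subnet point in the reply above can be checked mechanically: a default OpenVPN `server` directive defines the tunnel network, and any peer address outside it (like the 10.8.10.x addresses quoted in the question) will never be reachable over the tun. The script below is an added example, not ClearOS or OpenVPN code; the server config it parses is a constructed sample that mirrors the defaults the reply describes.

```python
import ipaddress
import re

# Constructed sample resembling a default OpenVPN server config; the "push"
# line is the one the original poster added. Not the poster's actual file.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
"""


def parse_tunnel_network(conf_text):
    """Return the tunnel subnet declared by the 'server' directive, or None."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return None


def has_redirect_gateway(conf_text):
    """True if the server pushes redirect-gateway (full tunnel) to clients."""
    return any(re.match(r'\s*push\s+"redirect-gateway', line)
               for line in conf_text.splitlines())


def check_peer_addresses(conf_text, addresses):
    """Map each peer address to whether it lies inside the tunnel subnet."""
    net = parse_tunnel_network(conf_text)
    if net is None:
        raise ValueError("no 'server' directive found in config")
    return {a: ipaddress.ip_address(a) in net for a in addresses}


def diagnose(conf_text, addresses):
    """Return human-readable findings for the symptom described in the thread."""
    findings = []
    net = parse_tunnel_network(conf_text)
    for addr, inside in check_peer_addresses(conf_text, addresses).items():
        if not inside:
            findings.append(f"{addr} is outside tunnel subnet {net}; check the IPs")
    if has_redirect_gateway(conf_text):
        findings.append("redirect-gateway is pushed: not needed for basic "
                        "server<->client reachability, only for full tunnel")
    return findings
```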