Max
Resolved
0 votes
I am trying to run a solution based on ClearOS ...

I've read this -> https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_openvpn
And I've established a VPN tun between a ClearOS server and a client. I've added "push "redirect-gateway def1 bypass-dhcp"" in clients.conf on the server side. So all my configs are quite default.

But there is no ping from the server side to the client side. I can ping the server (10.8.10.1) from the client, but not the client (10.8.10.6) from the server.

What have I missed? And what do I have to do to run traffic from the server side through the VPN tun?

Thanks.
In OpenVPN
Sunday, January 12 2020, 10:24 PM
Responses (14)
  • Accepted Answer

    Sunday, January 19 2020, 09:49 PM - #Permalink
    Resolved
    0 votes
    Thinking about it, perhaps that traffic does not exist as it is encapsulated in an OpenVPN packet by then.
  • Accepted Answer

    Max
    Sunday, January 19 2020, 09:01 PM - #Permalink
    Resolved
    0 votes
    I've tried $IPTABLES -t nat -A POSTROUTING -p tcp --dport 8082 -d 10.8.0.6 -j SNAT --to-source XX.XXX.XXX.XX
    Does not work ...

    Seems forwarding does not work in my ClearOS installation.
    How can I check whether the system really does prerouting or not?
    Are there appropriate logs in ClearOS?
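    One way to answer the "does prerouting really happen" question from rule counters instead of guesswork, as an added example that is not from this thread: it parses constructed `iptables-save -c` output (203.0.113.10 stands in for the masked ClearOS public IP in the posts) and flags the port-in-target issue the replies in this thread point out.

```python
import re

# Constructed sample of `iptables-save -c` output, not taken from the thread;
# 203.0.113.10 stands in for the ClearOS public IP (XX.XXX.XXX.XX in the posts).
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [5021:310442]
:POSTROUTING ACCEPT [812:61240]
[17:1020] -A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8082 -j DNAT --to-destination 10.8.0.6:8082
[0:0] -A POSTROUTING -d 10.8.0.6/32 -p tcp -m tcp --dport 8082 -j SNAT --to-source 203.0.113.10:8082
COMMIT
"""

RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


def parse_counted_rules(dump):
    """One dict per rule line: chain, packet/byte counters and the rule body."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"chain": m.group(3), "pkts": int(m.group(1)),
                          "bytes": int(m.group(2)), "body": m.group(4)})
    return rules


def nat_target(body):
    """Return (kind, value) for a --to-destination/--to-source target, or None."""
    m = re.search(r"--to-(destination|source)\s+(\S+)", body)
    return (m.group(1), m.group(2)) if m else None


def diagnose(dump, dport):
    """Findings for the NAT rules that match --dport <dport>."""
    findings, hits = [], {}
    for r in parse_counted_rules(dump):
        if f"--dport {dport}" not in r["body"]:
            continue
        hits[r["chain"]] = r["pkts"]
        findings.append(f"{r['chain']}: {r['pkts']} packets matched")
        tgt = nat_target(r["body"])
        if tgt and ":" in tgt[1]:
            # SNAT with :port rewrites the source port of every forwarded packet;
            # the thread's advice is to give the bare IP. For DNAT it is merely redundant.
            why = "pins the reply source port" if tgt[0] == "source" else "is redundant"
            findings.append(f"{r['chain']}: --to-{tgt[0]} {tgt[1]} carries a port, which {why}")
    if hits.get("PREROUTING", 0) > 0 and hits.get("POSTROUTING", 0) == 0:
        findings.append("DNAT happens but nothing reaches POSTROUTING: check ip_forward, "
                        "the route to the tun client and the FORWARD chain")
    return findings
```

    Run it against the real output of `iptables-save -c -t nat` on the ClearOS box: a PREROUTING counter that never increases means the packets never arrive, while DNAT hits without POSTROUTING hits point at forwarding or routing rather than NAT.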
  • Accepted Answer

    Sunday, January 19 2020, 12:50 PM - #Permalink
    Resolved
    0 votes
    So perhaps you need your POSTROUTING rule to SNAT the return packet but don't SNAT the port, just the IP address.
  • Accepted Answer

    Max
    Sunday, January 19 2020, 11:49 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:
    I still don't see how any of this can work as the furthest the packets can ever go is 10.8.0.6 unless you have some extra routing and firewall rules going on in 10.8.0.6 to get to the 192.168.0.x LAN.


    I have a port forwarding rule on the client 10.8.0.6:8082 -> 192.168.0.x:8082, so it's extra routing; that is why telnet 10.8.0.6 8082 works successfully ... isn't it?

    So I think there are some problems in my ClearOS settings.
    Now I have only this -> $IPTABLES -t nat -A PREROUTING -d XX.XXX.XX.XX -p tcp --dport 8082 -j DNAT --to-destination 10.8.0.6:8082

    Does not work.
  • Accepted Answer

    Sunday, January 19 2020, 09:27 AM - #Permalink
    Resolved
    0 votes
    The FORWARD rule should not be needed as all tun+ traffic is allowed by default.

    I still don't see how any of this can work as the furthest the packets can ever go is 10.8.0.6 unless you have some extra routing and firewall rules going on in 10.8.0.6 to get to the 192.168.0.x LAN.

    Are you in control of the web server? If so, run the OpenVPN client on it. Then you can access it directly. Otherwise look at the link I gave to connect two networks together.

    If your webserver is a Windows device, make sure it is accepting packets from outside its own subnet.
  • Accepted Answer

    Max
    Saturday, January 18 2020, 10:35 PM - #Permalink
    Resolved
    0 votes
    Now I have:

    telnet 10.8.0.6 8082
    Trying 10.8.0.6...
    Connected to 10.8.0.6.

    $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -s XX.XXX.XXX.XX/27 --dport 8082 -j DNAT --to-destination 10.8.0.6
    $IPTABLES -t nat -A OUTPUT -d XX.XXX.XXX.XX -p tcp --dport 8082 -j DNAT --to-destination 10.8.0.6
    $IPTABLES -A FORWARD -p tcp -s XX.XXX.XXX.XX/27 -d 10.8.0.6 --dport 8082 -j ACCEPT

    Does not work ...
  • Accepted Answer

    Max
    Saturday, January 18 2020, 08:53 PM - #Permalink
    Resolved
    0 votes
    I've set up all forwarding on the client side network.
    So now telnet 10.8.0.6 8082 in ClearOS establishes a connection with the target host in the LAN. Does it mean the route is correct?
    I think yes, so the last step is forwarding ClearOS:8082 to 10.8.0.6 8082; it's quite the same as giving access to a web server in a LAN behind the ClearOS.

    Am I wrong ?
  • Accepted Answer

    Saturday, January 18 2020, 07:56 PM - #Permalink
    Resolved
    0 votes
    That is a mess. Using ClearOS OpenVPN allows a roadwarrior to connect to ClearOS. It does not contain the configs to address a remote LAN. The problem is more at the pfSense end where you need additional routing. You may do better to see this Howto - Connecting Networks with OpenVPN.
  • Accepted Answer

    Max
    Saturday, January 18 2020, 06:30 PM - #Permalink
    Resolved
    0 votes
    Ok.

    <-Internet -> ClearOS server (VPN 10.8.0.1) <- VPN tun -> pfSense( VPN 10.8.0.6) <- LAN(192.168.1.x)-> WebServer

    ClearOS has webconfig on port 81
    I need WebServer to be available on port 8082 of ClearOS
  • Accepted Answer

    Saturday, January 18 2020, 05:58 PM - #Permalink
    Resolved
    0 votes
    I'm sorry but I can't picture your set up. Can you do a brief diagram with IP Addresses and subnets?
  • Accepted Answer

    Max
    Saturday, January 18 2020, 05:40 PM - #Permalink
    Resolved
    0 votes
    I need access to a web server in a LAN through the static IP of the ClearOS server.
    The LAN does not have a static IP; it's only connected to ClearOS by VPN.
    So I've opened the port which I want to forward to the LAN.
  • Accepted Answer

    Friday, January 17 2020, 09:18 PM - #Permalink
    Resolved
    0 votes
    What are you trying to do? It looks like you want something on your LAN, when it tries to access ClearOS_IP:8082 to get redirected to 10.8.0.6? In that case the PREROUTING looks OK but I would not specify the port in the --to-destination. The POSTROUTING rule looks wrong and should not have the port specified in the --to-source. I am not even sure if the POSTROUTING rule is needed at all.

    You shouldn't open incoming ports at the same time as trying to forward them. All ports are open to the LAN anyway.
  • Accepted Answer

    Max
    Friday, January 17 2020, 08:06 PM - #Permalink
    Resolved
    0 votes
    Thank you for response.

    I've got pinging working. The firewall of the pfSense client requires a special rule for ICMP.

    So now I am trying to redirect port 8082 from ClearOS to the LAN. I've set two rules in the custom firewall:
    $IPTABLES -t nat -A POSTROUTING -p tcp --dport 8082 -d 10.8.0.6 -j SNAT --to-source "ClearOS IP":8082
    $IPTABLES -t nat -A PREROUTING -d "ClearOS IP" -p tcp --dport 8082 -j DNAT --to-destination 10.8.0.6:8082
    And I've enabled 8082 for incoming firewall.

    But these do not make my service in the LAN accessible through the public IP of ClearOS.

    It looks like I've missed something again; could you advise me please, what do I have to check?

    I checked 10.8.0.6:8082 by telnet, it's active.
  • Accepted Answer

    Monday, January 13 2020, 08:54 AM - #Permalink
    Resolved
    0 votes
    Generally you'd be using UDP and not TCP, so if everything is as default your subnet is 10.8.0.0/24 and not 10.8.10.0/24. Are you sure of your IP addresses? Also you don't need the "push "redirect-gateway def1 bypass-dhcp"" to establish communication. That is only for if you want all traffic from the client to go through the VPN and not just server subnet traffic.

    The other thing to look at is, if you are pinging from your LAN to the Client and your client is Windows, you may need to open up the Windows firewall to your LAN subnet (for pings, or all traffic or specific traffic).