Thanks Lonnie! 

It's working now; the key was this:

«the default OpenVPN Server "tun0" interface is treated as an internal LAN 
interface»

I only had to add the «Pass EXT->LAN» rules you mentioned to make it work; no 
need to disable NAT on the tun0 interface, as the OpenVPN server already had the 
remote networks routed and was not using NAT.

Thanks for your help as always.

Gonzalo.



>
>Message: 2
>Date: Fri, 10 Nov 2017 22:39:11 -0600
>From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
>Subject: Re: [Astlinux-users] LAN not able to reach remote network
>       through Openvpn
>Message-ID: <e9af4487-54e4-4e3d-8e81-9f0b9a11d...@lonnie.abelbeck.com>
>Content-Type: text/plain; charset=iso-8859-1
>
>
>On Nov 10, 2017, at 7:35 PM, Gonzalo Ibáñez <goniba...@hotmail.com>
>wrote:
>
>> Hi all,
>> 
>> I've a problem that maybe has been solved before, but I can't find a
>solution through documentation nor by searching this list's archive.
>> 
>> My scenario is an Astlinux box with only an EXTINF (no LAN interface)
>directly connected to my internet router through the local LAN
>192.168.1.0/24. I'm able to access Astlinux box from LAN through EXTINF
>by adding a 'Pass EXT->Local' firewall rule.
>> 
>> The Astlinux server is running an Openvpn server with network
>10.0.0.0/24 and there's a remote location with LAN 192.168.2.0/24
>permanently connected by vpn so that they can reach local LAN
>192.168.1.0/24 but the problem is I can't reach remote 192.168.2.0/24
>from 192.168.1.0/24. 192.168.2.0/24 is reachable directly from Astlinux
>box so I suspect the problem is related to NAT/Arno firewall
>configuration. I've tried different iptables configurations without
>success so far.
>> 
>> Any idea? 
>
>I think I follow your setup ...
>
>Remote 192.168.2.0/24 is routed to (OpenVPN) 10.0.0.0/24 within
>AstLinux which is NAT'ed to EXT 192.168.1.0/24, and the return path
>works via the NAT firewall state.
>
>BTW, the default OpenVPN Server "tun0" interface is treated as an
>internal LAN interface, which is NAT'ed to the external interface.
>
>For your situation, it may be better if the tun0 interface is routed to
>the EXT 192.168.1.0/24, but that is a little more complicated.
>
>First, disable NAT for the tun0 interface (OpenVPN Server)
>
>-- Add to /mnt/kd/rc.conf.d/user.conf --
>NONAT="tun0"
>--
>
>Second, the 192.168.1.0/24 network must have firewall access to the
>192.168.2.0/24 network, that can be done by adding firewall rules for
>TCP/UDP and ICMP ...
>--
>Pass EXT->LAN   Source: 192.168.1.0/24
>Protocol: [TCP/UDP]  Destination: 192.168.2.0/24  Port: ___  (empty for
>any port)
>--
>Pass EXT->LAN   Source: 192.168.1.0/24
>Protocol: [ ICMP ]  Destination: 192.168.2.0/24
>--
>
>Now, restart the firewall via the web interface.
>
>Finally, you need a static route telling your 192.168.1.0/24 network
>that the 192.168.2.0/24 network is via 192.168.1.nn (the AstLinux box
>external IP).  Note that this route is not for AstLinux, but rather for
>the 192.168.1.0/24 router or a specific 192.168.1.0/24 device.
>
>I may have missed something, not tested, but just might work :-)
>
>Be sure to do a "ip r" on AstLinux to make sure all the routes exist
>you expect.
>
>Lonnie
>
>
>
>
>
>
>
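Lonnie's recipe depends on three things being true on the AstLinux box: a route for the remote 192.168.2.0/24 network that actually points at tun0 (his "do an `ip r`" check), the NONAT setting if you choose the routed variant, and then a static route on the LAN router. The script below is an added example, not AstLinux code and not from either poster: it takes the text of `ip r` and of `/mnt/kd/rc.conf.d/user.conf` as arguments so it can be checked offline, and tells you which of the two return-path models (NAT state vs. static route on the 192.168.1.0/24 router) you are in. The sample route table and conf fragment are constructed; the next-hop 10.0.0.2, the EXT address 192.168.1.50, and the assumption that `NONAT` is a space-separated interface list are mine, not from the thread.

```shell
#!/bin/sh
# Added example: offline check of the routing/NAT pieces the thread's recipe relies on.
# Inputs are plain text so the functions can be exercised without a live AstLinux box.

# Constructed sample of `ip r` output on the AstLinux box (addresses are made up).
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.2.0/24 via 10.0.0.2 dev tun0'

# Constructed fragment of /mnt/kd/rc.conf.d/user.conf (Lonnie's routed variant).
SAMPLE_USER_CONF='# constructed user.conf fragment
NONAT="tun0"'

# route_dev PREFIX ROUTES: print the device of the route whose destination is
# exactly PREFIX; exit 1 when no such route exists.
route_dev() {
  printf '%s\n' "$2" | awk -v net="$1" '
    $1 == net {
      for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit }
    }
    END { exit (found ? 0 : 1) }'
}

# nonat_has IFACE CONF: exit 0 when the NONAT="..." line in CONF lists IFACE.
# Assumes NONAT is a space-separated list of interface names.
nonat_has() {
  printf '%s\n' "$2" | sed -n 's/^NONAT="\([^"]*\)".*/\1/p' | tr ' ' '\n' | grep -qx "$1"
}

# check_vpn_routing REMOTE_NET VPN_IF ROUTES CONF
# Prints one line per finding; returns 1 on the first hard failure.
check_vpn_routing() {
  remote=$1 vpnif=$2 routes=$3 conf=$4
  dev=$(route_dev "$remote" "$routes") || {
    echo "FAIL: no route to $remote on this box (the OpenVPN server must route it)"
    return 1
  }
  [ "$dev" = "$vpnif" ] || {
    echo "FAIL: $remote is routed via $dev, expected $vpnif"
    return 1
  }
  echo "ok: $remote via $dev"
  if nonat_has "$vpnif" "$conf"; then
    # Routed variant: replies from the remote LAN arrive unNATed, so the
    # 192.168.1.0/24 router (or each host) needs a static route back to EXT.
    echo "ok: NONAT covers $vpnif; add a static route for $remote via this box's EXT IP on the LAN router"
  else
    # Default variant: tun0 is NATed to EXT and replies ride on the NAT state,
    # so only the EXT->LAN pass rules are needed.
    echo "note: $vpnif is still NATed to EXT; replies rely on firewall NAT state plus the EXT->LAN pass rules"
  fi
  return 0
}

# Run against the constructed samples; on a real box use:
#   check_vpn_routing 192.168.2.0/24 tun0 "$(ip r)" "$(cat /mnt/kd/rc.conf.d/user.conf)"
check_vpn_routing 192.168.2.0/24 tun0 "$SAMPLE_ROUTES" "$SAMPLE_USER_CONF"
```

The exact-prefix match in `route_dev` is deliberate: a longer or shorter prefix that happens to cover the remote network would still appear in `ip r`, but it is not the route Lonnie asked you to confirm, so the check reports it as missing rather than guessing.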