Hi Gonzalo,

Great! That makes sense since the 192.168.2.0/24 network would not be NAT'ed by tun0 anyway.

Thanks for reporting your results.

Lonnie

On Nov 11, 2017, at 1:54 PM, Gonzalo Ibáñez <goniba...@hotmail.com> wrote:

> Thanks Lonnie!
>
> It's working now; the key was this:
>
> «the default OpenVPN Server "tun0" interface is treated as an internal LAN interface»
>
> I only had to add the «Pass EXT->LAN» rules you mentioned to make it work, no need to disable NAT on the tun0 interface as the OpenVPN server already had the remote networks routed and was not using NAT.
>
> Thanks for your help as always.
>
> Gonzalo.
>
>> Message: 2
>> Date: Fri, 10 Nov 2017 22:39:11 -0600
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] LAN not able to reach remote network through Openvpn
>> Message-ID: <e9af4487-54e4-4e3d-8e81-9f0b9a11d...@lonnie.abelbeck.com>
>> Content-Type: text/plain; charset=iso-8859-1
>>
>> On Nov 10, 2017, at 7:35 PM, Gonzalo Ibáñez <goniba...@hotmail.com> wrote:
>>
>>> Hi all,
>>>
>>> I've a problem that maybe has been solved before, but I can't find a solution through the documentation or by searching this list archive.
>>>
>>> My scenario is an AstLinux box with only an EXTIF (no LAN interface) directly connected to my internet router through the local LAN 192.168.1.0/24. I'm able to access the AstLinux box from the LAN through EXTIF by adding a 'Pass EXT->Local' firewall rule.
>>>
>>> The AstLinux server is running an OpenVPN server with network 10.0.0.0/24, and there's a remote location with LAN 192.168.2.0/24 permanently connected by VPN so that it can reach the local LAN 192.168.1.0/24, but the problem is I can't reach the remote 192.168.2.0/24 from 192.168.1.0/24. 192.168.2.0/24 is reachable directly from the AstLinux box, so I suspect the problem is related to the NAT/Arno firewall configuration. I've tried different iptables configurations without success so far.
>>>
>>> Any idea?
>>
>> I think I follow your setup ...
>>
>> Remote 192.168.2.0/24 is routed to (OpenVPN) 10.0.0.0/24 within AstLinux, which is NAT'ed to EXT 192.168.1.0/24, and the return path works via the NAT firewall state.
>>
>> BTW, the default OpenVPN Server "tun0" interface is treated as an internal LAN interface, which is NAT'ed to the external interface.
>>
>> For your situation, it may be better if the tun0 interface is routed to the EXT 192.168.1.0/24, but that is a little more complicated.
>>
>> First, disable NAT for the tun0 interface (OpenVPN Server)
>>
>> -- Add to /mnt/kd/rc.conf.d/user.conf --
>> NONAT="tun0"
>> --
>>
>> Second, the 192.168.1.0/24 network must have firewall access to the 192.168.2.0/24 network; that can be done by adding firewall rules for TCP/UDP and ICMP ...
>> --
>> Pass EXT->LAN   Source: 192.168.1.0/24   Protocol: [TCP/UDP]   Destination: 192.168.2.0/24   Port: ___ (empty for any port)
>> --
>> Pass EXT->LAN   Source: 192.168.1.0/24   Protocol: [ ICMP ]   Destination: 192.168.2.0/24
>> --
>>
>> Now, restart the firewall via the web interface.
>>
>> Finally, you need a static route telling your 192.168.1.0/24 network that the 192.168.2.0/24 network is via 192.168.1.nn (the AstLinux box external IP). Note that this route is not for AstLinux, but rather for the 192.168.1.0/24 router or a specific 192.168.1.0/24 device.
>>
>> I may have missed something, not tested, but just might work :-)
>>
>> Be sure to do a "ip r" on AstLinux to make sure all the routes you expect exist.
>>
>> Lonnie
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
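The thread's last step is to check "ip r" on the AstLinux box. The following script is an added example, not code from the thread or the AstLinux project: it parses saved "ip r" and "iptables -t nat -S POSTROUTING" output to confirm that the remote LAN is routed over tun0 and to report whether tun0 sources are still NAT'ed to the external interface. The sample output, eth0 as EXTIF, and the NAT rule format are constructed assumptions.

```shell
#!/bin/sh
# Added example; constructed "ip r" output for the thread's addresses.
# Assumes eth0 is EXTIF on 192.168.1.0/24 and tun0 is the OpenVPN server.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.2.0/24 via 10.0.0.2 dev tun0'

# Constructed "iptables -t nat -S POSTROUTING" with tun0 still NAT'ed
# (the assumed rule shape when NONAT="tun0" is not set).
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE'

# route_dev PREFIX ROUTES: print the "dev" of the route whose destination
# is exactly PREFIX (e.g. 192.168.2.0/24); prints nothing if absent.
route_dev() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == p { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# nat_applies_to SRCNET NATRULES: succeed when a MASQUERADE or SNAT rule
# in the POSTROUTING listing matches sources in SRCNET.
nat_applies_to() {
    printf '%s\n' "$2" | grep -qE -- "^-A POSTROUTING -s $1 .*-j (MASQUERADE|SNAT)"
}

# report REMOTE VPNNET ROUTES NATRULES: describe which of the two setups
# from the thread the box is in. Returns 0 when REMOTE is reached over
# tun0, 1 otherwise.
report() {
    remote=$1 vpnnet=$2 routes=$3 nat=$4
    dev=$(route_dev "$remote" "$routes")
    if [ "$dev" != tun0 ]; then
        echo "no route to $remote over tun0 (got '${dev:-none}'): fix the OpenVPN routes first"
        return 1
    fi
    if nat_applies_to "$vpnnet" "$nat" || nat_applies_to "$remote" "$nat"; then
        echo "$remote via tun0, tun0 NAT'ed to EXT: add Pass EXT->LAN rules for 192.168.1.0/24 -> $remote"
    else
        echo "$remote via tun0, NAT disabled: add Pass EXT->LAN rules and a static route for $remote on the 192.168.1.0/24 side"
    fi
    return 0
}

report 192.168.2.0/24 10.0.0.0/24 "$SAMPLE_ROUTES" "$SAMPLE_NAT"
```

Run it against real output with `report 192.168.2.0/24 10.0.0.0/24 "$(ip r)" "$(iptables -t nat -S POSTROUTING)"`.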