Hi Gonzalo,

Great! That makes sense, since the 192.168.2.0/24 network would not be NAT'ed 
by tun0 anyway.

Thanks for reporting your results.

Lonnie


On Nov 11, 2017, at 1:54 PM, Gonzalo Ibáñez <goniba...@hotmail.com> wrote:

> Thanks Lonnie! 
> 
> It's working now; the key was this:
> 
> «the default OpenVPN Server "tun0" interface is treated as an internal LAN 
> interface»
> 
> I only had to add the «Pass EXT->LAN» rules you mentioned to make it work, no 
> need to disable NAT on tun0 interface as the Openvpn server had already 
> remote networks routed and was not using NAT.
> 
> Thanks for your help as always.
> 
> Gonzalo.
> 
> 
> 
>> 
>> Message: 2
>> Date: Fri, 10 Nov 2017 22:39:11 -0600
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] LAN not able to reach remote network
>>      through Openvpn
>> Message-ID: <e9af4487-54e4-4e3d-8e81-9f0b9a11d...@lonnie.abelbeck.com>
>> Content-Type: text/plain; charset=iso-8859-1
>> 
>> 
>> On Nov 10, 2017, at 7:35 PM, Gonzalo Ibáñez <goniba...@hotmail.com>
>> wrote:
>> 
>>> Hi all,
>>> 
>>> I've a problem that may have been solved before, but I can't find a
>>> solution in the documentation or by searching this list's archive.
>>> 
>>> My scenario is an Astlinux box with only an EXTINF (no LAN interface)
>>> directly connected to my internet router through the local LAN
>>> 192.168.1.0/24. I'm able to access the Astlinux box from the LAN through
>>> EXTINF by adding a 'Pass EXT->Local' firewall rule.
>>> 
>>> The Astlinux server is running an Openvpn server with network
>>> 10.0.0.0/24, and there's a remote location with LAN 192.168.2.0/24
>>> permanently connected by VPN so that they can reach the local LAN
>>> 192.168.1.0/24, but the problem is I can't reach the remote 192.168.2.0/24
>>> from 192.168.1.0/24. 192.168.2.0/24 is reachable directly from the Astlinux
>>> box, so I suspect the problem is related to the NAT/Arno firewall
>>> configuration. I've tried different iptables configurations without
>>> success so far.
>>> 
>>> Any idea?
>> 
>> I think I follow your setup ...
>> 
>> Remote 192.168.2.0/24 is routed to (OpenVPN) 10.0.0.0/24 within
>> AstLinux which is NAT'ed to EXT 192.168.1.0/24, and the return path
>> works via the NAT firewall state.
>> 
>> BTW, the default OpenVPN Server "tun0" interface is treated as an
>> internal LAN interface, which is NAT'ed to the external interface.
>> 
>> For your situation, it may be better if the tun0 interface is routed to
>> the EXT 192.168.1.0/24, but that is a little more complicated.
>> 
>> First, disable NAT for the tun0 interface (OpenVPN Server)
>> 
>> -- Add to /mnt/kd/rc.conf.d/user.conf --
>> NONAT="tun0"
>> --
>> 
>> Second, the 192.168.1.0/24 network must have firewall access to the
>> 192.168.2.0/24 network, that can be done by adding firewall rules for
>> TCP/UDP and ICMP ...
>> --
>> Pass EXT->LAN   Source: 192.168.1.0/24
>> Protocol: [TCP/UDP]  Destination: 192.168.2.0/24  Port: ___  (empty for
>> any port)
>> --
>> Pass EXT->LAN   Source: 192.168.1.0/24
>> Protocol: [ ICMP ]  Destination: 192.168.2.0/24
>> --
>> 
>> Now, restart the firewall via the web interface.
>> 
>> Finally, you need a static route telling your 192.168.1.0/24 network
>> that the 192.168.2.0/24 network is via 192.168.1.nn (the AstLinux box
>> external IP).  Note that this route is not for AstLinux, but rather for
>> the 192.168.1.0/24 router or a specific 192.168.1.0/24 device.
>> 
>> I may have missed something, not tested, but just might work :-)
>> 
>> Be sure to do an "ip r" on AstLinux to make sure all the routes you
>> expect exist.
>> 
>> Lonnie
>> 
>> ------------------------------
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
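Since the fix hinged on which routes the AstLinux box actually has (the "ip r"
check Lonnie suggested), here is a small added example, not AstLinux's own
code, that parses "ip route show" output and reports which of the routes the
thread expects are missing, plus which route a given destination would take.
The sample table is constructed to match the scenario above (EXT on eth0 in
192.168.1.0/24, OpenVPN tun0 on 10.0.0.0/24, remote LAN 192.168.2.0/24 over
the tunnel); the interface names and the next-hop 10.0.0.2 are assumptions.

```python
"""Check a Linux routing table for the routes this thread expects.

Added example; not AstLinux code. Parses iproute2 'ip route show' output
and compares it against a list of expected routes. Interface names (eth0,
tun0) and the OpenVPN peer address 10.0.0.2 are assumed, not taken from
the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of 'ip route show' on the AstLinux box (assumed values).
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.2.0/24 via 10.0.0.2 dev tun0
"""

# iproute2 keywords that are followed by a value; anything else (for
# example 'linkdown' or 'onlink') is a bare flag and is skipped.
KEYED_TOKENS = {"via", "dev", "proto", "scope", "src", "metric", "table"}


@dataclass(frozen=True)
class Route:
    dst: str            # CIDR prefix such as "192.168.2.0/24", or "default"
    dev: Optional[str]  # outgoing interface
    via: Optional[str]  # next-hop gateway, None for directly connected


def parse_ip_route(text: str) -> List[Route]:
    """Parse lines like '192.168.2.0/24 via 10.0.0.2 dev tun0' into Routes."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = tokens[0]
        if dst != "default":
            # Normalise bare hosts ("10.0.0.2") to CIDR ("10.0.0.2/32").
            dst = str(ipaddress.ip_network(dst, strict=False))
        kv = {}
        i = 1
        while i < len(tokens):
            if tokens[i] in KEYED_TOKENS and i + 1 < len(tokens):
                kv[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        routes.append(Route(dst=dst, dev=kv.get("dev"), via=kv.get("via")))
    return routes


def missing_routes(table: List[Route], expected: List[Route]) -> List[Route]:
    """Return the expected routes with no match in the table.

    A match needs the same destination and interface; the gateway is only
    compared when the expected route specifies one.
    """
    return [
        exp for exp in expected
        if not any(
            r.dst == exp.dst and r.dev == exp.dev
            and (exp.via is None or r.via == exp.via)
            for r in table
        )
    ]


def select_route(table: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match: the route the kernel would pick for 'ip'."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network("0.0.0.0/0" if r.dst == "default" else r.dst)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


# Routes the thread's setup relies on: tunnel subnet, EXT LAN, remote LAN.
EXPECTED_ROUTES = [
    Route("10.0.0.0/24", dev="tun0", via=None),
    Route("192.168.1.0/24", dev="eth0", via=None),
    Route("192.168.2.0/24", dev="tun0", via=None),
]

if __name__ == "__main__":
    table = parse_ip_route(SAMPLE_IP_ROUTE)
    for r in missing_routes(table, EXPECTED_ROUTES):
        print("missing:", r)
    print("192.168.2.10 goes out", select_route(table, "192.168.2.10").dev)
```

On a real box, feed it the output of "ip route show" instead of the sample;
an empty missing list means the tunnel and remote-LAN routes are in place, and
the select_route() result shows whether traffic for 192.168.2.0/24 really
leaves via tun0 rather than the default route to the internet router.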

