Hello, Thank you so much for your reply. You said "The rules seem to assume that Internet traffic *will* go out $IF_MAIN and not enp0s3.", Why enp0s3? I created a virtual NIC (enp0s3:0) and I want my traffic go through it. Am I wrong?
And: # cat /proc/sys/net/ipv4/conf/all/forwarding 1 # # cat /proc/sys/net/ipv4/conf/*/rp_filter 0 0 0 0 0 0 0 Unfortunately, I do not have "/var/log/kern.log" file!!! On the client routing tables are: https://pastebin.mozilla.org/QEVppj9X What is your opinion? On Tuesday, July 25, 2023 at 12:41:23 PM GMT+3:30, Jochen Bern <jochen.b...@binect.de> wrote: On 25.07.23 09:54, Jason Long via Openvpn-users wrote: > enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 > inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255 > enp0s3:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 > inet 10.0.5.20 netmask 255.255.255.0 broadcast 10.0.5.255 ... so you have several distinct subnets attached to the same physical interface ... > I added these iptables rules: > > > # IF_MAIN=enp0s3:0 > # IF_TUNNEL=tun2 > # YOUR_OPENVPN_SUBNET=10.10.0.0/16 > # iptables -I INPUT -p udp --dport 1196 -j ACCEPT > # iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state > ESTABLISHED,RELATED -j ACCEPT > # iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT > # iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j > MASQUERADE > # iptables -A FORWARD -i enp0s8 -o enp0s3:0 -m state --state > ESTABLISHED,RELATED -j ACCEPT > # iptables -A FORWARD -i enp0s3:0 -o enp0s8 -j ACCEPT > # iptables -A FORWARD -j LOG > # iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE I don't see a FORWARD rule specifically permitting clients' traffic to the Internet (-i $IF_TUNNEL -o $IF_MAIN), but then again, we don't see the FORWARD chain's policy, either. The rules seem to assume that Internet traffic *will* go out $IF_MAIN and not enp0s3. Please verify that (been a while since I had a similar setup, so I'm not sure whether you'd have to look at the server's routing table(s) or something else ...). Is the server willing to do forwarding *at all* on the relevant interface(s) (e.g., 'echo 1 >/proc/sys/net/ipv4/conf/all/forwarding')? > C:\>ping 8.8.8.8 > > Pinging 8.8.8.8 with 32 bytes of data: > Request timed out. > Request timed out. > Request timed out. > Request timed out. > > > Ping statistics for 8.8.8.8: > Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), So, what does your "-j LOG" in the FORWARD chain have to say about the fate of the ECHO REQUEST packets? What is your reverse path filtering set to (/proc/sys/net/ipv4/conf/*/rp_filter), any hint in the syslogs that "martians" got discarded (before ever being treated by iptables)? Are you familiar enough with tcpdump or Wireshark to go hunt for what packets go where during the pinging? ... oh, I almost forgot: What does the client have to say about its routing table, once the VPN is up? Do the ECHO REQUESTs actually ever go through the VPN in the first place? Kind regards, -- Jochen Bern Systemingenieur Binect GmbH _______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
