Hello, I'm having troubles with a DNAT rule to forward traffic (in this case TCP port 80) across an OpenVPN tunnel. I believe the problem might be routing but I'm not quite sure - I hope i'm giving enough detail.
My Setup: Server (Linux - Shorewall, OpenVPN) External IP: 216.223.xxx.12 (eth0) OpenVPN Server: 172.20.15.1 (tun0) Client (Linux - Shorewall, OpenVPN) External IP: 152.222.xxx.91 (eth0) OpenVPN (client IP): 172.20.15.6 (tun1) Local IP (firewall internal interface):10.1.1.1 (eth1) What works: - The client connects to the server and using the iroute directive in OpenVPN, if I SSH to the server I can 'reach' any clients on the subnet of the client. EX: I can ping workstations on the 10.1.1.0/24 network, or RDP. - I can 'reach' the server from the local subnet - traffic in both directions works as expected - Shorewall is configured as expected and everything works except the port forwarding rule described below What doesn't work: - packets seem to be dropped to a server on the client subnet (server IP: 10.1.1.99) when I use a DNAT rule to port forward TCP port 80 traffic. I should be clear that when I implement the following DNAT rule packets reach the destination (10.1.1.99) - I can see them using the debug or info LOG directives in shorewall. I suppose it sort of 'half works'. However, when I run netstat -na on that server, I see multiple SYN_RECV entries and none which are ESTABLISHED. Eventually the connection fails/times out (I am testing externally as I'm clear that this cannot be tested on an internal system): ON the Server: (rule) DNATnetvpn:10.1.1.99tcp 80 -216.223.xxx.12 To dig a bit deeper I ran TCPDUMP on 10.1.1.99 and opened the results in Wireshark to see what was happening. It appears that packets reach the server, but are either dropped (without a SYN-ACK) or are going out the gateway of the client (152.222.xxx.91) instead of traversing the vpn tunnel back to the server and out that gateway. I'm not sure of that last sentence, but I think the latter of the two is correct. I have deployed Mr. Eastep's suggestion for split internal/external DNS so clients can reach the destination server from the local subnet. Everything is working as expected except for this translation across the VPN. I hope I've given enough information - it's the first time I've asked a question; I also hope the format in which I've asked is sufficent. Thank you kindly for your time. Mike ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
