Re: [Shorewall-users] R: DNAT on openvpn client over OPENWRT

Thu, 27 Jul 2017 09:03:57 -0700 

On 07/27/2017 07:07 AM, Ivan wrote:

> Hello all,
> 
> I have an Debian server with shorewall (version 4.6.4.3), on the same
> server is installed an OpenVPN Server, on remote site I have a
> LEDE/OpenWRT router with an OpenVPN Client connected to previous server.
> 
> This is my network:
> 
> Office with Debian Server
> 
>  1. Eth0: internal network with address 192.168.1.1 (subnet 192.168.1.0/24)
>  2. Eth1: external network with address 192.168.0.2 connected to
>     provider router;
>  3. Tun0: OpenVPN Network with subnet 192.168.250.0/24
> 
> Home with LEDE/OpenWRT Router
> 
>  1. The router is connected to internet through an LTE USB key;
>  2. On the router is running OpenVN Client connected to server with IP
>     Address: 192.168.250.122
>  3. The internal network have the subnet 192.168.0.0/24
> 
>  
> 
> I need to expose a my home internal Web Server host (running on address
> 192.168.0.4) through my Office internet network.
> 
> I configured Shorewall, OpenWRT and OpenVPN to do it and I’m able to
> reach the server from I internal office network connecting to OpenVPN
> client IP (192.168.250.122), but I’m not able to reach the web server
> from internet following this route:
> 
>  
> 
> Internet -> external office IP Address -> 192.168.0.2 -> 192.168.1.1 ->
> 192.168.250.122 -> 192.168.0.4
> 
>  
> 
> I believe that the issue is related to a wrong MASQ/SNAT configuration,
> because into OpenWRT router logs I saw the request but the Source IP
> Address is the original one instead of the office IP Address, is it true?
> 
> I which way should I configure masquerade to solve this issue?
> 

Sounds like, on the Office "Server" (which isn't really a server - it's
a gateway/router), you need this masq entry:

tun0    !192.168.1.0/24

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to