Jump to content
Not connected, Your IP: 3.12.163.23
Sign in to follow this  
Sanctioner

Setup VPN Client in Fedora 28 Server Dual-Homed Bastion for rest of network to use

Recommended Posts

Hello,

 

I am having a difficult time trying to route any traffic through vpn, including on the local box.  The server is a dual-homed bastion host that separates the main router from everything else.  I am trying to allow the reset of my network to use the vpn tunnel without having to install vpn clients on all machines, some of which I lack permission or ability to do.

 

Fedora28 Server, cli only

 

nmcli output

br0: connected to Bridge br0
        "br0"
        bridge, 00:01:xx:xx:xx:xx, sw, mtu 1500
        ip4 default
        inet4 172.16.10.10/24
        inet6 fe80::201:2eff:fe80:416d/64

enp2s0: connected to enp2s0
        "Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller"
        ethernet (r8169), 00:01:2E:80:41:6D, hw, mtu 1500
        master br0

enp3s0: connected to enp3s0
        "Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller"
        ethernet (r8169), 00:01:2E:80:41:6E, hw, mtu 1500
        master br0

tun0: connected to tun0
        "tun0"
        tun, sw, mtu 1500
        inet4 10.5.0.94/16
        inet6 fe80::8c10:f423:4998:6ba9/64

wlp1s0: disconnected
        "Intel Wireless 3165 (Dual Band Wireless AC 3165)"
        wifi (iwlwifi), 46:2B:B5:D1:D6:65, hw, mtu 1500

lo: unmanaged
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
        servers: 10.4.0.1 10.5.0.1
        interface: br0

 

Routing Table

[xxx@xxx network-scripts]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.10.1     0.0.0.0         UG    425    0        0 br0
10.5.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
172.16.10.0     0.0.0.0         255.255.255.0   U     425    0        0 br0

 

AirVPN config

client
dev tun0
remote 64.120.44.138 443
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
route-delay 5
verb 3
auth-user-pass /etc/openvpn/client/airvpn.proxyauth
auth-nocache
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
proto tcp
key-direction 1
route-nopull

 

ifcfg-br0

[xxx@xxx network-scripts]# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
GATEWAY=172.16.10.1
IPADDR=172.16.10.10
NETMASK=255.255.255.0
DNS1=10.4.0.1
DNS2=10.5.0.1
ZONE=

 

Only other relevant thing I can think of is masking out firewalld and installing iptables-service.

 

I would like to be able to receive DNS Pushes also, but if that can't be done, i can use the static ones.

 

I've scoured the internet but everything I try either doesn't work or makes it worse, so I've reset things back to the above config.

 

How do I make any of this work?

 

-sanc

Share this post


Link to post

I'm not sure if I understand your setup correctly. Basically, you use the Fedora server as a router for your network? Couple of things about your AirVPN config:

 

auth-user-pass /etc/openvpn/client/airvpn.proxyauth

 

What is this line about? Where have you defined the keys/certtificates for AirVPN? What do OpenVPN logs say?

 

route-nopull

 

If you use that option, you need to set your routes manually. I think your routing table is not set up correctly as nowhere does it define OpenVPN via tun0 as gateway. Also, have you set forwarding rules to the tun0 interface?

Share this post


Link to post

Hi, thanks for the reply.

 

The server is currently not set up as a router on the network.  It is setup bridged only.  It is in between 2 routers and is currently only facilitating the passing of traffic.

 

openvpn logs are clean, no errors, and i am able to connect fine, just no traffic goes out on it.

 

the certificates are in the same file as the rest of the vpn config, i just left it out.  airvpn creates the file this like from its wizard and with the the user-auth-pass for the username/password file.  It does work though as I can currently connect.

 

I have set up forwarding rules in iptables but it had zero effect.

IPT="/sbin/iptables"
EXT_IF="enp2s0"
INT_IF="enp3s0"
BR1_IF="br0"
TUN1_IF="tun0"

INT_NET="172.16.10.0/24"
TUN1_IPS="173.234.159.194 64.120.44.138 104.243.24.235"

# Forward traffic to VPN
$IPT -I FORWARD -i ${BR1_IF} -o ${TUN1_IF} -j ACCEPT
$IPT -I FORWARD -i ${TUN1_IF} -o ${BR1_IF} -j ACCEPT
$IPT -t nat -A POSTROUTING -i ${INT_IF} -o ${TUN1_IF} -j MASQUERADE

$IPT -A INPUT  -i ${TUN1_IF} -m conntrack --ctstate ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${TUN1_IF} -j ACCEPT

if [[ ! -z ${TUN1_IPS} ]]; then
  for tn in ${TUN1_IPS}; do
    $IPT -A OUTPUT -o ${TUN1_IF} -d ${tn}/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  done
fi

 

but now that you mentioned routing, I removed the vpn route-nopull as you mentioned and noticed an error in one of the rules and changed it to this (thanks!)

$IPT -t nat -A POSTROUTING -s ${INT_NET} -o ${TUN1_IF} -j MASQUERADE

 

the routing table now says

[xxx@xxx ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.5.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.16.10.1     0.0.0.0         UG    425    0        0 br0
10.5.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
104.243.24.235  172.16.10.1     255.255.255.255 UGH   0      0        0 br0
128.0.0.0       10.5.0.1        128.0.0.0       UG    0      0        0 tun0
172.16.10.0     0.0.0.0         255.255.255.0   U     425    0        0 br0

 

And the server-initiated connections are now routing through the tunnel

traceroute to google.com (172.217.15.78), 30 hops max, 60 byte packets
 1  10.5.0.1 (10.5.0.1)  19.506 ms  41.710 ms  61.872 ms
 2  104.243.24.1 (104.243.24.1)  61.960 ms  61.912 ms  61.862 ms
 3  162.213.24.125 (162.213.24.125)  61.604 ms  61.560 ms  61.514 ms
 4  10ge12-2.core1.phl1.he.net (216.66.70.117)  61.566 ms  61.516 ms  61.465 ms
 5  10ge6-18.core1.nyc4.he.net (184.105.223.221)  61.400 ms  61.343 ms  61.295 ms
 6  core1-0-0-8.lga.net.google.com (198.32.118.39)  61.249 ms  28.652 ms  27.363 ms
 7  108.170.248.99 (108.170.248.99)  62.781 ms 108.170.248.20 (108.170.248.20)  62.845 ms 108.170.248.35 (108.170.248.35)  56.776 ms
 8  209.85.255.27 (209.85.255.27)  62.755 ms 216.239.58.121 (216.239.58.121)  62.665 ms 108.170.226.123 (108.170.226.123)  62.645 ms
 9  108.170.236.133 (108.170.236.133)  62.660 ms 108.177.3.53 (108.177.3.53)  76.653 ms 108.177.3.59 (108.177.3.59)  96.705 ms
10  216.239.50.96 (216.239.50.96)  62.590 ms 108.170.232.198 (108.170.232.198)  62.499 ms  62.481 ms
11  108.170.246.33 (108.170.246.33)  76.503 ms 108.170.246.65 (108.170.246.65)  62.422 ms  76.325 ms
12  209.85.251.83 (209.85.251.83)  69.452 ms 74.125.252.39 (74.125.252.39)  99.792 ms  34.229 ms
13  iad23s63-in-f14.1e100.net (172.217.15.78)  94.397 ms  94.416 ms  94.177 ms

 

However, the traffic passing through the server from behind it is not.  This is from a windows box a few nodes behind it.

C:\Users\xxx>tracert google.com

Tracing route to google.com [172.217.10.14]
over a maximum of 30 hops:

  1     3 ms    <1 ms    <1 ms  172.18.10.1
  2     1 ms    <1 ms    <1 ms  172.17.10.1
  3     2 ms     2 ms     2 ms  172.16.10.1
  4     3 ms     2 ms     2 ms  192.168.100.1
  5    59 ms    19 ms    10 ms  lo0-100.BSTNMA-VFTTP-303.verizon-gni.net [71.174.211.1]
  6    19 ms    11 ms    12 ms  B3303.BSTNMA-LCR-21.verizon-gni.net [100.41.216.156]
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    16 ms    18 ms    16 ms  0.et-9-0-2.GW15.NYC1.ALTER.NET [140.222.1.43]
 10    20 ms    20 ms    18 ms  72.14.208.130
 11     *        *        *     Request timed out.
 12    17 ms    17 ms    17 ms  108.170.237.206
 13    18 ms    19 ms    19 ms  108.170.248.66
 14    19 ms    19 ms    19 ms  209.85.254.239
 15    15 ms    17 ms    16 ms  209.85.255.26
 16    19 ms    19 ms    19 ms  108.170.248.97
 17    16 ms    17 ms    16 ms  216.239.62.149
 18    16 ms    16 ms    17 ms  lga34s12-in-f14.1e100.net [172.217.10.14]

 

Thanks for getting me this far.

 

What might I be missing that it's only routing local/output connections and not forwarded connections?

 

thanks,

-sanc

Share this post


Link to post

This post comes up high on internet searches, so i'll just update it by saying that this was due to bridges operating at the link layer.  ebtables controls this, not iptables, but i think you can still pre-route the packets to jump it to the network layer and out the OUTPUT chain in iptables where it's easier to send it out to virtual interfaces.  i decided to get rid of the bridge and set it up as a router instead.  it is now easier to work with.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...