Hi, let me try to give you more information about this topic.
We have a private network on node Spain2 with address 192.168.148.0/27.
The other private network on node Trento has address 192.168.149.0/27.
On the Spain2 node we have an instance of the OpenVPN server, on the machine
called proxy with address 192.168.148.5.
On the Trento node there is an instance of the OpenVPN client, on the machine
called ecogriddy_proxy with address 192.168.149.12.
The VPN tunnel is working well: from the machine with the OpenVPN server (Spain
node) we can ping (or make HTTP requests to) every machine on the Trento
network (and vice versa).
IP forwarding is enabled on the OpenVPN server and the OpenVPN client, the
machines that actually do the forwarding between tun0, eth0 and the other
machines.
On every host in Spain, static routes are defined to send all the traffic
destined for Trento (192.168.149.0/27) through the gateway 192.168.148.5.
On every host in Trento, static routes are defined to send all the traffic
destined for Spain (192.168.148.0/27) through the gateway 192.168.149.12.
On the OpenVPN server and client there are two iptables rules for
masquerading traffic.
ON SPAIN OPENVPN SERVER
Chain POSTROUTING (policy ACCEPT 681 packets, 47057 bytes)
 pkts bytes target     prot opt in   out  source            destination
   19  1548 MASQUERADE all  --  any  eth0 10.8.0.0/24       anywhere
    9   756 MASQUERADE all  --  any  eth0 192.168.149.0/27  anywhere

ON TRENTO OPENVPN CLIENT
 pkts bytes target     prot opt in   out  source            destination
   41  3132 MASQUERADE all  --  any  eth0 10.8.0.0/24       anywhere
   10   840 MASQUERADE all  --  any  eth0 192.168.148.0/27  anywhere
Every machine has a static route to reach the remote network.
Now let's go through a real example:
from the machine 192.168.148.10, try to ping the Trento OpenVPN client (the
endpoint of the tunnel), 192.168.149.12.
If I sniff the traffic on the Spain OpenVPN server (192.168.148.5) I see the
ICMP echo requests and replies, like this (ns1.spain.ecogriddy.com is
192.168.148.10, a host on the Spain network).
16:09:08.515088 IP ns1.spain.ecogriddy.com > 192.168.149.12: ICMP echo request, id 2327, seq 81, length 64
16:09:08.592832 IP 192.168.149.12 > ns1.spain.ecogriddy.com: ICMP echo reply, id 2327, seq 81, length 64
16:09:09.523047 IP ns1.spain.ecogriddy.com > 192.168.149.12: ICMP echo request, id 2327, seq 82, length 64
16:09:09.598805 IP 192.168.149.12 > ns1.spain.ecogriddy.com: ICMP echo reply, id 2327, seq 82, length 64
16:09:10.531014 IP ns1.spain.ecogriddy.com > 192.168.149.12: ICMP echo request, id 2327, seq 83, length 64
16:09:10.607809 IP 192.168.149.12 > ns1.spain.ecogriddy.com: ICMP echo reply, id 2327, seq 83, length 64
Obviously, if I sniff tun0 I see the same messages, so I know the tunnel is
working, forwarding to the remote client is working, and forwarding between
interfaces is working on both sides of the tunnel.
What happens is that the replies to the packets are not delivered to the
host that made the request by its OpenVPN endpoint.
We think that the replies, sent by the host I pinged, once they arrive at
the other side's endpoint, are masked with the address of the VPN server and
therefore are no longer recognized by the host that made the initial
request. If we *remove* the masquerading, the packets have the *source
address of the other network* and are no longer delivered.
Hope it helps.
Thanks in advance for your efforts.
Sincerely,
–
Luca Silvestri - Founder & CEO @ Ecogriddy
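To follow what each gateway does to the addresses of the request and of the reply in the setup described above, here is a small Python model (an added example, not code from the post or from Ecogriddy) of the two LANs, the tunnel, the static routes and the posted MASQUERADE rules, with a minimal connection-tracking NAT in the style of netfilter: only the first packet of a flow consults the POSTROUTING rules, and replies are translated back from the tracked entry before routing. The tun0 addresses (10.8.0.1 and 10.8.0.6), the route to the remote LAN via tun0 on each gateway (what OpenVPN's route/iroute directives install) and the Trento host 192.168.149.20 are assumptions; the host names, addresses, interfaces and NAT rules are the post's.

```python
"""Hop-by-hop model of the path in the post above: 192.168.148.0/27 and
192.168.149.0/27 joined by OpenVPN, the posted MASQUERADE rules on both
gateways, stateful (conntrack) NAT.  Added example, not the post's code;
tun0 addresses, remote-LAN-via-tun0 routes and host 192.168.149.20 are assumed."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

SPAIN_LAN = ipaddress.ip_network("192.168.148.0/27")
TRENTO_LAN = ipaddress.ip_network("192.168.149.0/27")
TUN_NET = ipaddress.ip_network("10.8.0.0/24")
# ident: ICMP echo id (what conntrack keys ICMP on); reply: matched as a reply.
Packet = namedtuple("Packet", "src dst ident reply", defaults=[False])

@dataclass
class Node:
    name: str
    addrs: dict      # iface -> address
    routes: list     # (prefix, out_iface, next_hop or None when on-link)
    masq: list = field(default_factory=list)      # (out_iface, src_prefix)
    ct_orig: dict = field(default_factory=dict)   # (src, dst, id) -> SNAT src
    ct_reply: dict = field(default_factory=dict)  # reply tuple -> real dst

    def owns(self, ip):
        return ip in self.addrs.values()

    def lookup(self, dst):   # longest-prefix match
        hits = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def track(self, pkt, new_src):
        self.ct_orig[(pkt.src, pkt.dst, pkt.ident)] = new_src
        self.ct_reply[(pkt.dst, new_src, pkt.ident)] = pkt.src

    def conntrack_in(self, pkt):   # PREROUTING/OUTPUT: un-NAT a tracked reply
        real_dst = self.ct_reply.get((pkt.src, pkt.dst, pkt.ident))
        return Packet(pkt.src, real_dst, pkt.ident, True) if real_dst else pkt

    def postrouting(self, pkt, out_iface):   # MASQUERADE: first packet of a flow
        if pkt.reply:
            return pkt
        key = (pkt.src, pkt.dst, pkt.ident)
        if key not in self.ct_orig:
            src_ip = ipaddress.ip_address(pkt.src)
            hit = [i for i, p in self.masq if i == out_iface and src_ip in p]
            self.track(pkt, self.addrs[hit[0]] if hit else pkt.src)
        return Packet(self.ct_orig[key], pkt.dst, pkt.ident)

SEGMENTS = {("ns1", "eth0"): "spain", ("proxy", "eth0"): "spain",
            ("proxy", "tun0"): "tun", ("ecogriddy_proxy", "tun0"): "tun",
            ("ecogriddy_proxy", "eth0"): "trento", ("host20", "eth0"): "trento"}

def build_nodes():
    return {n.name: n for n in [
        Node("ns1", {"eth0": "192.168.148.10"},
             [(SPAIN_LAN, "eth0", None), (TRENTO_LAN, "eth0", "192.168.148.5")]),
        Node("proxy", {"eth0": "192.168.148.5", "tun0": "10.8.0.1"},
             [(SPAIN_LAN, "eth0", None), (TUN_NET, "tun0", None), (TRENTO_LAN, "tun0", None)],
             masq=[("eth0", TUN_NET), ("eth0", TRENTO_LAN)]),
        Node("ecogriddy_proxy", {"eth0": "192.168.149.12", "tun0": "10.8.0.6"},
             [(TRENTO_LAN, "eth0", None), (TUN_NET, "tun0", None), (SPAIN_LAN, "tun0", None)],
             masq=[("eth0", TUN_NET), ("eth0", SPAIN_LAN)]),
        Node("host20", {"eth0": "192.168.149.20"},   # assumed Trento LAN host
             [(TRENTO_LAN, "eth0", None), (SPAIN_LAN, "eth0", "192.168.149.12")])]}

def neighbour(nodes, node, iface, target):   # next node on the link out of iface
    seg = SEGMENTS[(node.name, iface)]
    peers = [n for n in nodes.values() if n is not node
             and any(SEGMENTS.get((n.name, i)) == seg for i in n.addrs)]
    owner = [n for n in peers if n.owns(target)]
    return owner[0] if owner else (peers[0] if len(peers) == 1 else None)

def trace(nodes, start, pkt):   # hops (node, out_iface, src, dst); last is local/drop
    hops, node = [], nodes[start]
    while node is not None and len(hops) < 8:
        pkt = node.conntrack_in(pkt)
        if node.owns(pkt.dst):
            if not pkt.reply:
                node.track(pkt, pkt.src)   # flow first seen on input, no SNAT
            return hops + [(node.name, "local", pkt.src, pkt.dst)]
        route = node.lookup(pkt.dst)
        if route is None:
            break
        _, iface, via = route
        pkt = node.postrouting(pkt, iface)
        hops.append((node.name, iface, pkt.src, pkt.dst))
        node = neighbour(nodes, node, iface, via or pkt.dst)
    return hops + [(getattr(node, "name", "?"), "drop", pkt.src, pkt.dst)]

def echo(nodes, start, src, dst, ident):   # request, then the reply to the src seen
    req = trace(nodes, start, Packet(src, dst, ident))
    if req[-1][1] != "local":
        return req, []
    node, _, seen_src, seen_dst = req[-1]
    return req, trace(nodes, node, Packet(seen_dst, seen_src, ident))

if __name__ == "__main__":
    for hops in echo(build_nodes(), "host20", "192.168.149.20", "192.168.148.10", 4101):
        print(*hops, sep="\n")
```

Run as a script it traces a ping from the assumed Trento host to 192.168.148.10 hop by hop; `echo(build_nodes(), "ns1", "192.168.148.10", "192.168.149.12", 2327)` traces the ping from the post. Because the posted rules match `out eth0` only, a gateway rewrites the source just when it forwards the first packet of a flow onto its own LAN, so the trace makes visible, per flow and per hop, which source address the receiving host ends up seeing and where it sends its reply; that is the thing to check against tcpdump on eth0 and tun0 before changing the real rules.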