Skip to content

Instantly share code, notes, and snippets.

@oc

oc/00

Last active August 29, 2015 14:05
Show Gist options
  • Save oc/6db46ea473141b12f689 to your computer and use it in GitHub Desktop.
Save oc/6db46ea473141b12f689 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
00
Server
Public IP: 1.2.3.150 (eth0)
LAN: 10.0.0.150 (eth1)
MGMT: 10.2.2.150 (eth1:1)
tun0: 10.9.8.1
Problem: doesn't route traffic (iptables foo)
Raw
client (osx)
$ cat cli.conf
remote 1.2.3.150
dev tun
ifconfig 10.9.8.2 10.9.8.1
secret static.key
$ ifconfig utun0
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.9.8.2 --> 10.9.8.1 netmask 0xffffffff
###
### Able to ping the server over the tunnel:
###
$ ping -c3 10.9.8.1
PING 10.9.8.1 (10.9.8.1): 56 data bytes
64 bytes from 10.9.8.1: icmp_seq=0 ttl=64 time=1.692 ms
64 bytes from 10.9.8.1: icmp_seq=1 ttl=64 time=2.004 ms
64 bytes from 10.9.8.1: icmp_seq=2 ttl=64 time=1.717 ms
--- 10.9.8.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.692/1.804/2.004/0.142 ms
$ route get 10.2.2.136
route to: 10.2.2.136
destination: 10.2.2.128
mask: 255.255.255.128
gateway: 10.9.8.1
interface: utun0
flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 0
###
### Able to ping the server on its lan if (eth1)
###
$ ping -c 1 10.0.0.150
PING 10.0.0.150 (10.0.0.150): 56 data bytes
64 bytes from 10.0.0.150: icmp_seq=0 ttl=64 time=2.523 ms
--- 10.0.0.150 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.523/2.523/2.523/0.000 ms
###
### Able to ping the MGMT if (eth1:1)
###
$ ping -c 1 10.2.2.150
PING 10.2.2.150 (10.2.2.150): 56 data bytes
64 bytes from 10.2.2.150: icmp_seq=0 ttl=64 time=2.523 ms
--- 10.2.2.150 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.523/2.523/2.523/0.000 ms
###
### !!!!!!!!!!! Unable to ping the target server
###
$ ping -c 1 10.2.2.136
PING 10.2.2.136 (10.2.2.136): 56 data bytes
--- 10.2.2.136 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
Raw
server
vpn-gw # cat /etc/openvpn/server.conf
dev tun
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key
log-append /var/log/openvpn.log
vpn-gw # ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:1c:d3:38
inet addr:1.2.3.150 Bcast:1.2.3.255 Mask:255.255.255.128
inet6 addr: xxxxx/64 Scope:Global
inet6 addr: xxxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21185480 errors:0 dropped:1823 overruns:0 frame:0
TX packets:8832792 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7297081040 (6.7 GiB) TX bytes:1048387837 (999.8 MiB)
eth1 Link encap:Ethernet HWaddr 00:50:56:83:8c:b3
inet addr:10.0.0.150 Bcast:10.0.206.255 Mask:255.255.255.128
inet6 addr: xxxx/64 Scope:Global
inet6 addr: xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12962537 errors:0 dropped:1823 overruns:0 frame:0
TX packets:6461804 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2225301454 (2.0 GiB) TX bytes:5005574628 (4.6 GiB)
eth1:1 Link encap:Ethernet HWaddr 00:50:56:83:8c:b3
inet addr:10.2.2.150 Bcast:10.2.2.255 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2582065 errors:0 dropped:0 overruns:0 frame:0
TX packets:2582065 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:448139488 (427.3 MiB) TX bytes:448139488 (427.3 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.9.8.1 P-t-P:10.9.8.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:160 errors:0 dropped:0 overruns:0 frame:0
TX packets:81 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:14925 (14.5 KiB) TX bytes:10587 (10.3 KiB)
vpn-gw # cat /proc/sys/net/ipv4/ip_forward
1
vpn-gw # iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -s 4.3.2.1/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1:1 -o eth0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth1:1 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
###
### Able to ping the client over the VPN tun
###
vpn-gw# ping -c1 10.9.8.2
PING 10.9.8.2 (10.9.8.2) 56(84) bytes of data.
64 bytes from 10.9.8.2: icmp_req=1 ttl=64 time=1.60 ms
--- 10.9.8.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.607/1.607/1.607/0.000 ms
###
### Able to ping the target server
###
vpn-gw # ping -c1 10.2.2.136
PING 10.2.2.136 (10.2.2.136) 56(84) bytes of data.
64 bytes from 10.2.2.136: icmp_req=1 ttl=64 time=0.232 ms
--- 10.2.2.136 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.232/0.232/0.232/0.000 ms
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment