Iptables/TC: how to make masqueraded traffic go through an openVPN tun0?
Hi all!
We have a setup of three computers:

Machine A (eth0) -> Machine B (eth0, hso0, tun0) -> Machine C (eth0, tun0)

hso0 is the packet interface of a 3G modem; it behaves like a normal network interface. Machine B and C are connected in a VPN using openVPN (TCP). Machine A is a client that receives Network-configuration using DHCP from Machine B automatically.

Machine A eth0 : DHCP
Machine B eth0 : 192.168.2.1
Machine B hso0 : Static IP addr, Internet use
Machine B tun0 : 10.11.0.10 (openVPN client)
Machine C eth0 : Static IP addr, Internet use
Machine C tun0 : 10.11.0.1 (openVPN server)

OpenVPN (server) is configured to allow Internet-traffic to its clients. Code in server.conf:

    # Make sure clients traverse tun0 when accessing Internet
    push "redirect-gateway def1"
    # Push a DNS server (handled by openVPN)
    push "dhcp-option DNS 10.11.0.1"

We're having issues making Machine C release Internet traffic from Machine A. Note that we have set up masquerading on Machine B using iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE. Currently iptables on Machine B and Machine C have a policy of ACCEPT.

We have managed to make traffic from Machine A reach Machine C, but only with the internal IP of 192.168.2.48 (DHCP). OpenVPN drops those packets (as it should!) because they come from 192.* and not 10.*

Is there a way to solve this? Thank you!
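An added example, not part of the original post or any reply: MASQUERADE rewrites the source address only on packets leaving through the interface its rule matches, so this script reads `iptables-save` style nat dumps and reports which source address the VPN peer would see for Machine A's traffic leaving via tun0. Both dumps are constructed from the post's description, and the `/24` netmask and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Both sample dumps are constructed.

# Machine B's nat table as the opening post describes it: masquerade on eth0 only.
dump_as_posted() {
  cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Assumed alternative: the LAN (192.168.2.0/24, netmask assumed) masqueraded into tun0.
dump_via_tunnel() {
  cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE
COMMIT
EOF
}

# Read iptables-save output on stdin; print the -o interface of every
# POSTROUTING MASQUERADE rule ("any" if the rule has no -o match).
# Simplification: rules with negated matches ("!") are skipped, and
# other matches such as -s are not evaluated.
masq_ifaces() {
  awk '$1 == "-A" && $2 == "POSTROUTING" {
    out = "any"; masq = 0; neg = 0
    for (i = 3; i <= NF; i++) {
      if ($i == "!") neg = 1
      if ($i == "-o") out = $(i + 1)
      if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
    }
    if (masq && !neg) print out
  }'
}

# source_seen_by_peer DUMP_FN EGRESS_IF CLIENT_IP EGRESS_IF_IP
# Print the source address the far end sees for a packet forwarded out EGRESS_IF.
source_seen_by_peer() {
  if "$1" | masq_ifaces | grep -q -x -e "$2" -e any; then
    echo "$4"   # rewritten to the egress interface address
  else
    echo "$3"   # left as the LAN client address
  fi
}

source_seen_by_peer dump_as_posted tun0 192.168.2.48 10.11.0.10
source_seen_by_peer dump_via_tunnel tun0 192.168.2.48 10.11.0.10
```

On a live system the same check can be fed from `iptables-save -t nat` instead of the constructed dumps.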
Explore options to iptables command
Before making NAT for -o eth0 you give

    iptables -t nat -I POSTROUTING -p 50 -j ACCEPT

Here 50 is the protocol number for ipsec-ESP. You may need to add a similar iptables rule for --proto 51, i.e. ipsec-AH.
IP Tables
Linux IPTables, Linux IPChains, BSD IPF and other packet filters do not prevent Snort from seeing a packet that is present on the network wire. Even if an inbound packet is denied by the packet filter, Snort will still see and analyze the packet if it is listening to that interface.
--------------------------------
Angelinjones