I am trying to configure OpenVPN Access Server to route certain traffic through an IPSec tunnel established on the OpenVPN server. These are the addressing details:
- OpenVPN client IP range:
10.0.1.0/24
- OpenVPN server IP (where clients connect to):
x.x.x.x
- IPSec tunnel peer:
y.y.y.y
- IPSec tunnel subnets:
(x.x.x.x) 10.0.1.0/24 <--> 172.30.239.0/25 (y.y.y.y)
The expected behavior from the point of the OpenVPN client is this:
curl 172.30.239.75
-> traffic will go from the client to the OpenVPN server, be routed through the IPSec tunnel, and end up in the172.30.239.0/25
networkcurl google.com
-> traffic will go from the client to the OpenVPN server and to the public internet through its default gateway (not using the IPSec tunnel at all)
I thought this configuration would "just work", since the OpenVPN clients get their IP addresses assigned from the same subnet as the IPSec tunnel, but sadly that is not the case.
I am able to reach the far IPSec subnet directly from the OpenVPN server with e.g. curl 172.30.239.75
, so the tunnel and some routing is working. But running the same request from an OpenVPN client just times out (tcpdump
shows that the request arrives at the OpenVPN server but it ends there).
I am completely lost at what I should try next. Could you help me out? I am pretty new to this so detailed answers would be really appreciated! This question is related to this one I made earlier but that did not have enough details for the actual implementation.
Below I tried to collect relevant configuration but if there is anything else that would be important, please let me know.
I have not added any custom interfaces, routes nor iptables rules. All those that I tried either didn't have any effect or messed something up, so the output below is what was configured by OpenVPN and IPSec.
Interfaces
$ ifconfig (truncated)
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.1.1 netmask 255.255.255.128 destination 10.0.1.1
as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.1.129 netmask 255.255.255.128 destination 10.0.1.129
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet x.x.x.x netmask 255.255.252.0 broadcast x.x.x.x
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.7.177 netmask 255.255.252.0 broadcast 10.1.7.255
Routing
The [gw.gw.gw.gw]
below is the IP address of the default gateway of the eth0 iface
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 10.1.4.1 255.0.0.0 UG 0 0 0 eth1
10.0.1.0 0.0.0.0 255.255.255.128 U 0 0 0 as0t0
10.0.1.128 0.0.0.0 255.255.255.128 U 0 0 0 as0t1
10.1.4.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1
169.254.169.254 10.1.4.1 255.255.255.255 UGH 0 0 0 eth1
x.x.x.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
$ ip route list table all
172.30.239.0/25 via [gw.gw.gw.gw] dev eth0 table 220 proto static src 10.0.1.1
default via [gw.gw.gw.gw] dev eth0
10.0.1.0/25 dev as0t0 proto kernel scope link src 10.0.1.1
10.0.1.128/25 dev as0t1 proto kernel scope link src 10.0.1.129
x.x.x.0/22 dev eth0 proto kernel scope link src x.x.x.x
broadcast 10.0.1.0 dev as0t0 table local proto kernel scope link src 10.0.1.1
local 10.0.1.1 dev as0t0 table local proto kernel scope host src 10.0.1.1
broadcast 10.0.1.127 dev as0t0 table local proto kernel scope link src 10.0.1.1
broadcast 10.0.1.128 dev as0t1 table local proto kernel scope link src 10.0.1.129
local 10.0.1.129 dev as0t1 table local proto kernel scope host src 10.0.1.129
broadcast 10.0.1.255 dev as0t1 table local proto kernel scope link src 10.0.1.129
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast x.x.x.0 dev eth0 table local proto kernel scope link src x.x.x.x
local x.x.x.x dev eth0 table local proto kernel scope host src x.x.x.x
broadcast 185.26.51.255 dev eth0 table local proto kernel scope link src x.x.x.x
iptables
iptables-save
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*nat
:PREROUTING ACCEPT [655:63952]
:INPUT ACCEPT [82:5300]
:OUTPUT ACCEPT [72:5613]
:POSTROUTING ACCEPT [72:5613]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o eth0 -j SNAT --to-source x.x.x.x
-A AS0_NAT -o eth1 -j SNAT --to-source 10.1.7.177
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 10.0.1.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*mangle
:PREROUTING ACCEPT [48:3312]
:INPUT ACCEPT [19672:4609821]
:FORWARD ACCEPT [32480:9628950]
:OUTPUT ACCEPT [18602:11259270]
:POSTROUTING ACCEPT [51071:20887532]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*filter
:INPUT ACCEPT [12:660]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18526:11256230]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.1.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 10.0.1.0/24 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -s 10.0.1.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021
I also tried not having the OpenVPN client IP subnet and IPSec tunnel subnet overlap, but I could not figure out a way to set up the routing in this case either. That setup is definitely an option though, if that way would be better.
The solution was really simple in the end and could be done purely from the OpenVPN AS Web UI.
All that I had to do was
VPN Settings > Routing
Should VPN clients have access to private subnets (non-public networks on the server side)?
toYes, using routing
172.30.239.0/25
). This is important. I have been previously filling in the local subnet of the tunnel (10.0.1.0/24
), which is incorrect.After this the OpenVPN AS generated the following
iptables
rules (picked just the ones related to the subnet):And things work.