hi all,
This is how my VPN network used to look (all working). I'm trying to set it up again; here is my master drawing (the dotted line is the internet, the potato-shaped circles represent local networks in different geographic locations with their own ISPs that connect to the Internet via their respective "Modem Router MRx").
Box: Modem/Router MR1
WAN is fiber (fiber goes in house), Public dynamic IPv4 (not shared, no ipv6) linked to domain poopeyhead.org
Modem/Router local LAN IP: 10.133.133.254/24
Local LAN: 10.133.133.0/24
DNS that local LAN clients use: 10.133.133.254/24 and some use PI-hole DNS on 10.133.133.6/24
OpenVPN Server is running in this local LAN on 10.133.133.3/24
PI-hole is running in this local LAN on 10.133.133.6/24 (no DHCP enabled)
Box: Modem/Router MR2
WAN is ADSL (crappy old phone line goes in house), Public dynamic IP (SHARED, so no dedicated WAN IP, no IPv6), linked to no domain/ddns service
Modem/Router local LAN IP: 10.0.0.1/24
Local LAN: 10.0.0.0/24
DNS that local LAN clients use: 10.0.0.1/24
Box: Modem/Router MR3
WAN is fiber (fiber goes in house), Public dynamic IP (not shared, ipv6 disabled) linked to no domain/ddns service
Modem/Router local LAN IP: 192.168.2.1/24
Local LAN: 192.168.2.0/24
DNS that local LAN clients use: 192.168.2.1/24
Box: Mobile 1
WAN: Mobile Phone Internet via SIM; I think these are also public dynamic shared IPs, and I don't have it linked to any domain or ddns service.
Basically I just have Android and iOS smartphones on which I have OpenVPN clients installed and loaded the profiles for my OpenVPN server, and I connect using the phone internet.
Box: Mobile 2, wifi hotspot from own smartphone or public wifis
This is in essence the same as Mobile 1 with the hotspot function of the smartphone activated, meaning e.g. my laptop wifi connects to the smartphone wifi to use its internet to access the internet.
It should also cover when e.g. I'm using the free or paid wifi of a hotel/restaurant/airport with my laptop or mobile phone and want to establish a VPN connection from my device directly.
Info on the OpenVPN Server in main Box: Modem/Router MR1
OpenVPN server is running on Arch Linux on 10.133.133.3/24, port 33420, UDP (the modem/router at 10.133.133.254/24 is forwarding that UDP port to this machine).
I have 3 network devices:
enp7s0 is configured to be 10.133.133.3/24, gw 10.133.133.254, dns 10.133.133.6
enp11s0 is configured to be 10.133.133.4/24, gw 10.133.133.254, dns 10.133.133.6
enp12s0 is configured to be 10.133.133.5/24, gw 10.133.133.254, dns 10.133.133.6
OpenVPN version 2.6.10
OpenSSL 3.3.0
Linux 6.6.31-1-lts
relevant bits from my vpn server.conf:
Code:
# parts from config:
dev tun0
port 33420
proto udp4
topology subnet
# VPN server and clients will be on this IP range
server 10.8.0.0 255.255.255.0
# share VPN server local LAN with VPN clients
push "route 10.133.133.0 255.255.255.0"
# make VPN clients able to reach each other as if they were on the local LAN
push "route 10.8.0.0 255.255.255.0"
# make VPN clients use the Pi-hole DNS server set up on the local LAN 10.133.133.0/24
push "dhcp-option DNS 10.133.133.6"
# make all clients push their traffic through the VPN server, so the public IP of any VPN client should be the one of poopyhead.org
push "redirect-gateway def1"
keepalive 10 120
persist-tun
persist-key
key-direction 0
# this and the next lines are so that client local LANs are also shared and accessible across VPN clients/network
client-config-dir /etc/openvpn/ccd
route 10.0.0.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-to-client
local 10.133.133.3
OpenVPN clients connect using a profile. All clients on the VPN network are configured to have static OpenVPN IPs via the entries in the CCD directory on the OpenVPN server; sample client20.conf from a PC on Box: Modem/Router MR3:
Code:
client
pull
tls-client
askpass /etc/openvpn/client/foobar.txt
dev tun0
auth-nocache
proto udp4
remote poopeyhead.org 32400
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
remote-cert-tls server
key-direction 1
CCD directory file entry on server: /etc/openvpn/ccd/client20
Code:
ifconfig-push 10.8.0.100 255.255.255.0
iroute 10.133.133.0 255.255.255.0
All modems/routers are fairly simple, ISP-provided devices (so not much to configure): I can configure simple things like port forwarding, DHCP server, local LAN range etc., but nothing beyond that. The firewall and such things are turned off for now to get things properly working. All 3 modem/routers from the picture have a DHCP server running for their respective local LAN with the modem/router IP as DNS and gateway, but most machines on any of my local LANs are configured with static IPs on the local LAN, using the respective modem/router IP as DNS and gateway.
The OpenVPN server should route all traffic of clients through it, so the WAN IP of any client should be the WAN IP of the OpenVPN server.
The local server LAN 10.133.133.0/24 needs to be reachable to all VPN clients.
The local LANs of any VPN client should be reachable to all VPN clients, so VPN clients also need to be able to reach each other.
Ideally all clients should use the Pi-hole DNS server on 10.133.133.6/24, but I think that might lead to DNS leaks? If so, then I would want all clients to use the other DNS server, 10.133.133.254/24.
The Pi-hole and some PCs on the local LAN 10.133.133.0/24 are also OpenVPN clients with their own profiles that connect to the OpenVPN server at 10.133.133.3/24; for these I do not use the domain in the VPN client configs but the internal LAN IP 10.133.133.3 to reach the VPN server.
I'm able to establish the VPN connection from the different clients, and I also manage to ping clients on 10.8.0.0/24, but DNS resolution does not seem to work (I'm trying with Pi-hole DNS pushing and also tried the modem/router IP); I do not seem to be able to reach those IPs from clients when connected (ping fails, and nslookup fails too of course, because no DNS server can be reached).
I would like to have a simple iptables setup (not using anything else) to get the routing and access between the networks working, ideally specific to interface enp7s0. I have read a lot and tried a lot, but it is a topic that is difficult for me to understand, and just copy/pasting rules and trying stuff is driving me mad. Any help appreciated.
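As an added example (not part of the original post): a minimal iptables rule set for the server host described above, assuming the interface names, port and subnets exactly as posted (enp7s0, tun0, UDP 33420, 10.8.0.0/24, 10.133.133.0/24, 10.0.0.0/24, 192.168.2.0/24). The script prints the rules for review and only executes them when run with `apply` as its first argument.

```shell
#!/bin/sh
# Added example, not from the original post: minimal iptables rule set for the
# OpenVPN gateway at 10.133.133.3 (enp7s0, tun0, VPN subnet 10.8.0.0/24 as posted).
# Run with "apply" as the first argument to execute; otherwise the rules are printed.
LAN_IF=enp7s0
VPN_IF=tun0
VPN_PORT=33420
VPN_NET=10.8.0.0/24
# LANs behind the VPN clients (from the route/iroute lines in server.conf and ccd)
CLIENT_LANS="10.0.0.0/24 192.168.2.0/24"

vpn_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# only forward what is listed below; INPUT policy is left alone to avoid lock-out
iptables -P FORWARD DROP
# the OpenVPN handshake itself, port-forwarded from MR1
iptables -A INPUT -i $LAN_IF -p udp --dport $VPN_PORT -j ACCEPT
# tunnel clients may talk to the gateway host itself (e.g. SSH)
iptables -A INPUT -i $VPN_IF -j ACCEPT
# tunnel -> LAN/internet, and only replies to those flows back into the tunnel
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# client-to-client and client-LAN-to-client-LAN traffic never leaves tun0
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -j ACCEPT
EOF
    # MR1 (ISP box) cannot hold a static route back to 10.8.0.0/24 or the remote
    # LANs, so hide those sources behind 10.133.133.3; Pi-hole then sees queries
    # from 10.133.133.3 and answers them like any other LAN host.
    for net in $VPN_NET $CLIENT_LANS; do
        echo "iptables -t nat -A POSTROUTING -s $net -o $LAN_IF -j MASQUERADE"
    done
}

# Count of generated MASQUERADE rules; handy sanity check before applying.
masq_count() {
    vpn_rules | grep -c MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    vpn_rules | sh
else
    vpn_rules
fi
```

Two things worth checking alongside the rules, both visible in the posted configs: the ccd/client20 file carries `iroute 10.133.133.0 255.255.255.0`, which is the server's own LAN, whereas a client on MR3 would need `iroute 192.168.2.0 255.255.255.0` for the server's `route 192.168.2.0` line to have a destination; and the client profile's `remote poopeyhead.org 32400` does not match the server's `port 33420`.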