BrainEater

A little Cranky, Need Help With OpenVPN, Raspberry pi

10 posts in this topic

Posted (edited)

So I really need help. I thought I had everything squared up and ready, but I tried to connect externally this afternoon and found a large hole in my plan (a little cranky). I have everything working great except external access to my OpenVPN server. For more information please read the below link:

https://forums.hak5.org/index.php?/topi ... vpn-build/

Long story short, I need to access my server from outside the network. The setup is my OpenVPN server on a Raspberry Pi running Raspbian, which is on local IP 10.1.1.101, and I run all of its traffic through another Raspberry Pi configured as a gateway with the IP of 10.1.1.102, then out to the Internet. Everything is working great internally; I just need to know what I have to do to access it externally. The default gateway for the gateway Pi is 10.1.1.1.
Edited by BrainEater

Is it not possible to port forward on your router to the OpenVPN Pi server?


I have done that; that's how I had it working externally before I changed the gateway to run it through the second VPN. But I believe there is an issue with port forwarding to the server, because the gateway is on another server again, so the traffic passes through another server, another gateway (the one I changed it to), a different port and then finally to the PiVPN server. So the port can't be forwarded to the PiVPN server, as that's not technically where the traffic is. I need a way to have the client respond back through the current gateway and then to the PiVPN server. Or for some bright spark to come up with an idea I haven't thought of. Loads of smart minds on this forum.


I have a feeling I need to do something like this. 

# Create an alternate routing table
echo "1 NOVPN" >> /etc/iproute2/rt_tables

# Create the routes for this table
# Actually, you just want to set the default gateway
ip route add default via 192.168.1.1 dev eth0 table NOVPN

# Check results with
ip route show table NOVPN

# Now tell the kernel that this routing table should be used when 
# a packet waiting to be routed has a specific "mark"
ip rule add from all fwmark 0x1 lookup NOVPN

# Then mark all the required packets with the same mark use above
iptables -t mangle -I OUTPUT -p tcp --sport 22 -j MARK --set-mark 1 
iptables -t mangle -I OUTPUT -p tcp --sport 80 -j MARK --set-mark 1 

Does this look like something I need to try? Don't want to start messing with iptables if it is unnecessary.


Posted (edited)

Having a bit of trouble understanding your setup. These pictures are what I'm envisioning your setup currently is, and what you're trying to do with external access:

[attached images: 02.png, 01.png]

Is that correct or am I wrong?

Edited by kdodge

Yeah mate, that's it. The only other thing is there is another computer on my LAN between the OpenVPN server and the Nord server as a Nord client. Sorry if I didn't explain myself too well.


Ok, I think I understand now. Sounds like you might need to somehow masquerade the external packets so that they look like they are on 10.1.1.0/24, in order for the Pi server to see them.

Understand that I don't have your exact setup to test this (kinda trial and error), but my initial thought is this on the OpenVPN Pi server:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp ! -d 10.1.1.0/24 -j DNAT --to-destination 10.1.1.101:1234
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 10.1.1.101 --sport 1234 -j MASQUERADE

(hopefully) would allow you to test this externally, with the OpenVPN Pi server not using the router as the gateway. This is a simple network test for connectivity:

$ while [ true ]; do echo 'hello world' | nc -l 1234; done

I think you'll need DNAT+MASQUERADE or you'll need DNAT+SNAT, but I'm thinking the former. It might also be possible to bounce packets through the NordVPN server to the OpenVPN Pi server, but I think the easiest thing to do is work with the first one for now.

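The policy-routing approach sketched in BrainEater's fwmark snippet, written out as an added script (not code from the thread) for the setup kdodge's NAT post discusses: replies leaving the OpenVPN port are marked and routed back through the LAN router, while everything else on the Pi keeps the NordVPN gateway Pi as its default route. It assumes OpenVPN on UDP 1194 with the router port-forwarding 1194 to 10.1.1.101, eth0 as the Pi's LAN interface, and an arbitrary table id and mark value; without --apply it only prints the commands it would run.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed: OpenVPN listens on
# UDP 1194, the Pi's LAN interface is eth0, the router (10.1.1.1) forwards
# 1194 to this Pi, and the main table's default route points at the
# NordVPN gateway Pi (10.1.1.102). Table id 100 and mark 0x1 are arbitrary.
set -e

LAN_IF="${LAN_IF:-eth0}"
ROUTER="${ROUTER:-10.1.1.1}"       # LAN router that holds the port forward
VPN_PORT="${VPN_PORT:-1194}"       # OpenVPN listening port (assumption)
VPN_PROTO="${VPN_PROTO:-udp}"      # OpenVPN transport (assumption)
TABLE_ID=100
TABLE_NAME=NOVPN
MARK=0x1
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register the table name once, so re-running does not append duplicates.
ensure_table() {
    if ! grep -qs "[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables; then
        run sh -c "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
    fi
}

# 1. The alternate table holds a single default route via the LAN router.
# 2. Packets carrying the mark are looked up in that table instead of main.
# 3. Locally generated packets leaving from the OpenVPN port (the server's
#    replies to its clients) get the mark; all other traffic is untouched
#    and still exits via the gateway Pi. Delete-before-add keeps it idempotent.
apply_policy_routing() {
    ensure_table
    run ip route replace default via "$ROUTER" dev "$LAN_IF" table "$TABLE_NAME"
    run ip rule del fwmark "$MARK" lookup "$TABLE_NAME" 2>/dev/null || true
    run ip rule add fwmark "$MARK" lookup "$TABLE_NAME"
    run iptables -t mangle -D OUTPUT -p "$VPN_PROTO" --sport "$VPN_PORT" \
        -j MARK --set-mark "$MARK" 2>/dev/null || true
    run iptables -t mangle -A OUTPUT -p "$VPN_PROTO" --sport "$VPN_PORT" \
        -j MARK --set-mark "$MARK"
}

if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
apply_policy_routing
```

Check the result with `ip route show table NOVPN`, `ip rule show` and `iptables -t mangle -L OUTPUT -v -n`; the packet counter on the MARK rule should climb while an external client is connected.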

Ok. So this is great. I'm currently at work, but when I get home I will try out those commands and see if the iptables rules can fix my issue. Thanks so much mate. This has been bugging me for 3 days now and I'm scratching my head.


Posted (edited)

Hate to say iptables didn't help :( I tried the above.

Edited by BrainEater

Ok, hum. It's hard to see what's going on, especially because you can't even pcap what's happening inside the pre/post part of the tables; you'll only see the output after the fact. I can think of 3 more things to try that might give more insight into what's going on.

1. Run a pcap without any -t nat rules in place (no need to be listening with nc), and look at if/how packets are arriving at the OpenVPN Pi server. Specifically make sure SMAC=router, DMAC=openvpn_pi, SIPADDR=remote IP from cafe wifi, DIPADDR=10.1.1.101. Also look at whether it just drops the packet or if it returns a RST or ICMP stopping packet. I'm also kinda curious if it will try to leave via the gateway or not, if it does.

2. Try with just the first iptables command above. I was thinking that you need a sending rule and a receiving rule, but maybe I was wrong.

3. Try with just the second iptables command above. Same reason.

Like I said, I can't really test these myself, but I'm more than happy to shout out suggestions. Or if other people want to chime in, that would be great too ;)
It is possible the DNAT rule is too restrictive too; especially the ! part has given me trouble in the past.
