Hello all, first post here on the forums... I am having an issue with my ufw rules on routing VPN traffic to/from my LAN. I followed the “OpenVPN from scratch” guide and changed the server.conf to allow LAN resource sharing over my tun0 connection. I included what I added in the server.conf file. If I disable the ufw service, I can successfully share my resources over my VPN connection. My issue is that I lack the true ufw-fu... I have looked into the wild and found some iptables rules that look solid, but I do not yet have the experience to translate them into a usable ufw format... I want to learn and know this platform.
———————MyConfigs———————
nano server.conf
dh2048.pem
dev tun
topology subnet
10.8.0.0 255.255.255.0
redirect-gateway
DNS
(change DNS addresses to google) 8.8.8.8 8.8.4.4
nobody (user and group)
push "route 192.168.1.0 255.255.255.0"
save
nano /etc/sysctl.conf
uncomment net.ipv4.ip_forward
save
ufw allow 1194/udp
nano /etc/default/ufw
change DEFAULT_FORWARD_POLICY="ACCEPT"
save
nano /etc/ufw/before.rules
add the following toward the top (above the *filter section):
*nat
:POSTROUTING ACCEPT [0:0]
# masquerade VPN client traffic leaving on the physical interface
-A POSTROUTING -s 10.8.0.0/8 -o ens33 -j MASQUERADE
COMMIT
save
ufw status
ufw enable
y
ufw status
https://m.youtube.com/watch?v=XcsQdtsCS1U&autoplay=1
———————MyConfigs———————
———————FromTheWild———————
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o eth1 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow traffic initiated from LAN to access "the world"
iptables -I FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Notice that -I is used, so when listing it (iptables -vxnL) it
# will be reversed. This is intentional in this demonstration.
# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE
# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
———————FromTheWild———————
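The "FromTheWild" iptables rules expressed in ufw's own route syntax (ufw 0.34 or later), as an added example that is not from the original post or the OpenVPN wiki. It assumes, from the configs above, that tun0 is the VPN interface and that ens33 is the single interface toward both the LAN (192.168.1.0/24) and the internet, so the wiki's eth0/eth1 split collapses onto ens33; it also sets DEFAULT_FORWARD_POLICY back to DROP so the explicit route rules, rather than a wide-open FORWARD chain, decide what is forwarded.

```shell
#!/bin/sh
# Added example (not the poster's or the OpenVPN wiki's code): the quoted
# iptables FORWARD rules rewritten as ufw "route" rules. Assumed from the
# poster's configs: tun0 = VPN interface, ens33 = the one interface toward
# both the LAN and the internet (the wiki's eth0 and eth1 are both ens33).
VPN_IF=tun0
WAN_IF=ens33
VPN_NET=10.8.0.0/24
LAN_NET=192.168.1.0/24

# With DRY_RUN=echo (the default) the commands are only printed for review;
# run the script with DRY_RUN= as root to actually apply them.
DRY_RUN=${DRY_RUN-echo}

ufw_forward_rules() {
    # VPN -> LAN   (iptables: -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.1.0/24)
    $DRY_RUN ufw route allow in on "$VPN_IF" out on "$WAN_IF" from "$VPN_NET" to "$LAN_NET"
    # VPN -> "the world"  (iptables: -i tun0 -o eth1 -s 10.8.0.0/24)
    $DRY_RUN ufw route allow in on "$VPN_IF" out on "$WAN_IF" from "$VPN_NET"
    # The RELATED,ESTABLISHED rule needs no translation: ufw's stock
    # /etc/ufw/before.rules already carries it in the ufw-before-forward chain.
}

# ufw has no command syntax for the nat table, so the MASQUERADE rule stays
# in /etc/ufw/before.rules above the *filter section. /24 limits the
# masquerade to the VPN subnet instead of all of 10.0.0.0/8.
ufw_nat_block() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Route rules only restrict anything once forwarding is not wide open:
# DEFAULT_FORWARD_POLICY="ACCEPT" forwards everything, "DROP" forwards only
# what the route rules above allow.
ufw_forward_policy() {
    $DRY_RUN sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="DROP"/' /etc/default/ufw
}

ufw_forward_policy
ufw_forward_rules
ufw_nat_block
```

After applying, `ufw reload` picks up both the route rules and the edited before.rules; `ufw status verbose` then lists the route rules under a "Default: ... deny (routed)" policy.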