So I really need help, I thought I had everything squared up and ready but I tried to connect externally this afternoon and found a large hole in my plan (a little cranky). I have everything working great but external access to my OpenVPN server. For more information please read the below link 

https://forums.hak5.org/index.php?/topi ... vpn-build/

Long story short I need to access my server from outside the network. The setup is my OpenVPN server on a Raspberry Pi running Raspbian which is on local ip and I run all of its traffic through another Raspberry Pi configured as a gateway with the ip of then out to the Internet. Everything is working great internally, I just need to know what I have to do to access it externally. The default gateway for the gateway pi is
Edited by BrainEater

I have done that, that's how I had it working externally before I changed the gateway to run it through the second VPN. But I believe there is an issue with port forwarding to the server because the gateway is on another server again, so the traffic passes through another server, another gateway (the one I changed it to), a different port and then finally to the PiVPN server. So the port can't be forwarded to the PiVPN server as that's not technically where the traffic is. I need a way to have the client respond back through the current gateway then to the PiVPN server. Or for some bright spark to come up with an idea I haven't thought of. Loads of smart minds on this forum. 


I have a feeling I need to do something like this. 

# Create an alternate routing table
echo "1 NOVPN" >> /etc/iproute2/rt_tables

# Create the routes for this table
# Actually, you just want to set the default gateway
ip route add default via dev eth0 table NOVPN

# Check results with
ip route show table NOVPN

# Now tell the kernel that this routing table should be used when 
# a packet waiting to be routed has a specific "mark"
ip rule add from all fwmark 0x1 lookup NOVPN

# Then mark all the required packets with the same mark used above
iptables -t mangle -I OUTPUT -p tcp --sport 22 -j MARK --set-mark 1 
iptables -t mangle -I OUTPUT -p tcp --sport 80 -j MARK --set-mark 1 

Does this look like something I need to try? Don't want to start messing with iptables if it is unnecessary.
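The snippet above is on the right track (a second routing table selected by fwmark), but marking by source port in OUTPUT only covers the ports listed and does nothing for the OpenVPN UDP traffic. The script below is an added example, not code from the thread: it marks the connection itself when a new flow arrives on the LAN interface from a non-LAN source (i.e. the ISP router forwarded it in), restores that mark on every reply the Pi generates, and routes marked packets through a table whose only default route is the router. Everything the Pi originates on its own still follows the main table to the gateway Pi. All addresses and interface names are assumed placeholders (LAN 192.168.1.0/24, router 192.168.1.1, interface eth0); override them with environment variables.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Assumed placeholder values:
# the LAN is 192.168.1.0/24, the ISP router is 192.168.1.1, the OpenVPN Pi's
# LAN interface is eth0, and its main default route points at the gateway Pi.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet
ROUTER_GW="${ROUTER_GW:-192.168.1.1}"  # assumed ISP router (where the port forward comes from)
LAN_IF="${LAN_IF:-eth0}"               # assumed LAN interface of the OpenVPN Pi
TABLE="${TABLE:-100}"                  # numeric table id, so /etc/iproute2/rt_tables need not be edited
FWMARK="${FWMARK:-0x1}"

# Run a command, or print it instead when DRY_RUN=1 so the rule set can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

policy_routing_rules() {
    # Loose reverse-path filtering. In strict mode (1) the kernel drops a packet
    # arriving on eth0 from an Internet source, because the main table would send
    # traffic for that source via the gateway Pi, not back out eth0 to the router.
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
    run sysctl -q -w net.ipv4.conf.all.rp_filter=2

    # Table 100 holds a single default route through the ISP router.
    run ip route replace default via "$ROUTER_GW" dev "$LAN_IF" table "$TABLE"
    # Packets carrying the mark are routed with table 100 instead of main.
    run ip rule add fwmark "$FWMARK" lookup "$TABLE"

    # Mark the connection (not just the packet) when a NEW flow arrives on the LAN
    # interface from a non-LAN source; only traffic forwarded in by the router matches.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$FWMARK"
    # Copy the saved connection mark onto every reply the Pi generates (OpenVPN UDP,
    # SSH, anything), so the kernel re-routes it through table 100 and out via the router.
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

# Show the resulting policy so it can be compared with 'ip route show table 100'.
show_policy() {
    run ip rule show
    run ip route show table "$TABLE"
}
```

Review with DRY_RUN=1 first (sh the file, then call policy_routing_rules), then run it as root; the rules are not persistent across reboots, so put them in whatever your distro uses for iptables/ip persistence. Replies to LAN clients are deliberately excluded by the `! -s` match, so they keep using the main table and the gateway Pi sees nothing different.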


Having a bit of trouble understanding your setup, these pictures are what I'm envisioning your setup currently is, and what you're trying to do with external access:




Is that correct or am I wrong?

Edited by kdodge

Yeah mate that's it, the only other thing is there is another computer on my LAN between the OpenVPN server and the Nord server as a Nord client. Sorry if I didn't explain myself too well. 


OK, I think I understand now. Sounds like you might need to somehow masquerade the external packets so that they look like they are on, in order for the pi server to see them.

Understand, that I don't have your exact setup to test this (kinda trial by error), but my initial thought is this on the openvpn pi server:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp ! -d -j DNAT --to-destination
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s --sport 1234 -j MASQUERADE

(hopefully) would allow you to test this externally, with the openvpn pi server not using the router as the gateway.
$ while [ true ]; do echo 'hello world' | nc -l 1234; done
this is a simple network test for connectivity

I think you'll need DNAT+MASQUERADE or you'll need DNAT+SNAT, but I'm thinking the former. It might also be possible to bounce packets through the NordVPN server to the openvpn pi server but I think the easiest thing to do is work with the first one for now.


Ok. So this is great, I'm currently at work but when I get home I will try out those commands and see if the iptables can fix my issue, thanks so much mate. This has been bugging me for 3 days now and I'm scratching my head. 



Hate to say ip tables didn't help :( I tried the above. 


Edited by BrainEater

Ok, Hum. It's hard to see what's going on, especially cause you can't even pcap what's happening inside the pre/post part of the tables, you'll only see the output after the fact. I can think of 3 more things to try, might give more insight to what's going on.

1. run a pcap without any -t nat rules in place and no need to be listening with nc, and look at if/how packets are arriving at the openvpn pi server. Specifically make sure SMAC=router, DMAC=openvpn_pi, SIPADDR=remote ip from cafe wifi, DIPADDR= also look if it just drops the packet or if it returns a RST or ICMP stopping packet. I'm also kinda curious if it will try to leave via the gateway or not if it does.

2. Try with just the first iptables command above. I was thinking that you need a sending rule and a receiving rule, but maybe I was wrong.

3. Try with just the second iptables command above. same reason.

Like I said, I can't really test these myself, but I'm more than happy to shout out suggestions. Or if other people want to chime in that would be great too;)
It is possible the DNAT rule is too restrictive too, especially the ! part has given me trouble in the past.
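Step 1 above is the decisive test: if the SYN (or OpenVPN UDP packet) does reach the Pi but the reply leaves towards the gateway Pi instead of the router, the problem is asymmetric routing rather than NAT. The helper below is an added example, not from the thread: it asks the kernel which next hop a reply to a given client address would take (`ip route get`), classifies the answer against the router and gateway-Pi addresses, and prints the tcpdump command for the capture. Router 192.168.1.1 and gateway Pi 192.168.1.2 are assumed placeholders; the sample `ip route get` lines in the usage section are constructed.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread. Assumed placeholders: the ISP router
# is 192.168.1.1 and the gateway Pi (NordVPN client) is 192.168.1.2.
ROUTER_GW="${ROUTER_GW:-192.168.1.1}"
VPN_GW="${VPN_GW:-192.168.1.2}"

# Given one line of 'ip route get <addr>' output, print "<nexthop> <iface>".
# "onlink" is printed when there is no "via" (destination is directly connected).
# Constructed input example: "203.0.113.7 via 192.168.1.2 dev eth0 src 192.168.1.10 uid 0"
parse_route_get() {
    printf '%s\n' "$1" | awk '{
        via = "onlink"; dev = "none"
        for (i = 1; i <= NF; i++) {
            if ($i == "via") via = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        print via, dev
    }'
}

# Classify where the Pi would send its reply. Prints one of
#   router | vpn-gateway | on-link | other
# and returns 0 when the reply goes back the way the request came (router or
# directly on the LAN), 1 when it would be swallowed by the VPN path.
classify_reply_path() {
    set -- $(parse_route_get "$1")
    case "$1" in
        "$ROUTER_GW") echo router;      return 0 ;;
        "$VPN_GW")    echo vpn-gateway; return 1 ;;
        onlink)       echo on-link;     return 0 ;;
        *)            echo other;       return 1 ;;
    esac
}

# Live check for a real client address (run on the OpenVPN Pi).
check_client() {
    classify_reply_path "$(ip route get "$1" 2>/dev/null | head -n 1)"
}

# Capture command for step 1: inbound OpenVPN traffic plus any RST or ICMP the Pi
# sends back, with link-layer addresses so SMAC/DMAC can be checked.
capture_cmd() {
    printf 'tcpdump -ni %s -e "udp port 1194 or tcp port 1194 or icmp or tcp[tcpflags] & tcp-rst != 0"\n' "${1:-eth0}"
}
```

Usage: `check_client 203.0.113.7` (replace with the cafe's public address) prints `vpn-gateway` and exits 1 when the main table would route the reply to the gateway Pi, which is exactly the situation in which DNAT/MASQUERADE on the Pi cannot help and a policy-routing rule for the return path is needed. Run `eval "$(capture_cmd eth0)"` as root while connecting from outside to see whether the packets arrive at all.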
