
Hello all, first post here on the forums... I am having an issue with my ufw rules on routing VPN traffic to/from my LAN. I followed the “OpenVPN from scratch” and changed the server.conf to allow LAN resource sharing over my tun0 connection. I included what I added in the server.conf file. If I disable the ufw service, I can successfully share my resources over my VPN connection. My issue is that I lack the true ufw-fu... I have looked into the wild and found some iptables rules that look solid, but I do not yet have the experience to translate them into a usable ufw format... I want to learn and know this platform.

 

———————MyConfigs———————

    nano server.conf
        dh2048.pem
        dev tun
        topology subnet
        10.8.0.0 255.255.255.0
        redirect-gateway
        DNS (change DNS addresses to google) 8.8.8.8 8.8.4.4
        nobody (user and group)
        push "route 192.168.1.0 255.255.255.0"
    save

    nano /etc/sysctl.conf
        uncomment net.ipv4.ip_forward
    save

    ufw allow 1194/udp

    nano /etc/default/ufw
        change DEFAULT_FORWARD_POLICY="ACCEPT"
    save

    nano /etc/ufw/before.rules
    add the following toward the top:
        *nat
        :POSTROUTING ACCEPT [0:0]
        # note: 10.8.0.0/8 matches far more than the 10.8.0.0/24 VPN subnet set in server.conf
        -A POSTROUTING -s 10.8.0.0/8 -o ens33 -j MASQUERADE
        COMMIT
    save

    ufw status
    ufw enable
    y
    ufw status

https://m.youtube.com/watch?v=XcsQdtsCS1U&autoplay=1

———————MyConfigs———————

 

———————FromTheWild———————

    # Allow traffic initiated from VPN to access LAN

    iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

 

    # Allow traffic initiated from VPN to access "the world"

    iptables -I FORWARD -i tun0 -o eth1 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

 

    # Allow traffic initiated from LAN to access "the world"

    iptables -I FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

 

    # Allow established traffic to pass back and forth

    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 

    # Notice that -I is used, so when listing it (iptables -vxnL) it

    # will be reversed.  This is intentional in this demonstration.

 

    # Masquerade traffic from VPN to "the world" -- done in the nat table

    iptables -t nat -I POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE

 

    # Masquerade traffic from LAN to "the world"

    iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

 

https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

———————FromTheWild———————
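A ufw translation of the "FromTheWild" rules, added here as an example and not part of the original post. It assumes a single NIC ens33 that reaches both the LAN and the internet (the post's nat rule uses ens33, so the eth0/eth1 split from the iptables list collapses onto it), keeps the VPN subnet at 10.8.0.0/24 as server.conf defines it, and is written so DEFAULT_FORWARD_POLICY can stay at "DROP" with only the listed forwards allowed; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: ufw equivalents of the iptables FORWARD/NAT rules above.
# Assumed values (not from the post): one NIC ens33 faces LAN and internet,
# VPN clients sit on tun0 / 10.8.0.0/24, LAN is 192.168.1.0/24.
# Run as root to apply; set DRY_RUN=1 to only print what would be run.

VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-ens33}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Render the nat table for /etc/ufw/before.rules (placed above *filter).
# Uses the /24 VPN subnet rather than the /8 from the post, so only
# VPN client addresses are ever masqueraded.
nat_fragment() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${VPN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Explicit forward rules in ufw's "route" syntax (ufw 0.34+), so the
# default forward policy can remain DROP. ufw's stock before.rules already
# accepts RELATED,ESTABLISHED in ufw-before-forward, so only NEW
# connections need rules, matching the -m conntrack --ctstate NEW lines.
ufw_route_rules() {
    # VPN -> LAN (iptables: -i tun0 -o eth0 -s VPN -d LAN)
    run ufw route allow in on "${VPN_IF}" out on "${WAN_IF}" from "${VPN_NET}" to "${LAN_NET}"
    # VPN -> "the world" (iptables: -i tun0 -o eth1 -s VPN)
    run ufw route allow in on "${VPN_IF}" out on "${WAN_IF}" from "${VPN_NET}"
    # OpenVPN itself must still be reachable on the server
    run ufw allow 1194/udp
}
```

After adding the nat fragment to before.rules and running ufw_route_rules, `ufw reload` then `ufw status verbose` should list the two route rules; LAN-to-world forwarding from the iptables list is the LAN router's job in this single-NIC layout, not the VPN host's.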
