Blinddyecast Posted June 24, 2018 Share Posted June 24, 2018 Hello all, first post here on the forms... I am having an issue with my ufw rules on routing vpn traffic to/from my LAN. I followed the “OpenVPN from scratch” and changed the server.conf to allow LAN resource sharing over my tun0 connection. I included what I added in the server.conf file. If I disable the ufw service, I can successfully share my resources over my vpn connection. My issue is that, I lack the true ufw-fu... I have looked into the wild and found some iptables rules that look solid, but I do not yet have the experience to translate them into a usable ufw format... I want to learn and know this is platform. ———————MyConfigs——————— nano server.conf dh2048.pem dev tun topology subnet 10.8.0.0 255.255.255.0 redirect-gateway DNS (change DNS addresses to google) 8.8.8.8 8.8.4.4 nobody (user and group) push "route 192.168.1.0 255.255.255.0" save nano /etc/sysctl.conf uncomment net.ipv4.ip_forward save ufw allow 1194/udp nano /etc/default/ufw change DEFAULT_FORWARD_POLICY="ACCEPT" save nano /etc/ufw/before.rules add the follow toward the top: *nat :POSTROUTING ACCEPT [0.0] -A POSTROUTING -s 10.8.0.0/8 -o ens33 -j MASQUERADE COMMIT save ufw status ufw enable y ufw status https://m.youtube.com/watch?v=XcsQdtsCS1U&autoplay=1 ———————MyConfigs——————— ———————FromTheWild——————— # Allow traffic initiated from VPN to access LAN iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT # Allow traffic initiated from VPN to access "the world" iptables -I FORWARD -i tun0 -o eth1 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT # Allow traffic initiated from LAN to access "the world" iptables -I FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT # Allow established traffic to pass back and forth iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Notice that -I is used, so when listing it (iptables -vxnL) it # will be reversed. This is intentional in this demonstration. # Masquerade traffic from VPN to "the world" -- done in the nat table iptables -t nat -I POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE # Masquerade traffic from LAN to "the world" iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE https://community.openvpn.net/openvpn/wiki/BridgingAndRouting ———————FromTheWild——————— Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.