debian - OpenVPN + iptables: not forwarding traffic


I am trying to forward traffic through an OpenVPN tunnel on a VPS. I did this on an OpenVZ-virtualised server in the past, but I cannot replicate the working behaviour on a new installation on a different VPS. I changed provider for reasons that are unimportant to the question's scope.

I can connect to the VPN correctly with the Windows client, but I still reach pages through my machine's public IP instead of the VPS's public IP.

The VPS runs Debian 7, 32-bit. Server OpenVPN config:

    port 1194
    proto udp
    dev tun

    ca      /etc/openvpn/easy-rsa/keys/ca.crt    # generated keys
    cert    /etc/openvpn/easy-rsa/keys/server.crt
    key     /etc/openvpn/easy-rsa/keys/server.key  # keep secret
    dh      /etc/openvpn/easy-rsa/keys/dh1024.pem

    server 10.9.8.0 255.255.255.0  # internal tun0 connection IP
    ifconfig-pool-persist ipp.txt

    keepalive 10 120

    comp-lzo         # compression - must be turned on at both ends
    persist-key
    persist-tun

    push "redirect-gateway"

    status log/openvpn-status.log

    verb 3  # verbose mode
    client-to-client

Client (Windows 7) OpenVPN config:

    client
    dev tun
    proto udp
    remote my-server-ip 1194
    remote-random
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    ca   "c:\\program files (x86)\\openvpn\\config\\frankfurt\\ca.crt"
    cert "c:\\program files (x86)\\openvpn\\config\\frankfurt\\nick.crt"
    key  "c:\\program files (x86)\\openvpn\\config\\frankfurt\\nick.key"
    comp-lzo
    verb 3
    keepalive 10 120
    route-method exe
    route-delay 2

ifconfig:

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.9.8.1  P-t-P:10.9.8.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
              inet6 addr: .../128 Scope:Global
              inet6 addr: .../128 Scope:Global
              inet6 addr: .../128 Scope:Global
              inet6 addr: .../128 Scope:Global
              inet6 addr: .../128 Scope:Global
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
              RX packets:15332 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7317 errors:0 dropped:56 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:13666157 (13.0 MiB)  TX bytes:762502 (744.6 KiB)

    venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:my-server-ip  P-t-P:my-server-ip  Bcast:my-server-ip  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

iptables -L: (the rules for port 20100 are left over from previous experiments and have nothing to do with this)

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:20100
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:20100
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:20100
    ACCEPT     all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  10.9.8.0/24          anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

iptables -L -t nat:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    SNAT       all  --  anywhere             anywhere             to:my-server-ip

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

I checked discussions, forums and blog posts about this error, but I couldn't quite understand what's wrong with the config.

By the way, ip_forward is 1 in sysctl.conf.

With the OpenVZ platform, iptables should look similar to this:

    echo "1" > /proc/sys/net/ipv4/ip_forward

    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -j ACCEPT

    iptables -A INPUT -i tun1 -j ACCEPT
    iptables -A FORWARD -i tun1 -j ACCEPT

    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the external IP address of the VPS.

A detailed guide on OpenVPN installation can be found here: https://limitlessblog.co.za/2017/05/16/openvpn-server-installation-debian/
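As an added example (my own, not code from the question, the answer above or the linked guide): a POSIX shell script that prints the rule set for this setup with the FORWARD and SNAT rules scoped to the tunnel interface and the 10.9.8.0/24 subnet, instead of the match-everything SNAT and FORWARD rules in the question's listing, plus a small check that classifies an `iptables -t nat -S POSTROUTING` listing as scoped, unscoped or missing. The interface names and subnet are the ones from the question; the public address 203.0.113.10, the function names and the two sample chain listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example for the OpenVPN + iptables thread: generate the forwarding/NAT
# rules for an OpenVZ VPS and check an existing POSTROUTING chain.
# 203.0.113.10 is an assumed placeholder for the VPS public address.
set -eu

TUN_IF="${TUN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.9.8.0/24}"
WAN_IF="${WAN_IF:-venet0}"
WAN_IP="${WAN_IP:-203.0.113.10}"

# Print the rules rather than applying them, so they can be reviewed first and
# then piped to sh on the server. FORWARD gets a DROP policy and the accept
# and SNAT rules are limited to the VPN subnet and interfaces, so the VPS does
# not forward or rewrite traffic that does not come from the tunnel.
vpn_rules() {
    tun_if=$1 vpn_net=$2 wan_if=$3 wan_ip=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i $tun_if -s $vpn_net -j ACCEPT
iptables -A FORWARD -i $tun_if -o $wan_if -s $vpn_net -j ACCEPT
iptables -A FORWARD -i $wan_if -o $tun_if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpn_net -o $wan_if -j SNAT --to-source $wan_ip
EOF
}

# Classify the POSTROUTING chain as printed by `iptables -t nat -S POSTROUTING`
# (read from stdin): "scoped" if a SNAT/MASQUERADE rule is limited to the VPN
# subnet, "unscoped" if it rewrites everything (the shape in the question's
# `iptables -L -t nat` output), "missing" if there is no such rule.
nat_scope() {
    vpn_net=$1
    rules=$(cat)
    net_re=$(printf '%s' "$vpn_net" | sed 's/\./\\./g')
    if printf '%s\n' "$rules" | grep -Eq -- "^-A POSTROUTING .*-s ${net_re} .*-j (SNAT|MASQUERADE)"; then
        echo scoped
    elif printf '%s\n' "$rules" | grep -Eq -- '^-A POSTROUTING .*-j (SNAT|MASQUERADE)'; then
        echo unscoped
    else
        echo missing
    fi
}

# Exit 0 when the kernel forwards IPv4. The optional path argument exists so
# the check can be exercised against a constructed file off the server.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed sample listings: the first mirrors the unscoped SNAT in the
# question, the second the rule that vpn_rules generates.
SAMPLE_UNSCOPED='-P POSTROUTING ACCEPT
-A POSTROUTING -j SNAT --to-source 203.0.113.10'
SAMPLE_SCOPED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.9.8.0/24 -o venet0 -j SNAT --to-source 203.0.113.10'

vpn_rules "$TUN_IF" "$VPN_NET" "$WAN_IF" "$WAN_IP"
printf 'question nat chain:  %s\n' "$(printf '%s\n' "$SAMPLE_UNSCOPED" | nat_scope "$VPN_NET")"
printf 'generated nat chain: %s\n' "$(printf '%s\n' "$SAMPLE_SCOPED" | nat_scope "$VPN_NET")"
```

Run it as-is to review the rules, then `vpn_rules tun0 10.9.8.0/24 venet0 <vps-ip> | sh` on the server; after sourcing the script, `iptables -t nat -S POSTROUTING | nat_scope 10.9.8.0/24` reports whether the live chain is scoped, and `forwarding_enabled` confirms the sysctl took effect. On OpenVZ the public address sits on the alias venet0:0, which `-o venet0` matches, so the outbound interface stays venet0 as in the answer above.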

