OpenVPN and Routing and IPtables
Solution 1:
There are two things you'll need to check and potentially fix.
First, you need to ensure that IP forwarding is turned on in the kernel. IP forwarding allows the kernel to pass packets from one interface to another. You can check this with the below:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
If you see a 0
instead of a 1
, then you need to enable IP forwarding. The easiest and most reliable way is to add the following line to /etc/sysctl.conf
(or modify it if there is already an entry for net.ipv4.ip_forward
):
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
And then run sysctl -p
to reload the configuration from that file.
Next, you will need to configure IPtables
to do Network Address Translation (NAT) on the packets coming from the VPN. Otherwise, when those packets g'et sent out eth0
, any devices that receive the packets won't know how to talk back (they dont have a route back to 192.168.3.0/24
through the VPN server). There are two ways you can setup the NAT: Static NAT (SNAT) and Masquerade. SNAT is recommended when the IP address on the outbound interface (eth0
in your case) is not expected to change. Masquerade mode is designed for dynamic IP situations such as dial-up or other dynamically assigned address configurations (cable modems, DSL, etc.). Both are configured similarly, though.
For SNAT, you would add an IPtables rule along the lines of (note, I used 192.168.2.13
because I don't know the IP you have assigned to eth0; you would want to change that as is appropriate):
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.13
If the IP address on eth0 is not static and reliable, you would use Masquerade, which would look like:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Solution 2:
You do need a iptables rule for the VPN clients to access the network.
First make sure your system allow NAT:
# Setup sysctl to enable NAT.
echo "# Allowing nat translation for VPN clients.
net.ipv4.conf.default.forwarding=1
net.ipv4.ip_forward=1" > "/etc/sysctl.d/openvpn.conf"
# load new sysctl config.
command sysctl -p "/etc/sysctl.d/openvpn.conf" > '/dev/null'
Then install the NAT iptables rule for the VPN network:
CURRENT_IP_RANGE="192.168.2"
command iptables -t nat -C POSTROUTING -s "${CURRENT_IP_RANGE}.0/24" \
-o 'eth0' -j MASQUERADE 2>'/dev/null' \
|| command iptables -t nat -A POSTROUTING -s "${CURRENT_IP_RANGE}.0/24" \
-o 'eth0' -j MASQUERADE
These rules are an extract of openvpn-tools, presented in Install and setup OpenVPN on Debian, a OpenVPN management script and how-to i've written.
Make sure also to have a DNS server accessible from your VPN clients. A simple answer is OpenDNS (8.8.8.8). A more complex, but may-be better solution is to install Bind on the server (this is the solution used by openvpn-tools).
openvpn-tools may be of interest to you as it provide clients configuration exports for various systems and automatize the setup of new VPN networks.
EDIT for Openvpn 2.x server and 1.5 client
See: OpenVPN releases notes.
To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, put this in the 1.x config file:
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
key-method 2
For TLS usage, key-method 2 is now the default.
Solution 3:
I'm not sure if you are using AWS, but please make sure that you disable destination/source checking on any AWS instance you may be using to run this.
Right click on the instance, mouse over to Network, then there should be an option there.
If this doesn't help you, hope it helps someone else.