routing VPN question

Issues related to configuring your network
Post Reply
wp.rauchholz
Posts: 133
Joined: 2016/11/20 11:58:45

routing VPN question

Post by wp.rauchholz » 2018/02/02 15:20:17

I do run a centos 7 home server. The server is the modem/router of the network and has two NICs.
I am trying to integrate with a commercial VPN service and are stuck with how to correctly set firewall and route through tun0.

I added tun0 to external firewall zone, but that did not result in anything.

Setup w/o VPN
(1) internal network
ifcfg-enp3s0
IPADDR=10.5.2.1
zone=internal

(2) external network
ifcfg-enp6s0
zone=external

ifcfg-ppp0
zone=external
eth=ifcfg-enp6s0

The external firewall is defined as follows:
icmp-block-inversion: no
interfaces: enp6s0 ppp0
sources:
services: http https openvpn
ports: xxx/tcp zzz/tcp aaa/tcp qqq/tcp eee/tcp ggg
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

How do I route the traffic from the internal network through tun0?
What do I need to change on the firewall?

Thanks, Wolfgang

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: routing VPN question

Post by pjsr2 » 2018/02/02 19:45:16

Allow forwarding of packets between your network devices:
Create a file /etc/sysctl.d/allow-ip-forwarding.conf with the following content:

Code: Select all

net.ipv4.ip_forward = 1
Set ownership and permissions:

Code: Select all

sudo chown root.root /etc/sysctl.d/allow-ip-forwarding.conf
sudo chmod 644 /etc/sysctl.d/allow-ip-forwarding.conf
Then load this into the kernel (will be done automatically on reboot):

Code: Select all

sudo sysctl -p /etc/sysctl.d/allow-ip-forwarding.conf
You have to add some forwarding rules to firewalld to allow forwarding of packets between the tun0 interface and your internal network interface.
Something like (let the device and zone names match your set-up):

Code: Select all

sudo firewall-cmd --permanent --add-interface=tun0 --zone=public
sudo firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -o eth0 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo firewall-cmd --reload

wp.rauchholz
Posts: 133
Joined: 2016/11/20 11:58:45

Re: routing VPN question

Post by wp.rauchholz » 2018/02/03 12:08:51

Still trying to get this done.
Not related to the problem, but I migrated from firewall-cmd to iptables. I find it easier to understand.
I translated the firewall-cmd commands to iptables and added the following to my firewall script.

### vpnexpress forwarding rules btw tun0 (VPN_DEV) and enp3s0 (INT_DEV)
iptables -A FORWARD -i $VPN_DEV -o $INT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $VPN_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $INT_DEV -j MASQUERADE


This is the way the kernel routing table loos with and without vpnexpress. Do I need to add an addtl route?

Destination --- Gateway --- Genmask Flags Metric Ref Use Iface
0.0.0.0 --- 0.0.0.0 --- 0.0.0.0 U 0 0 0 ppp0
10.5.2.0 --- 0.0.0.0 --- 255.255.255.0 U 0 0 0 enp3s0
192.168.144.1 --- 0.0.0.0 --- 255.255.255.255 UH 0 0 0 ppp0

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 --- 10.45.89.97 --- 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 --- 0.0.0.0 --- 0.0.0.0 U 0 0 0 ppp0
10.5.2.0 --- 0.0.0.0 --- 255.255.255.0 U 0 0 0 enp3s0
10.45.0.1 --- 10.45.89.97---255.255.255.255 UGH 0 0 0 tun0
10.45.89.97 --- 0.0.0.0 --- 255.255.255.255 UH 0 0 0 tun0
37.48.80.240--- 0.0.0.0 --- 255.255.255.255 UH 0 0 0 ppp0
128.0.0.0 --- 10.45.89.97---128.0.0.0 UG 0 0 0 tun0
192.168.144.1---0.0.0.0 --- 255.255.255.255 UH 0 0 0 ppp0

Thanks for helping

Wolfgang

User avatar
fdisk
Posts: 42
Joined: 2017/11/04 00:59:56

Re: routing VPN question

Post by fdisk » 2018/02/10 11:41:32

Imho routes are looking good.
How does an output of traceroute to some external IP looks like?

Post Reply