Routing between LAN and VPN behind NAT

(02 Mar 2009 7:39)

Took a while to get traffic routed from remote OpenVPN clients to LAN at the OpenVPN server end.

Here's the network setup:

Remote office:

Router: 10.1.1.250 / 255.255.255.0
OpenVPN server LAN IP (eth0): 10.1.1.1
OpenVPN server VPN IP (tun0): 10.8.0.1
LAN DNS server IP: 10.1.1.10

Key settings from openvpn server.conf:

push "route 10.1.1.0 255.255.255.0"
push "dhcp-option DNS 10.1.1.10" # DNS server
push "dhcp-option WINS 10.1.1.10" # WINS server address

Now the problem is that while remote VPN clients can successfully ping the LAN IP of the OpenVPN server (10.1.1.1), they cannot ping other hosts in the LAN (for example the DNS/WINS server, 10.1.1.10).

Routing traffic between VPN and LAN worked as long as the OpenVPN server acted also as the router for the network. When routing was moved to another server (10.0.0.250), VPN<->LAN routing went bust.

The problem is easily solved with applying the following iptables rule and enabling IP forwarding (using CentOS v4.7):

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# sysctl -w net.ipv4.ip_forward=1

Make sure you enable ip_forwarding at /etc/sysctl.conf to make the setting persist through boots. Don't forget to save the iptables rules as well with, for example, iptables-save.

[ Post comments ]

• March 2009 (1 entry)
• November 2007 (1 entry)
• June 2007 (1 entry)
• February 2007 (1 entry)
• January 2007 (3 entries)
• December 2006 (1 entry)
• September 2006 (1 entry)
• January 2006 (4 entries)
• November 2005 (2 entries)
• [Rss feed for Ketola's blogs]