Hi,
I have CentOS as the host system, and on that a virtualized second CentOS that is the OpenVPN server. The CentOS host IP is 11.11.11.11, routed with PREROUTING and POSTROUTING to the OpenVPN virtual machine, and that is working. Now I put a MikroTik between the ISP and the VPN. On the host CentOS the default rule is drop; the only TCP port used is SSH, and I can connect through the MikroTik. I didn't write that here in the commands, it's irrelevant; just to say that dst-nat routing is working.
The problem is in the Firewall menu under Connections: I see the VPN connected to the MikroTik, in this case 10.10.10.10; this is the first connection, details below. And I see my host CentOS IP connecting to some TCP ports when surfing. Maybe I misunderstood something and everything is OK, but I don't think this should be happening. See below for more details.
Thanks for your time.
My firewall NAT:
add chain=dstnat action=dst-nat dst-address=10.10.10.10 protocol=udp dst-port=1194 to-address=11.11.11.11
add chain=srcnat action=src-nat src-address=11.11.11.11 to-addresses=10.10.10.10
Filter rules:
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-state=established
add action=accept chain=forward dst-address=11.11.11.11 protocol=udp dst-port=1194
add chain=forward action=accept src-address=11.11.11.11
add chain=forward action=drop
Input rules:
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address=10.10.10.10/24 protocol=tcp dst-port=23 connection-state=new,established
add chain=input action=accept src-address=10.10.10.10/24 protocol=tcp dst-port=80 connection-state=new,established
add chain=input action=drop
These input rules I need only for accessing the MikroTik during setup.
So what's the problem? This setup works: I can connect to OpenVPN behind the MikroTik, which is on the local network, in this example on 11.11.11.11. The MikroTik is on 10.10.10.10.
When I click the Connections tab in the Firewall menu it shows first my public IP connected to 10.10.10.10, and that is OK, this is the VPN connection.
Like this:
src address    dst address    protocol
my public      10.10.10.10    udp
But when I surf I see the VPN local IP is connected to some TCP and UDP ports, like DNS, which is the one in /etc/resolv.conf on the VPN server.
Like this:
src address    dst address            protocol
11.11.11.11    ip of site I browse    tcp
And DNS:
src address    dst address      protocol
11.11.11.11    dns server ip    udp
Why is this happening? What did I misconfigure?
But when I drop all traffic on input I can still use all VPN and browsing capabilities, and I suppose no TCP connections are made because everything is closed, if I'm right.
I tried to configure src-nat this way, but then browsing doesn't work; I can connect to the VPN.
add chain=forward action=accept src-address=11.11.11.11 protocol=udp src-port=1194 to-addresses=10.10.10.10
My first concern is why the IP of the VPN is leaking and what I misconfigured.
I cannot explain it better than this.
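The Connections tab lists each flow as it looked before NAT was applied, with the post-NAT addresses shown as the reply addresses. The following added Python example (not from the original post) models the two NAT rules in the post on constructed sample packets (203.0.113.5 as a VPN client, 198.51.100.7 as a web site, 198.51.100.53 as a DNS server) to show what the table records for each flow and which address actually leaves toward the ISP.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# NAT rules transcribed from the post; addresses are the post's example values
DSTNAT = {"dst": "10.10.10.10", "proto": "udp", "dport": 1194, "to": "11.11.11.11"}
SRCNAT = {"src": "11.11.11.11", "to": "10.10.10.10"}


def track_connection(pkt: Packet) -> dict:
    """Return the connection-tracking entry recorded for the first packet of a flow.

    src-address/dst-address are the pre-NAT addresses of the original direction;
    reply-src-address/reply-dst-address are the addresses after both NAT chains,
    i.e. what the far side of the connection actually sees.
    """
    src, dst = pkt.src, pkt.dst
    # dstnat runs first: incoming VPN traffic is redirected to the server
    if (dst == DSTNAT["dst"] and pkt.proto == DSTNAT["proto"]
            and pkt.dport == DSTNAT["dport"]):
        dst = DSTNAT["to"]
    # srcnat runs last: the VPN server's address is replaced on the way out
    if src == SRCNAT["src"]:
        src = SRCNAT["to"]
    return {
        "src-address": pkt.src, "dst-address": pkt.dst, "protocol": pkt.proto,
        "reply-src-address": dst, "reply-dst-address": src,
    }


def connection_table(packets: list[Packet]) -> list[dict]:
    return [track_connection(p) for p in packets]


# Constructed sample flows: a VPN client connecting, then the VPN server fetching
# a web page and a DNS answer on behalf of that client
SAMPLE = [
    Packet("203.0.113.5", "10.10.10.10", "udp", 1194),
    Packet("11.11.11.11", "198.51.100.7", "tcp", 443),
    Packet("11.11.11.11", "198.51.100.53", "udp", 53),
]

if __name__ == "__main__":
    for entry in connection_table(SAMPLE):
        print(entry)
```

The second and third entries show 11.11.11.11 as src-address while reply-dst-address is 10.10.10.10, so the server's address appears in the table even though the packet on the ISP side carries the MikroTik's address.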