LastStarDust
just joined
Topic Author
Posts: 22
Joined: Sat Dec 12, 2015 8:42 pm
Location: Japan

OpenVPN routing

Sun Oct 20, 2019 7:09 am

I apologize if this is not a question strictly related to MikroTik or RouterOS. Anyway, a MikroTik device is involved and I am sure that there are many sysadmins here who are very knowledgeable about routing in Linux as well.

Below you can see the topology of our setup. The servers 1 and 2 control a piece of scientific equipment inside a big laboratory. Sometimes we need to control the equipment from the external world but we cannot do that directly because of the laboratory firewall. That is why I have set up a VPN tunnel with a MikroTik router through which we can connect to the servers 1 and 2 from the internet.
[Image: network topology diagram]
I have root access to all the machines in blue. I do not have access to the gateway in gray.
My problem is that, if and only if the VPN tunnel is connected, I can access the servers from the internet BUT I cannot connect to the internet from server 2.
For instance, I can SSH from the internet into server 2 but I cannot ping google from it.
If the VPN tunnel is not in place I can access the internet from both the servers but obviously I lose access to the servers from the internet.
I think the problem lies in a misconfiguration of the server 1 routing table.

Server 1 static routes:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     50     0        0 tun0
0.0.0.0         10.128.32.1     0.0.0.0         UG    105    0        0 em1
10.10.12.0      0.0.0.0         255.255.255.0   U     50     0        0 tun0
10.128.32.0     0.0.0.0         255.255.224.0   U     105    0        0 em1
10.128.32.1     0.0.0.0         255.255.255.255 UH    105    0        0 em1
***********     10.128.32.1     255.255.255.255 UGH   105    0        0 em1
169.254.0.0     0.0.0.0         255.255.255.0   U     104    0        0 idrac
192.168.10.0    0.0.0.0         255.255.255.0   U     106    0        0 em2
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N OS2iDRAC
-A INPUT -i lo -j ACCEPT
-A INPUT -i em2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j OS2iDRAC
-A FORWARD -d 192.168.10.2/32 -p tcp -m tcp --dport 8082 -j ACCEPT
-A FORWARD -i em1 -o em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i em2 -o em1 -j ACCEPT
-A FORWARD -i tun0 -o em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i em2 -o tun0 -j ACCEPT
-A OS2iDRAC -d 169.254.0.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OS2iDRAC -s 169.254.0.1/32 -i idrac -p tcp -j ACCEPT

$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere             tcp dpt:dellpwrappks to:169.254.0.1:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:us-cli to:192.168.10.2:8082
DNAT       tcp  --  anywhere             anywhere             tcp dpt:us-cli to:192.168.10.2:8082

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere             ADDRTYPE match src-type LOCAL dst-type LOCAL tcp dpt:dellpwrappks to:169.254.0.1:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       tcp  --  anywhere             idrac.local          tcp dpt:https to:169.254.0.2
MASQUERADE  all  --  anywhere             anywhere             ADDRTYPE match src-type LOCAL dst-type UNICAST
MASQUERADE  all  --  anywhere             anywhere            
MASQUERADE  all  --  10.10.12.0/24        anywhere

$ cat client.ovpn
client
dev tun
proto tcp
remote ************ 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
On server 1 I use NetworkManager to connect to the VPN and I have left all the settings on auto.
Thank you for your attention.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: OpenVPN routing

Sun Oct 20, 2019 2:07 pm

Hi

Problem is with the routing indeed

the first line shouldn't be there
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     50     0        0 tun0

I would suggest not letting the client set any gateway, and NATing outgoing traffic to clients on the VPN server (so src-nat then) to its own IP. Then any return traffic to the VPN server (and remote client) will go to the VPN server anyway.
Basically you do not want to route all traffic over vpn, only the one which comes from vpn:
https://community.openvpn.net/openvpn/w ... ectGateway
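To make the diagnosis above checkable on other hosts, here is an added example (not code from the thread or from OpenVPN) that parses `route -n` output like the table in the first post, ranks the default routes by metric and reports when a tunnel interface has taken over the default route. The function names and the "tunnel interface" prefixes are my own assumptions; the sample input is the poster's routing table copied verbatim.

```python
"""Check which default route wins in Linux `route -n` output."""
from dataclasses import dataclass

# Routing table from the first post (the masked VPN endpoint is kept as-is).
SAMPLE_ROUTE_N = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     50     0        0 tun0
0.0.0.0         10.128.32.1     0.0.0.0         UG    105    0        0 em1
10.10.12.0      0.0.0.0         255.255.255.0   U     50     0        0 tun0
10.128.32.0     0.0.0.0         255.255.224.0   U     105    0        0 em1
10.128.32.1     0.0.0.0         255.255.255.255 UH    105    0        0 em1
***********     10.128.32.1     255.255.255.255 UGH   105    0        0 em1
169.254.0.0     0.0.0.0         255.255.255.0   U     104    0        0 idrac
192.168.10.0    0.0.0.0         255.255.255.0   U     106    0        0 em2
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
"""

TUNNEL_PREFIXES = ("tun", "tap", "ppp")  # assumption: what counts as a VPN interface


@dataclass
class Route:
    dest: str
    gateway: str
    genmask: str
    flags: str
    metric: int
    iface: str


def parse_route_n(text):
    """Parse the 8-column `route -n` table; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append(Route(dest, gw, mask, flags, int(metric), iface))
    return routes


def default_routes(routes):
    """All 0.0.0.0/0 entries, lowest metric first (the kernel prefers that one)."""
    return sorted((r for r in routes if r.dest == "0.0.0.0" and r.genmask == "0.0.0.0"),
                  key=lambda r: r.metric)


def active_default(routes):
    d = default_routes(routes)
    return d[0] if d else None


def tunnel_owns_default(routes):
    """True when the winning default route points into a tunnel interface."""
    d = active_default(routes)
    return d is not None and d.iface.startswith(TUNNEL_PREFIXES)


def remove_tunnel_defaults(routes):
    """Routing table as it would look after deleting the tunnel default route(s)."""
    return [r for r in routes if not (r.dest == "0.0.0.0" and r.genmask == "0.0.0.0"
                                      and r.iface.startswith(TUNNEL_PREFIXES))]


if __name__ == "__main__":
    table = parse_route_n(SAMPLE_ROUTE_N)
    for r in default_routes(table):
        print(f"default via {r.gateway} dev {r.iface} metric {r.metric}")
    print("tunnel owns default route:", tunnel_owns_default(table))
```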
 
LastStarDust
just joined
Topic Author
Posts: 22
Joined: Sat Dec 12, 2015 8:42 pm
Location: Japan

Re: OpenVPN routing

Mon Oct 21, 2019 3:25 am

Thank you very much for the quick reply! Your suggestion to remove the first static route solved the problem indeed.
I still would like to route all the internet traffic through the VPN tunnel, because the lab firewall is blocking HTTP (but not HTTPS).
Some CentOS repositories still use HTTP, so to upgrade the systems I need the VPN tunnel anyway. Moreover, some scientific websites that we need to consult still use HTTP, etc ...
So I still would like to keep the VPN tunnel for internet traffic as well ...
Now I only need to understand how and why the rule
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     50     0        0 tun0
is created in the first place, and disable it.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: OpenVPN routing

Mon Oct 21, 2019 2:38 pm

Most likely because of this in the OpenVPN config

redirect-gateway def1
 
LastStarDust
just joined
Topic Author
Posts: 22
Joined: Sat Dec 12, 2015 8:42 pm
Location: Japan

Re: OpenVPN routing

Wed Oct 23, 2019 1:33 pm

Yes, I think that is the culprit. Anyway, I have still not found a way to have all the machines connect to the internet THROUGH the VPN.
If I remove that static route I get access to the internet but not through the VPN. Could you please tell me how to set the routing table to achieve that? I think that I may have to set the routing table manually instead of letting OpenVPN do that for me ...
