Below you can see the topology of our setup. Servers 1 and 2 control a piece of scientific equipment inside a big laboratory. Sometimes we need to control the equipment from the external world, but we cannot do that directly because of the laboratory firewall. That is why I have set up a VPN tunnel with a MikroTik router through which we can connect to servers 1 and 2 from the internet.
I have root access to all the machines in blue. I do not have access to the gateway in gray.
My problem is that, if and only if the VPN tunnel is connected, I can access the servers from the internet BUT I cannot connect to the internet from server 2.
For instance, I can SSH from the internet into server 2, but I cannot ping Google from it.
If the VPN tunnel is not in place I can access the internet from both servers, but obviously I lose access to the servers from the internet.
I think the problem lies in a misconfiguration of server 1's routing table.
Server 1 static routes:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 50 0 0 tun0
0.0.0.0 10.128.32.1 0.0.0.0 UG 105 0 0 em1
10.10.12.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
10.128.32.0 0.0.0.0 255.255.224.0 U 105 0 0 em1
10.128.32.1 0.0.0.0 255.255.255.255 UH 105 0 0 em1
*********** 10.128.32.1 255.255.255.255 UGH 105 0 0 em1
169.254.0.0 0.0.0.0 255.255.255.0 U 104 0 0 idrac
192.168.10.0 0.0.0.0 255.255.255.0 U 106 0 0 em2
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N OS2iDRAC
-A INPUT -i lo -j ACCEPT
-A INPUT -i em2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j OS2iDRAC
-A FORWARD -d 192.168.10.2/32 -p tcp -m tcp --dport 8082 -j ACCEPT
-A FORWARD -i em1 -o em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i em2 -o em1 -j ACCEPT
-A FORWARD -i tun0 -o em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i em2 -o tun0 -j ACCEPT
-A OS2iDRAC -d 169.254.0.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OS2iDRAC -s 169.254.0.1/32 -i idrac -p tcp -j ACCEPT
$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:dellpwrappks to:169.254.0.1:443
DNAT tcp -- anywhere anywhere tcp dpt:us-cli to:192.168.10.2:8082
DNAT tcp -- anywhere anywhere tcp dpt:us-cli to:192.168.10.2:8082
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere ADDRTYPE match src-type LOCAL dst-type LOCAL tcp dpt:dellpwrappks to:169.254.0.1:443
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere idrac.local tcp dpt:https to:169.254.0.2
MASQUERADE all -- anywhere anywhere ADDRTYPE match src-type LOCAL dst-type UNICAST
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- 10.10.12.0/24 anywhere
$ cat client.ovpn
client
dev tun
proto tcp
remote ************ 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
Thank you for your attention.
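Added example, not part of the post above: a small Python simulation of how server 1 would pick a next hop for the traffic the post describes, using only the `route -n` table shown (the masked host route is omitted). It applies the kernel's rule of longest prefix first, then lowest metric, to the two default routes (`tun0` metric 50 versus `em1` via 10.128.32.1 metric 105), and compares the result with the same table after the tunnel's default route is removed. The addresses 8.8.8.8 and 192.168.10.2 are assumed stand-ins for "the internet" and server 2; the FORWARD chain in the post accepts `em2` to both `em1` and `tun0`, so routing alone decides the exit interface.

```python
import ipaddress

# Constructed from the `route -n` output in the post (masked host route omitted).
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 0.0.0.0 U 50 0 0 tun0
0.0.0.0 10.128.32.1 0.0.0.0 UG 105 0 0 em1
10.10.12.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
10.128.32.0 0.0.0.0 255.255.224.0 U 105 0 0 em1
10.128.32.1 0.0.0.0 255.255.255.255 UH 105 0 0 em1
169.254.0.0 0.0.0.0 255.255.255.0 U 104 0 0 idrac
192.168.10.0 0.0.0.0 255.255.255.0 U 106 0 0 em2
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
"""


def parse_routes(text):
    """Parse `route -n` rows into dicts with an IPv4Network, gateway, metric, iface."""
    routes = []
    for line in text.splitlines():
        dst, gw, mask, flags, metric, _ref, _use, iface = line.split()
        routes.append({
            "net": ipaddress.IPv4Network(f"{dst}/{mask}"),
            "gw": None if gw == "0.0.0.0" else gw,   # None = directly connected
            "metric": int(metric),
            "iface": iface,
            "flags": flags,
        })
    return routes


def lookup(routes, dst):
    """Kernel-style selection: longest matching prefix, ties broken by lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def forwarding_path(routes, src, dst):
    """Return (ingress iface, egress iface, gateway) for a packet src -> dst crossing this box."""
    ingress = lookup(routes, src)
    egress = lookup(routes, dst)
    return ingress["iface"], egress["iface"], egress["gw"]


def without_default_via(routes, iface):
    """The same table with the default route through `iface` removed (tunnel down)."""
    return [r for r in routes if not (r["net"].prefixlen == 0 and r["iface"] == iface)]


if __name__ == "__main__":
    # Assumed addresses: 192.168.10.2 = server 2 on em2, 8.8.8.8 = "the internet".
    routes = parse_routes(ROUTE_TABLE)
    print("tunnel up:  ", forwarding_path(routes, "192.168.10.2", "8.8.8.8"))
    print("tunnel down:", forwarding_path(without_default_via(routes, "tun0"),
                                          "192.168.10.2", "8.8.8.8"))
    print("VPN client reply:", forwarding_path(routes, "192.168.10.2", "10.10.12.5"))
```

With the tunnel up, server 2's internet-bound packets leave through `tun0` (the metric-50 default that `redirect-gateway def1` installs) rather than through `em1`, so they only reach the internet if the MikroTik end routes and NATs them onward, which the post does not show. With the tunnel down only the `em1` default remains and the same packets go to 10.128.32.1, matching the behaviour described. Replies to VPN clients in 10.10.12.0/24 use the `/24` route and are unaffected either way. On the real box the same check is `ip route get 8.8.8.8 from 192.168.10.2 iif em2`.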