Can't forward traffic from VPN clients to the Internet

NethServer Version: 7.2.1511 (rc2)
Module: vpn

Hi! Thank you for nethserver, it is amazing.

I’ve installed 7.2.1511 (rc2) on a DigitalOcean CentOS 7.2 x64 droplet and am trying to set up forwarding of all OpenVPN client traffic via NethServer.

OpenVPN is configured, both «Route all client traffic through VPN» and «Allow client-to-client network traffic» are checked, but I can’t make Shorewall allow traffic from my 10.10.10.0/24 virtual network to the Internet:

neth kernel: Shorewall:ovpn2net:REJECT:IN=tun0 OUT=eth0 MAC= SRC=10.10.10.6 DST=54.154.40.136 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48918 DF PROTO=TCP SPT=59848 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0

I’ve tried:

  • creating a static route with Network address 10.10.10.0/24 and Router address from the eth0 config (got via ip route show)
  • creating a firewall rule with Source as a CIDR firewall object with 10.10.10.0/24 and Any in the other fields

Please give me a hint on what to configure to allow traffic from VPN clients to the Internet.

Update:
I’ve managed to make it work after:

  1. Putting back the firewall rule «CIDR network vpn_network» - «Firewall» for Any service
  2. Adding a static route with Network address 10.10.10.0/24 and Router address from the eth0 config (got via ip route show)
  3. iptables configuration from the command line:

# let new connections from the VPN subnet be forwarded from tun0 out of the WAN interface
iptables -I FORWARD -i tun0 -o eth0 -s 10.10.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
# masquerade the VPN subnet behind eth0's address; -s must be the VPN subnet or nothing is NATed
iptables -t nat -I POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE

Is it possible to do the same as in point 3, but with the NethServer GUI?
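As an added example (not code from the original post or from NethServer), the following POSIX shell script reads a Shorewall reject line like the one above, confirms that it really describes VPN-to-WAN forwarding from the OpenVPN subnet, and only then applies the two rules from point 3 without stacking duplicates on re-runs. The interface names tun0/eth0 and the subnet 10.10.10.0/24 are assumptions taken from the post and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not code from the original post or from NethServer.
# Assumed defaults: VPN interface tun0, red (WAN) interface eth0, OpenVPN subnet
# 10.10.10.0/24; override with VPN_IF, WAN_IF and VPN_NET.
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.10.10.0/24}"

# Pull one KEY=VALUE field out of a netfilter/Shorewall log line. Keys are preceded
# by a space, or by the "chain:action:" prefix for the first field (IN=).
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ :]$2=\([^ ]*\).*/\1/p"
}

# "Shorewall:ovpn2net:REJECT" names the zone-to-zone chain (ovpn -> net) and the
# action Shorewall took; returns e.g. "ovpn2net REJECT".
log_chain_action() {
    printf '%s\n' "$1" | sed -n 's/.*Shorewall:\([^:]*\):\([^:]*\):.*/\1 \2/p'
}

# True when the logged packet came in on the VPN interface, was going out on the
# WAN interface and has a source inside VPN_NET (prefix check is enough for a /24).
log_is_vpn_forward() {
    in_if=$(log_field "$1" IN)
    out_if=$(log_field "$1" OUT)
    src=$(log_field "$1" SRC)
    net_prefix=${VPN_NET%.*/*}          # 10.10.10.0/24 -> 10.10.10
    [ "$in_if" = "$VPN_IF" ] && [ "$out_if" = "$WAN_IF" ] && [ "${src%.*}" = "$net_prefix" ]
}

# The two rules from point 3 as printable strings, for review before anything runs.
forward_rule() {
    printf 'iptables -I FORWARD -i %s -o %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$VPN_IF" "$WAN_IF" "$VPN_NET"
}
masq_rule() {
    printf 'iptables -t nat -I POSTROUTING -o %s -s %s -j MASQUERADE\n' "$WAN_IF" "$VPN_NET"
}

# Insert a rule only if an identical one is not already present (-C tests, -I inserts),
# so running the script twice does not leave two copies in the chain.
apply_rule() {
    table="$1"; shift
    if iptables -t "$table" -C "$@" 2>/dev/null; then
        echo "already present in $table: $*"
    else
        iptables -t "$table" -I "$@"
    fi
}

apply_all() {
    # Forwarding has to be on at all; NethServer normally enables it already.
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || sysctl -w net.ipv4.ip_forward=1
    apply_rule filter FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    apply_rule nat POSTROUTING -o "$WAN_IF" -s "$VPN_NET" -j MASQUERADE
}

# Usage (as root): feed the most recent reject line in and apply only if it matches:
#   grep 'Shorewall:ovpn2net:REJECT' /var/log/messages | tail -n 1 | sh vpnfwd.sh --apply
case "${1:-}" in
    --apply)
        read -r line
        echo "logged: $(log_chain_action "$line")"
        log_is_vpn_forward "$line" && apply_all
        ;;
esac
```

Two caveats for anyone copying this: rules inserted by hand with `iptables -I` sit in front of the chains Shorewall generates and are discarded the next time NethServer rebuilds the firewall, so they are a diagnostic rather than a configuration; and the FORWARD rule only admits NEW connections, so the reply packets still depend on the ESTABLISHED,RELATED rule Shorewall already installs.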

Hi @bikulov
sorry for the late reply

We ask for help @islipfd19 @jitkian @dnutan @Hunv @firsttiger @ssabbath :wink:

1 Like

I do believe that this is possible from the GUI; I managed to do all my rules from it.

What do you mean “from point 3” ?

1 Like

I had to execute two additional commands on the server before OpenVPN clients were able to reach the Internet:

# let new connections from the VPN subnet be forwarded from tun0 out of the WAN interface
iptables -I FORWARD -i tun0 -o eth0 -s 10.10.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
# masquerade the VPN subnet behind eth0's address; -s must be the VPN subnet or nothing is NATed
iptables -t nat -I POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE

I’d like to do the same iptables configuration via the NethServer web UI, without the command line, if that is possible.

Without manual iptables configuration, OpenVPN clients (with all traffic routed through the VPN) connect to the server, but I cannot open any website from them.

Marking this checkbox really works for me :stuck_out_tongue:

Just tested it out here.

BTW, an update to OpenVPN was released today.

@bikulov did you check @ssabbath’s suggestion?