OpenVPN Server routing between multiple interfaces
by Flowsen from LinuxQuestions.org on (#5SWA3)
Hi, I am looking for help with an OpenVPN setup where I have problems reaching targets on a second network interface of the OpenVPN server.
Please see attached picture which shows the IP addresses of the clients and network interfaces of the OpenVPN Server.
VPN:
server: 10.8.0.1
client1: 10.8.0.2
client2: 10.8.0.3
client3: 10.8.0.4
client4: 10.8.0.5
client5: 10.8.0.6
eth0 (VPN Server):
172.31.4.115 (route for client1)
172.31.10.54 (route for client2)
172.31.14.166 (route for client3)
eth1 (VPN Server):
172.31.15.5 (route for client4)
172.31.7.18 (route for client5)
...
I am using iptables and SNAT to forward the traffic based on source IP (client) to the specific IP on the OpenVPN server.
This works without any problems for client1, client2, client3, where the destination interface is eth0.
For client4, client5, where the destination interface is eth1, I am unable to route the traffic or even ping the IP.
I am really wondering what could be the reason.
iptables on the server:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
/usr/sbin/iptables -t nat -F
#
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.2 -j SNAT --to 172.31.4.115
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.4.115 --dport 22 -j DNAT --to-dest 10.8.0.2:22
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.4.115 --dport 80 -j DNAT --to-dest 10.8.0.2:80
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.4.115 --dport 44158 -j DNAT --to-dest 10.8.0.2:44158
#
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.3 -j SNAT --to 172.31.14.177
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.14.177 --dport 22 -j DNAT --to-dest 10.8.0.3:22
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.14.177 --dport 80 -j DNAT --to-dest 10.8.0.3:80
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.14.177 --dport 44158 -j DNAT --to-dest 10.8.0.3:44158
#
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.4 -j SNAT --to 172.31.10.54
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.10.54 --dport 22 -j DNAT --to-dest 10.8.0.4:22
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.10.54 --dport 80 -j DNAT --to-dest 10.8.0.4:80
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.10.54 --dport 44158 -j DNAT --to-dest 10.8.0.4:44158
#
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.5 -j SNAT --to 172.31.15.5
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.15.5 --dport 22 -j DNAT --to-dest 10.8.0.5:22
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.15.5 --dport 80 -j DNAT --to-dest 10.8.0.5:80
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.31.15.5 --dport 44158 -j DNAT --to-dest 10.8.0.5:44158
ip address:
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 02:24:9f:96:87:b2 brd ff:ff:ff:ff:ff:ff
inet 172.31.8.247/20 brd 172.31.15.255 scope global dynamic eth0
valid_lft 3012sec preferred_lft 3012sec
inet 172.31.4.115/20 brd 172.31.15.255 scope global secondary eth0
valid_lft forever preferred_lft forever
inet 172.31.10.54/20 brd 172.31.15.255 scope global secondary eth0
valid_lft forever preferred_lft forever
inet 172.31.14.177/20 brd 172.31.15.255 scope global secondary eth0
valid_lft forever preferred_lft forever
inet6 fe80::24:xxxx:fe96:87b2/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 02:9e:13:ba:cd:d2 brd ff:ff:ff:ff:ff:ff
inet 172.31.15.5/20 brd 172.31.15.255 scope global dynamic eth1
valid_lft 3193sec preferred_lft 3193sec
inet 172.31.7.18/20 brd 172.31.15.255 scope global secondary eth1
valid_lft forever preferred_lft forever
inet 172.31.8.7/20 brd 172.31.15.255 scope global secondary eth1
valid_lft forever preferred_lft forever
inet 172.31.4.163/20 brd 172.31.15.255 scope global secondary eth1
valid_lft forever preferred_lft forever
inet6 fe80::9e:xxxx:feba:cdd2/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 02:70:77:02:4c:3a brd ff:ff:ff:ff:ff:ff
inet 172.31.3.55/20 brd 172.31.15.255 scope global dynamic eth2
valid_lft 2972sec preferred_lft 2972sec
inet 172.31.7.165/20 brd 172.31.15.255 scope global secondary eth2
valid_lft forever preferred_lft forever
inet 172.31.3.63/20 brd 172.31.15.255 scope global secondary eth2
valid_lft forever preferred_lft forever
inet 172.31.11.150/20 brd 172.31.15.255 scope global secondary eth2
valid_lft forever preferred_lft forever
inet6 fe80::70:xxxx:fe02:4c3a/64 scope link
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::70c0:xxxx:ca81:1bf4/64 scope link stable-privacy
valid_lft forever preferred_lft forever
iptables --list -vv -n
Code:
Chain PREROUTING (policy ACCEPT 492 packets, 32971 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.4.115 tcp dpt:22 to:10.8.0.2:22
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.4.115 tcp dpt:80 to:10.8.0.2:80
25 1500 DNAT tcp -- * * 0.0.0.0/0 172.31.4.115 tcp dpt:44158 to:10.8.0.2:44158
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.14.177 tcp dpt:22 to:10.8.0.3:22
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.14.177 tcp dpt:80 to:10.8.0.3:80
41 2460 DNAT tcp -- * * 0.0.0.0/0 172.31.14.177 tcp dpt:44158 to:10.8.0.3:44158
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.10.54 tcp dpt:22 to:10.8.0.4:22
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.10.54 tcp dpt:80 to:10.8.0.4:80
66 3960 DNAT tcp -- * * 0.0.0.0/0 172.31.10.54 tcp dpt:44158 to:10.8.0.4:44158
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.15.5 tcp dpt:22 to:10.8.0.5:22
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.15.5 tcp dpt:80 to:10.8.0.5:80
0 0 DNAT tcp -- * * 0.0.0.0/0 172.31.15.5 tcp dpt:44158 to:10.8.0.5:44158
Chain INPUT (policy ACCEPT 22 packets, 2308 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 315 packets, 23706 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 447 packets, 31626 bytes)
pkts bytes target prot opt in out source destination
32 2016 SNAT all -- * * 10.8.0.2 0.0.0.0/0 to:172.31.4.115
21 1284 SNAT all -- * * 10.8.0.3 0.0.0.0/0 to:172.31.14.177
77 4695 SNAT all -- * * 10.8.0.4 0.0.0.0/0 to:172.31.10.54
322 21156 SNAT all -- * * 10.8.0.5 0.0.0.0/0 to:172.31.15.5
route -n
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.0.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 172.31.0.1 0.0.0.0 UG 10001 0 0 eth1
0.0.0.0 172.31.0.1 0.0.0.0 UG 10002 0 0 eth2
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
169.254.169.254 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth1
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth2
From client4 and client5 I can ping 172.31.4.115, 172.31.14.177, 172.31.10.54, but I am not able to ping 172.31.15.5, which is on eth1...
What am I missing? I have been trying for 3 days now and cannot get it working. I would like to avoid setting up bridging...
I think it has something to do with the routes. Any advice?
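Since all three interfaces sit in the same 172.31.0.0/20 and every first-match route in the table above points at eth0, one thing worth checking is whether a packet that carries an eth1 address as its source (after SNAT) would actually leave through eth1. The script below is an added diagnostic, not the poster's script or any OpenVPN tooling; its sample text is constructed from the `ip address` and `route -n` output in the post, and the destination 172.31.2.1 is an assumed peer on the subnet.

```python
"""Added diagnostic for the setup above (not the poster's script): does each
SNAT source address live on the interface the main routing table will use?"""
import ipaddress
import re

# Constructed sample, trimmed from the `ip address` and `route -n` output in the post.
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP
    inet 172.31.8.247/20 brd 172.31.15.255 scope global dynamic eth0
    inet 172.31.4.115/20 brd 172.31.15.255 scope global secondary eth0
    inet 172.31.10.54/20 brd 172.31.15.255 scope global secondary eth0
    inet 172.31.14.177/20 brd 172.31.15.255 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP
    inet 172.31.15.5/20 brd 172.31.15.255 scope global dynamic eth1
    inet 172.31.7.18/20 brd 172.31.15.255 scope global secondary eth1
"""
ROUTE_N = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.0.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 172.31.0.1 0.0.0.0 UG 10001 0 0 eth1
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth1
"""
SNAT_MAP = {"10.8.0.2": "172.31.4.115", "10.8.0.5": "172.31.15.5"}  # client -> SNAT --to

def parse_ip_addr(text):
    """Map each IPv4 address to the interface that owns it (last token of the inet line)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*inet (\S+)/\d+ .*?(\S+)$", text, re.M)}

def parse_routes(text):
    """Turn `route -n` rows into (network, metric, iface), keeping table order."""
    routes = []
    for line in text.splitlines()[1:]:
        dst, _gw, mask, _flags, metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dst}/{mask}"), int(metric), iface))
    return routes

def egress_iface(routes, dst):
    """Kernel selection: longest prefix, then lowest metric, then first in table."""
    cands = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(cands, key=lambda r: (r[0].prefixlen, -r[1]))[2]

def check_return_paths(snat_map, ip_addr_text, route_text, dst):
    """Return {snat_ip: (owning_iface, egress_iface)} for every SNAT address whose
    packets toward `dst` would leave on an interface that does not own that address."""
    owner, routes = parse_ip_addr(ip_addr_text), parse_routes(route_text)
    via = egress_iface(routes, dst)
    return {ip: (owner.get(ip), via) for ip in snat_map.values() if owner.get(ip) != via}
```

A result such as `{'172.31.15.5': ('eth1', 'eth0')}` means traffic sourced from an eth1 address is sent out eth0, an asymmetric path that upstream anti-spoofing filters commonly drop; per-source policy routing (`ip rule add from <addr> lookup <table>` with that table's routes pinned to eth1) is the usual way to keep each address on its own interface.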