[CentOS] IP forwarding and OpenVPN
Les Mikesell
lesmikesell at gmail.com
Thu Nov 4 12:49:05 UTC 2010
On 11/4/10 3:39 AM, Bart Schaefer wrote:
> On Wed, Nov 3, 2010 at 7:05 PM, Les Mikesell<lesmikesell at gmail.com> wrote:
>> You probably are forwarding packets to the other end of the vpn. Does whatever
>> is on the other end have a route back to your 192.168.144.x range through that
>> end of the vpn?
>
> Ah, that may indeed be the problem. I'm a bit rusty with this stuff.
> The CentOS box is doing IP forwarding, but that doesn't mean that it's
> actually acting as a NAT?
No, NAT is something you do in iptables, and if you have done it, the setup is
likely to be interface-specific.
> On the far end, 192.168.144.0/255 would
> just use the default route, which is to the gateway for the network to
> which the VPN is connected. There's no explicit route for my LAN
> range.
Quick check is a traceroute from the remote server to a 192.168.144.x address.
If it doesn't go into the tunnel interface, you need to add a route for the range
via the remote tunnel IP.
>> Connections from the server itself will source from the tunnel
>> address, not the LAN.
>
> Well, yeah, that part I expected. I was presuming the return packets
> would go back to the tunnel address, which would send them to my
> server, which would then NAT them back to the original LAN source; but
> maybe that translation isn't happening where I thought it was.
No, you can NAT at the tun interface but then the connections only work in one
direction. Normally for LAN-LAN connections you want to maintain and route the
private ranges and only NAT at the internet gateways.
--
Les Mikesell
lesmikesell at gmail.com
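A scripted form of the route check Les describes, added here as an example and not part of the original thread: it reads an `ip route` listing from the far end of the tunnel, reports whether the LAN range is already routed into the tunnel interface, and otherwise prints the `ip route add` that would be needed. The LAN range 192.168.144.0/24 comes from the thread; the interface name `tun0`, the tunnel addresses 10.8.0.1/10.8.0.2 and the 203.0.113.x public addresses are assumptions, and the sample routing table is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Given the routing table of the remote
# VPN endpoint, decide whether the local LAN range has an explicit route into
# the tunnel, and print the route command that would fix it if not.
# Assumed values: LAN 192.168.144.0/24 (from the thread), tunnel interface
# tun0, far side's tunnel IP 10.8.0.1 (both assumed).

LAN_NET="192.168.144.0/24"
TUN_IF="tun0"
REMOTE_TUN_IP="10.8.0.1"

# Constructed sample of `ip route show` on the far end: only a default route
# and the tunnel's own /24. Nothing sends 192.168.144.0/24 into tun0, so
# replies for the LAN would leave via eth0 and the default gateway.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

# lan_route_dev ROUTES NET
# Print the device through which NET has an explicit route, or nothing if
# there is no such route (in which case the default route would be used).
lan_route_dev() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == net { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# check_lan_route ROUTES NET IF
# Exit status 0 if NET is routed via interface IF, 1 otherwise.
check_lan_route() {
    route_dev=$(lan_route_dev "$1" "$2")
    [ "$route_dev" = "$3" ]
}

# fix_command ROUTES NET IF REMOTE_TUN_IP
# Print either a confirmation or the `ip route add` needed on the far end so
# that traffic for NET goes back through the tunnel to the LAN side.
fix_command() {
    if check_lan_route "$1" "$2" "$3"; then
        echo "route ok: $2 via $3"
    else
        echo "ip route add $2 via $4 dev $3"
    fi
}

# Usage on the constructed sample (on a live box you would feed in
# `ip route show` and confirm with a traceroute to a 192.168.144.x host).
fix_command "$SAMPLE_ROUTES" "$LAN_NET" "$TUN_IF" "$REMOTE_TUN_IP"
```

With the sample table the script prints the missing `ip route add 192.168.144.0/24 via 10.8.0.1 dev tun0`; once that line is present in the far end's table it reports the route as ok. This is the routed LAN-to-LAN setup Les recommends, with the private ranges carried through the tunnel and no NAT on the tun interface.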