From: David R. <da...@da...> - 2010-01-22 18:42:38

Just wanted to report back for posterity. FYI - this worked nicely. The servers weren't on an internal network (only eth0 w/ public IPs, and lo). But I pushed routes for the 2 servers I need to access behind the firewall, and added the iptables NAT'ting, and everything's working like a charm.

Many thanks on the iptables tip, by the way. I think that was one of the problems I was having (network traffic wasn't reaching the servers in question), and it would have taken a lot of hair pulling to figure out that that was the solution. (There doesn't appear to be anything in the docs or FAQ about this.)

Thanks much to everyone who responded (and particularly you, Colin).

Best,

DR

On 01/21/2010 10:25 AM, Colin Ryan wrote:
> I would try then pushing host routes for each system,
>
> i.e.
> push "route public1.xx.xx.xx 255.255.255.255"
> push "route public2.xx.xx.xx 255.255.255.255"
>
> etc etc. (provided you don't have too many).
>
> Host routes would be required if the openvpn server itself is on the
> same subnet as the machines you want to access, otherwise you'd override
> the route to the server itself... though check the man pages for openvpn;
> there may be some options in the redirect gateway directives that can
> preserve the proper path to the openvpn server itself.
>
> If the target machines were on a different subnet than the OVPN server
> then you should be able to push a normal subnet route directive for
> those addresses, public or not.
>
> Then run iptables to NAT traffic from the openvpn client subnet
>
> iptables -t nat -A POSTROUTING -s <ovpn network>/<ovpn netmask> -o eth0 -j MASQUERADE
>
> or
>
> iptables -t nat -A POSTROUTING -s <ovpn network>/<ovpn netmask> -j SNAT --to-source <some local IP on the ovpn server machine>
>
> The only limitation to this (because of NAT) is that the machines in
> the cloud would not be able to initiate their own net new connections
> back to connected clients.
>
> I think this makes sense ;-)
>
> Colin
>
> David Rosenstrauch wrote:
>> I guess now that I think about it, I have a slightly more complicated
>> situation:
>>
>> The cloud network is not a private subnet. All of our machines on it have
>> IP addresses on the public Internet.
>>
>> So I guess what I'm really trying to do is use OpenVPN to get me behind
>> the firewall (in order to access protected web sites).
>>
>> Is this not possible and/or not a correct use of OpenVPN?
>>
>> Thanks,
>>
>> DR
>>
>> On Wed, January 20, 2010 10:48 pm, Colin Ryan wrote:
>>
>>> Maybe I'm missing something here... but wouldn't either pushing a route
>>> for the _private_ subnet that your cloud machines are on to your client
>>> be sufficient, or even, depending on how many machines you have, host
>>> routes (i.e. xx.xx.xx.xx/255.255.255.255 for each system)?
>>>
>>> If the VPN server can get to every machine that you want to get to then
>>> the only issue is to push routes so that the connected clients are told
>>> that those routes are over the VPN Server. Once the packets reach the
>>> VPN server they will behave normally as per the network setups there.
>>>
>>> ???
>>>
>>> Colin
>>>
>>> David Rosenstrauch wrote:
>>>
>>>> We have a network running at a cloud vendor. I'm trying to set up VPN
>>>> access to it using OpenVPN.
>>>>
>>>> I've got basic client-to-server VPN connectivity configured and working
>>>> using static keys. i.e., the client (my laptop) can ping, ssh, etc.
>>>> into the VPN server (one of our cloud servers) over the VPN. So far so
>>>> good.
>>>>
>>>> What I'm trying to do now, though, is to set routing so that network
>>>> traffic to all of our other servers in the cloud network gets routed
>>>> over the VPN. This way we would be able to use the VPN to access
>>>> private web servers that are behind the VPN & cloud firewall. I'm not
>>>> having much success here though.
>>>>
>>>> In fact, after doing a bunch of RTFM, I'm not even sure that this is
>>>> possible using OpenVPN in our configuration, since I don't have control
>>>> over the gateway server on the cloud network.
>>>>
>>>> According to the OpenVPN docs: "Next, you must set up a route on the
>>>> server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to
>>>> the OpenVPN server (this is only necessary if the OpenVPN server and the
>>>> LAN gateway are different machines)."
>>>>
>>>> Although I have full control over the OpenVPN server (one of our cloud
>>>> machines), the gateway for the OpenVPN server is a machine operated by
>>>> the cloud vendor.
>>>>
>>>> Is there any way to accomplish what I'm trying to do (i.e.,
>>>> VPN-protected web servers in a cloud LAN) using OpenVPN?
>>>>
>>>> Thanks,
>>>>
>>>> DR
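As an added example (not part of the thread, and not OpenVPN project code), here is a small Python helper that generates the `push "route ..."` lines and the iptables POSTROUTING rule Colin describes, from a list of target servers. It enforces the one check the thread warns about: a pushed route must never cover the OpenVPN server's own public address, because the client would then try to send the tunnel's own packets through the tunnel. All addresses are constructed (the 203.0.113.0/24 documentation range); 10.8.0.0/24 is the client subnet quoted from the OpenVPN docs. The function and parameter names are my own.

```python
"""Generate OpenVPN push-route lines and the matching iptables NAT rule.

Constructed example; addresses are from the 203.0.113.0/24 documentation range.
"""
import ipaddress

HOST_MASK = "255.255.255.255"


def covers_endpoint(route_net, server_public_ip):
    """True if a candidate route would capture the VPN server's own public IP."""
    return ipaddress.IPv4Address(server_public_ip) in ipaddress.IPv4Network(route_net, strict=False)


def host_route_lines(targets, server_public_ip):
    """One /32 host route per target, as 'push \"route A.B.C.D 255.255.255.255\"'.

    Host routes are what the thread recommends when the targets share a subnet
    with the OpenVPN server: a subnet route would override the path to the
    server itself, a /32 for each target does not.
    """
    lines = []
    for target in targets:
        addr = ipaddress.IPv4Address(target)
        if covers_endpoint(f"{addr}/32", server_public_ip):
            raise ValueError(f"refusing to route the VPN endpoint {addr} through the tunnel")
        lines.append(f'push "route {addr} {HOST_MASK}"')
    return lines


def subnet_route_line(subnet, server_public_ip):
    """A single subnet route, only allowed when the server is NOT inside it."""
    net = ipaddress.IPv4Network(subnet, strict=False)
    if covers_endpoint(net, server_public_ip):
        raise ValueError(f"{net} contains the VPN endpoint {server_public_ip}; push host routes instead")
    return f'push "route {net.network_address} {net.netmask}"'


def nat_rule(vpn_subnet, out_iface="eth0", snat_source=None):
    """POSTROUTING rule so replies from the cloud servers come back to the VPN server.

    MASQUERADE (default) or SNAT to a fixed local IP. Either way this is
    one-directional: cloud machines cannot open new connections to clients.
    """
    net = ipaddress.IPv4Network(vpn_subnet, strict=False)
    base = f"iptables -t nat -A POSTROUTING -s {net.with_prefixlen}"
    if snat_source is None:
        return f"{base} -o {out_iface} -j MASQUERADE"
    ipaddress.IPv4Address(snat_source)  # validate before emitting the rule
    return f"{base} -j SNAT --to-source {snat_source}"


def server_conf_fragment(targets, server_public_ip, vpn_subnet="10.8.0.0/24"):
    """Everything to paste into server.conf plus the iptables command to run."""
    routes = host_route_lines(targets, server_public_ip)
    return "\n".join(routes), nat_rule(vpn_subnet)


if __name__ == "__main__":
    # Constructed scenario: VPN server 203.0.113.5, two protected web servers
    # on the same public subnet, clients on 10.8.0.0/24.
    conf, nat = server_conf_fragment(["203.0.113.10", "203.0.113.11"], "203.0.113.5")
    print(conf)
    print(nat)
```

Running the script prints two `push "route ..."` lines and the MASQUERADE rule. `subnet_route_line("203.0.113.0/24", "203.0.113.5")` raises, which is exactly the case where the thread says to fall back to host routes.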