From: Erich T. <eri...@th...> - 2010-11-22 22:31:42
On 22.11.2010 17:09, Jenny Lee wrote:
>> Just add the necessary routes to Network C and configure your
>> firewalls/server accordingly.
>
> If I knew how to do this properly, I would not be asking assistance from the mailing list, would I?

OK, let's see. I would suggest to drop all NATting and firewalling to start with.

First you need to make sure client A knows that packets to Server C need to go to Server B.... set a route from A to C through B. Now B receives the packet for C in its tun interface and, if it has a route to C and routing is enabled on B, it will happily forward this packet without caring too much.

The packet arrives at C then, and C tries to acknowledge, but it does not know whom to send the reply to; how should it? It is coming from the tunnel address on A, which C does not know about.

There are at least two solutions: either you tell C about the route to A, easiest on OpenVPN with iroute, or you need to masquerade the traffic on B using iptables. The rest depends on what you decide to do here. If you use masquerading then everything should go fine, else look at the iroute parameter in OpenVPN.

You stated that you are not a networking person but you feel fit to build such a system. OK, but this is not completely trivial, neither is it rocket science; still, you will need to dig into networking if your system should go live. Some of us do this for a living and we are still challenged by complicated setups.

If the circumstances force you to go such a crooked path then this is not a security issue, but a political one. Maybe the designer of the system did not want to allow this kind of access.

Anyway, with the principles above, access to B and a tool like tcpdump you should get it up and running.

cheers
Erich
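The steps Erich describes (route on A, forwarding on B, then either masquerading on B or a return route on C, checked with tcpdump), written out as an added example that is not from the thread. All addresses and interface names are constructed assumptions (10.8.0.0/24 tunnel, B's tun0 at 10.8.0.1, B's LAN side eth0 at 192.168.3.1, C at 192.168.3.10); the "tell C about the route" option is shown as a plain kernel route on C rather than OpenVPN's iroute.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed assumptions:
#   A = OpenVPN client on the 10.8.0.0/24 tunnel net
#   B = OpenVPN server, tun0 = 10.8.0.1, LAN side eth0 = 192.168.3.1
#   C = 192.168.3.10, reachable from B's LAN side
TUN_NET="10.8.0.0/24"; B_TUN_IP="10.8.0.1"; B_LAN_IP="192.168.3.1"
B_LAN_IF="eth0"; C_IP="192.168.3.10"

# With DRY_RUN=1 each command is printed instead of executed, so the plan
# can be reviewed before it is applied to a live box.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Step 1 (on A): packets for C go into the tunnel towards B.
route_on_a() {
    run ip route add "$C_IP/32" via "$B_TUN_IP" dev tun0
}

# Step 2 (on B): enable routing, but forward only tunnel -> C and C's replies,
# rather than running B with forwarding wide open.
forwarding_on_b() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i tun0 -o "$B_LAN_IF" -s "$TUN_NET" -d "$C_IP" -j ACCEPT
    run iptables -A FORWARD -i "$B_LAN_IF" -o tun0 -s "$C_IP" -d "$TUN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Option (a), on B: masquerade, so C sees B's LAN address and needs no route.
masquerade_on_b() {
    run iptables -t nat -A POSTROUTING -s "$TUN_NET" -d "$C_IP" -o "$B_LAN_IF" -j MASQUERADE
}

# Option (b), on C: tell C that the tunnel net is reachable via B (no NAT).
route_on_c() {
    run ip route add "$TUN_NET" via "$B_LAN_IP"
}

# Check (on B): watch A's packets enter the tunnel and C's replies come back.
watch_on_b() {
    run tcpdump -ni tun0 host "$C_IP"
}
```

Run `DRY_RUN=1 sh script.sh` style functions first to read the generated commands; apply option (a) or (b), not both.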