How to configure iptables to connect to OpenVPN client?
Good afternoon!
Usually everyone configures access of OpenVPN clients to the server (it already works for me). And now I need the other way around - RDP access from the server's local network to the connected client.
Please tell me how to set this up correctly.
Available:
1. Home network 192.168.10.0/24; the gateway is a Linux box, 192.168.10.1.
2. OpenVPN server 10.15.0.1 is running on the gateway.
3. There is an OpenVPN client 10.15.0.3 that can RDP one of the machines on the home network, everything else is disabled (at least I hope).
4. Another client is not allowed access to the local network, but the OpenVPN server acts as an Internet gateway for it.
5. From the desired home machine 192.168.10.2, the server 10.15.0.1 is successfully pinged, but not the desired 10.15.0.3 (possibly because the icmp ports for this network are closed on that machine).
$ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 5 packets, 254 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3064  219K MASQUERADE  all  --  *      enp3s0  192.168.10.0/24      0.0.0.0/0
  375 24138 MASQUERADE  all  --  *      enp3s0  10.15.0.0/24         0.0.0.0/0

$ sudo iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4812  279K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4359K 2020M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4157  285K fw-interfaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw-open    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

$ sudo iptables -nvL fw-interfaces
Chain fw-interfaces (1 references)
 pkts bytes target     prot opt in     out     source               destination
   74  3848 ACCEPT     tcp  --  tun0   *       10.15.0.3            192.168.10.20        tcp dpt:3389
 3627  252K ACCEPT     all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  tun0   *       10.15.0.0/16         192.168.10.0/16
  460 29487 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
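To see which rule actually decides a given flow in the chains posted above, here is an added example (not code from the question or from any answer): a small offline simulator that parses an `iptables -nvL`-style listing and walks one NEW packet through FORWARD and its user chains. The listing it uses is reconstructed from the question with the counters zeroed; it assumes fw-open is empty (the post shows it with 0 packets but never lists its rules), that enp2s0 is the LAN interface and enp3s0 the Internet uplink (inferred from the MASQUERADE rules), and it does not simulate conntrack state or TCP flag matches, so every packet is treated as the first of a new connection.

```python
"""Walk one NEW packet through the FORWARD chain of an iptables -nvL listing.

Added example (not from the original post). Assumptions: fw-open is empty,
enp2s0 = LAN, enp3s0 = uplink, conntrack/TCP-flag matches are not simulated.
"""
import ipaddress
import re

# Constructed from the question's listing (counters zeroed; fw-open assumed empty).
SAMPLE_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 fw-interfaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw-open    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

Chain fw-interfaces (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  tun0   *       10.15.0.3            192.168.10.20        tcp dpt:3389
    0     0 ACCEPT     all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  tun0   *       10.15.0.0/16         192.168.10.0/16
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain fw-open (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+(?P<in>\S+)\s+"
    r"(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end evaluation


def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [...]}} from -nvL output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        r = RULE_RE.match(line)
        if not r:
            continue
        extra = r.group("extra")
        dport = re.search(r"\bdpt:(\d+)", extra)
        chains[current]["rules"].append({
            "target": r.group("target"), "proto": r.group("proto"),
            "in": r.group("in"), "out": r.group("out"),
            # strict=False normalises e.g. 192.168.10.0/16 to 192.168.0.0/16,
            # exactly as the kernel applies the mask
            "src": ipaddress.ip_network(r.group("src"), strict=False),
            "dst": ipaddress.ip_network(r.group("dst"), strict=False),
            "dport": int(dport.group(1)) if dport else None,
            "conntrack": re.search(r"\bstate\b", extra) is not None,
        })
    return chains


def packet(in_if, out_if, src, dst, proto="tcp", dport=None):
    """Describe one NEW packet as the FORWARD chain sees it."""
    return {"in": in_if, "out": out_if, "proto": proto, "dport": dport,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def rule_matches(rule, pkt):
    if rule["conntrack"]:                 # RELATED,ESTABLISHED never matches a NEW packet
        return False
    if rule["in"] != "*" and rule["in"] != pkt["in"]:
        return False
    if rule["out"] != "*" and rule["out"] != pkt["out"]:
        return False
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if pkt["src"] not in rule["src"] or pkt["dst"] not in rule["dst"]:
        return False
    return rule["dport"] is None or rule["dport"] == pkt["dport"]


def verdict(chains, pkt, chain="FORWARD"):
    """Return (verdict, deciding rule); (None, ...) if a user chain returns."""
    entry = chains[chain]
    for i, rule in enumerate(entry["rules"], 1):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, f"{chain} rule {i}"
        if target == "RETURN":
            break
        if target in chains:              # jump; fall through if the user chain returns
            result = verdict(chains, pkt, target)
            if result[0] is not None:
                return result
        # non-terminating targets such as TCPMSS: keep walking this chain
    if entry["policy"]:
        return entry["policy"], f"{chain} policy"
    return None, f"{chain} returned"


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    flows = {
        "LAN .2 -> client .3 RDP": packet("enp2s0", "tun0", "192.168.10.2", "10.15.0.3", "tcp", 3389),
        "LAN .2 -> client .3 ping": packet("enp2s0", "tun0", "192.168.10.2", "10.15.0.3", "icmp"),
        "client .3 -> LAN .20 RDP": packet("tun0", "enp2s0", "10.15.0.3", "192.168.10.20", "tcp", 3389),
        "client .4 -> LAN .20 RDP": packet("tun0", "enp2s0", "10.15.0.4", "192.168.10.20", "tcp", 3389),
        "client .4 -> Internet": packet("tun0", "enp3s0", "10.15.0.4", "203.0.113.9", "tcp", 443),
    }
    for name, pkt in flows.items():
        print(f"{name:28} {verdict(chains, pkt)}")
```

Two things the walk makes visible. First, the `ACCEPT all -- enp2s0 *` rule already forwards anything arriving from the LAN, RDP and ICMP included, and the RELATED,ESTABLISHED rule lets the replies back through tun0; so the gateway is not what blocks the ping in item 5, and a host firewall on the client is the next place to look. Second, the DROP rule's `/16` masks are applied to 10.15.0.0 and 192.168.10.0, so it covers 10.15.0.0/16 and 192.168.0.0/16 rather than the two /24 networks in the question; a practitioner would usually tighten those to the actual prefixes.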
A couple of days later I sat down, thought it through, and it came together in two steps:
1. On the OpenVPN client (Windows 7), in the firewall's advanced settings, I enabled the "Remote Desktop Control (TCP - Incoming)" rule for public networks (my VPN connection was listed as a "Public Network").
2. On the gateway, I added the following rule to the fw-interfaces chain in iptables:
And everything worked!