Oleg, 2016-08-18 23:46:07
linux

How to configure iptables to connect to an OpenVPN client?

Good afternoon!
Usually everyone configures access of OpenVPN clients to the server (that already works for me). Now I need the other way around: RDP access from the server's local network to the connected client.
Please tell me how to set everything up correctly.
Available:
1. Home network 192.168.10.0/24, gateway: Linux, 192.168.10.1
2. An OpenVPN server, 10.15.0.1, is running on the gateway.
3. There is an OpenVPN client, 10.15.0.3, that can RDP to one of the machines on the home network; everything else is blocked (at least I hope so).
4. Another client is not allowed access to the local network, but the OpenVPN server acts as an Internet gateway for it.
5. From the desired home machine 192.168.10.2, the server 10.15.0.1 pings successfully, but the desired 10.15.0.3 does not (possibly because the ICMP ports for this network are closed on that machine).

$ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 5 packets, 254 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3064  219K MASQUERADE  all  --  *      enp3s0  192.168.10.0/24        0.0.0.0/0           
  375 24138 MASQUERADE  all  --  *      enp3s0  10.15.0.0/24         0.0.0.0/0

$ sudo iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4812  279K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4359K 2020M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4157  285K fw-interfaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 fw-open    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

$ sudo iptables -nvL fw-interfaces
Chain fw-interfaces (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   74  3848 ACCEPT     tcp  --  tun0   *       10.15.0.3            192.168.10.20          tcp dpt:3389
 3627  252K ACCEPT     all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  tun0   *       10.15.0.0/16         192.168.10.0/16       
  460 29487 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

tun0 - OpenVPN interface
enp2s0 - local interface (home network)
enp3s0 - external interface (router)
A related question: do I need to close ICMP on the router's external interface (with links to authoritative sources, if possible), and if so, what is the correct way to do it, DROP or REJECT?
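As an added illustration (not code from the question or the answer), the following Python evaluator walks the fw-interfaces listing above with first-match semantics, so each of the flows the question describes can be checked against the chain: the single allowed VPN-to-LAN RDP session, the second client that must only reach the Internet, and the LAN-to-client direction being asked about. It models interface, protocol, address and port matches only, not conntrack state; the test packets are constructed, and it also reports the 192.168.10.0/16 mask in the DROP rule, which covers far more than the stated /24.

```python
import ipaddress
import re

# Rule lines copied from the question's `sudo iptables -nvL fw-interfaces` output.
FW_INTERFACES = """\
   74  3848 ACCEPT     tcp  --  tun0   *       10.15.0.3            192.168.10.20          tcp dpt:3389
 3627  252K ACCEPT     all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  tun0   *       10.15.0.0/16         192.168.10.0/16
  460 29487 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
"""

def parse_chain(listing):
    """Parse `iptables -nvL` rule lines into dicts; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue  # "Chain ..." and column-header lines carry no rule
        m = re.search(r"dpt:(\d+)", line)
        rules.append({
            "target": f[2], "proto": f[3], "in": f[5], "out": f[6],
            # strict=False mirrors iptables, which masks 192.168.10.0/16 to 192.168.0.0/16
            "src": ipaddress.ip_network(f[7], strict=False),
            "dst": ipaddress.ip_network(f[8], strict=False),
            "dport": int(m.group(1)) if m else None,
        })
    return rules

def verdict(rules, in_if, proto, src, dst, dport=None):
    """First-match walk of one chain. Returns the first matching rule's target, or
    None when nothing matched (in the FORWARD chain above that falls through to
    fw-open and then the REJECT). Conntrack state is deliberately not modelled."""
    for r in rules:
        if r["in"] not in ("*", in_if) or r["proto"] not in ("all", proto):
            continue
        if ipaddress.ip_address(src) not in r["src"] or ipaddress.ip_address(dst) not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return None

def loose_masks(listing):
    """Report address/mask tokens with host bits set (e.g. 192.168.10.0/16);
    iptables widens these silently, so the rule matches more than intended."""
    found = []
    for tok in listing.split():
        if "/" in tok and tok != "0.0.0.0/0":
            try:
                ipaddress.ip_network(tok, strict=True)
            except ValueError:
                found.append(tok)
    return found

RULES = parse_chain(FW_INTERFACES)
```

With this listing the enp2s0 catch-all already accepts the LAN-to-client packets (and ICMP), so the gateway is not what drops that direction; the return traffic is covered by the RELATED,ESTABLISHED rule in FORWARD.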

Oleg, 2016-08-24
@Batiskaf_stv

A couple of days later I sat down, thought it over, and it came together in 2 steps:
1. On the OpenVPN client (Windows 7), in the firewall's advanced settings, I allowed RDP for public networks in the rules (my VPN connection was classified as a "Public Network") (the "Remote Desktop Control (TCP - Incoming)" rule).
2. On the gateway, I added the following rule to the fw-interfaces chain in iptables:
And everything worked!
