linux
Dmitry I, 2019-01-10 22:34:02

How to configure a Linux firewall to route traffic from ppp* interfaces to the LAN?

Good evening.
There is a router on Debian and a pptpd server.
How do I set up the firewall so that each VPN client has access to the local network, the router and, most importantly, the Internet from a remote host?
GRE and TCP port 1723 are forwarded; devices connect, but do not see the remote LAN.
IP addresses for VPN clients are issued from the same subnet as the LAN.
Local subnet: 192.168.10.0/24.
The idea is that the VPN server is configured so that it lets you bypass all the blocks through TOR: the smartphone connects to the server and gains access to the Internet bypassing the blocks.


1 answer(s)
Andrej Gessel, 2019-01-11
@andiges

hint000,
totally agree, it's worth checking and maybe adding to the question. It is also interesting where the DHCP server is installed, and whether address collisions happen if two different servers hand out addresses from the same network. And while I was writing this, I thought about routing: it turns out that the network 192.168.10.0/24 is reachable through 2 interfaces, which means it is entered into the routing table 2 times. So, when the kernel checks where to send the packet, it always takes one of the 2 routes, and I will assume that one of them has a lower metric (the route to the local network), which means it is always used.
It turns out the following: the client sends a ping to a client on the local network via VPN, that is, the packet goes from the address, say, 192.168.10.4 to 192.168.10.3, arrives at the server, the server checks the routes, selects the best one and sends it to the client in the LAN; that client accepts it and sends a response via its standard route; the answer comes to the server and then an error occurs: the server again looks for the best route for the network 192.168.10.0 and again finds the route into the local network. This can be checked fairly easily by running tcpdump to listen for pings on the server and all the clients.
Bottom line: try to use another network, check the routes, and maybe add them here to check.
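The route-selection problem described in this answer, as an added example that is not part of the original thread: a small simulation of the kernel's longest-prefix, lowest-metric lookup over a constructed routing table. Interface names (eth0, ppp0, eth1) and the metrics are assumptions; the table models the answer's assumption that the LAN route wins the tie against the VPN route for the same /24.

```python
import ipaddress

# Interfaces of the Debian router in the question (names are assumptions, not from the page).
LAN_IF, VPN_IF, WAN_IF = "eth0", "ppp0", "eth1"


def lookup(routes, dst):
    """Pick the egress interface the way the kernel does: longest prefix first,
    lowest metric as the tie-break. Returns None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, -metric, iface)
               for net, iface, metric in routes if ip in net]
    return max(matches)[2] if matches else None


def route_table(vpn_subnet):
    """Constructed routing table: LAN /24 via eth0 (metric 0), the VPN subnet via
    ppp0 (metric 50, so it loses a tie with the LAN route), default via the WAN."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), WAN_IF, 100),
        (ipaddress.ip_network("192.168.10.0/24"), LAN_IF, 0),
        (ipaddress.ip_network(vpn_subnet), VPN_IF, 50),
    ]


def trace_ping(vpn_subnet, vpn_client, lan_host):
    """Return (interface for the request, interface for the reply) as chosen on the
    router. Correct delivery needs the request on eth0 and the reply on ppp0."""
    table = route_table(vpn_subnet)
    return lookup(table, lan_host), lookup(table, vpn_client)


if __name__ == "__main__":
    # Overlapping subnet from the question: the reply goes back into the LAN, never to ppp0.
    print("overlap  ", trace_ping("192.168.10.0/24", "192.168.10.4", "192.168.10.3"))
    # Separate VPN subnet, as the answer suggests: the reply now reaches the VPN client.
    print("separate ", trace_ping("192.168.20.0/24", "192.168.20.4", "192.168.10.3"))
```

On a real router the same check is `ip route get <vpn-client-ip>`, run on the server while the VPN client is connected.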
