#StackBounty: #iptables #openvpn Why does iptables forward from one network but not another?

Bounty: 50

I have LAN (10.20.1.0/24) and WLAN (172.16.20.0/24) traffic arriving on ens32 and destined for 10.21.0.1 via OpenVPN tun0 on a Debian 9 system. iptables is forwarding from LAN, but not from WLAN.

Using a TRACE rule in iptables, I get the following via the LAN:

May 14 15:03:07 vpnsrv kernel: [2357925.893248] TRACE: raw:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893288] TRACE: nat:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893317] TRACE: filter:FORWARD:rule:1 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893347] TRACE: filter:ufw-before-logging-forward:return:1 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893365] TRACE: filter:FORWARD:rule:2 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893388] TRACE: filter:ufw-before-forward:rule:8 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893404] TRACE: nat:POSTROUTING:policy:3 IN= OUT=tun0 SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 

but only the first part via the WLAN:

May 14 15:08:44 vpnsrv kernel: [2358263.328390] TRACE: raw:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=172.16.20.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57342 DPT=22 SEQ=3290971808 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E5A69C30000000004020000)
May 14 15:08:44 vpnsrv kernel: [2358263.328430] TRACE: nat:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=172.16.20.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57342 DPT=22 SEQ=3290971808 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E5A69C30000000004020000)

Relevant filter rules are:

-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -i ens32 -o tun0 -j ACCEPT

Why doesn’t traffic from WLAN get forwarded?


Get this bounty!!!
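A small TRACE-log walker, added here as an example (it is not part of the question): it groups the kernel's TRACE lines by flow and reports the last table:chain each packet reached. The sample lines are constructed, abbreviated copies of the two traces above; the point it shows is that a flow whose trace ends at nat:PREROUTING was never handed to filter:FORWARD at all, so the routing decision, not a filter rule, is what to inspect.

```python
import re
from collections import OrderedDict

# Constructed sample: abbreviated copies of the LAN and WLAN traces in the question.
SAMPLE = """\
kernel: TRACE: raw:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=10.20.1.12 DST=10.21.0.1 PROTO=TCP SPT=57269 DPT=22
kernel: TRACE: nat:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=10.20.1.12 DST=10.21.0.1 PROTO=TCP SPT=57269 DPT=22
kernel: TRACE: filter:FORWARD:rule:2 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 PROTO=TCP SPT=57269 DPT=22
kernel: TRACE: filter:ufw-before-forward:rule:8 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 PROTO=TCP SPT=57269 DPT=22
kernel: TRACE: nat:POSTROUTING:policy:3 IN= OUT=tun0 SRC=10.20.1.12 DST=10.21.0.1 PROTO=TCP SPT=57269 DPT=22
kernel: TRACE: raw:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=172.16.20.12 DST=10.21.0.1 PROTO=TCP SPT=57342 DPT=22
kernel: TRACE: nat:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=172.16.20.12 DST=10.21.0.1 PROTO=TCP SPT=57342 DPT=22
"""

# One TRACE line: table:chain:verdict-kind:rule-number, then the packet fields.
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[\w-]+):(?P<kind>policy|rule|return):(?P<num>\d+)"
    r" IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=\S+ SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def parse_trace(text):
    """Return {(src, spt, dst, dpt): [hops]} in the order the kernel logged them;
    each hop is (table, chain, kind, rule_number, out_iface)."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            key = (m["src"], int(m["spt"]), m["dst"], int(m["dpt"]))
            flows.setdefault(key, []).append(
                (m["table"], m["chain"], m["kind"], int(m["num"]), m["out"]))
    return flows


def diagnose(flows):
    """Classify each flow by its last hop. Netfilter order is raw:PREROUTING,
    nat:PREROUTING, then the routing decision, and only then filter:INPUT or
    filter:FORWARD. A trace that stops at nat:PREROUTING therefore died in
    routing (no route, reverse-path filter, martian source); no filter rule ran."""
    report = {}
    for key, hops in flows.items():
        table, chain, kind, num, out = hops[-1]
        last = f"{table}:{chain}:{kind}:{num}"
        if chain == "POSTROUTING" and out:
            verdict = f"forwarded out {out}"
        elif table == "nat" and chain == "PREROUTING":
            verdict = "stalled after PREROUTING: routing decision, not a filter rule"
        else:
            verdict = f"stopped in filter: inspect the rule at {last}"
        report[key] = (last, verdict)
    return report
```

Feed it the real `journalctl -k` or `dmesg` output; flows that never reach FORWARD are the ones to check against `ip route get` and `rp_filter` rather than against the ufw chains.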

#StackBounty: #cisco #openvpn #nat #port-forwarding Port forwarding is not working on CISCO router

Bounty: 50

I have installed OpenVPN Access Server on an ESXi server.

To access it from outside, I have added port forwarding on the Cisco router using the following commands.

#conf t
#ip nat inside source static tcp 10.201.102.163 443 <MY_EXTERNAL_IP> 443
#ip nat inside source static udp 10.201.102.163 443 <MY_EXTERNAL_IP> 443

There were no errors or any messages after executing these commands.

But when I navigate to https://<MY_EXTERNAL_IP>, I am not able to reach the Access Server.


Get this bounty!!!

#StackBounty: #debian #iptables #routing #openvpn #vpn How to route specific VPN traffic via specific VPN client?

Bounty: 50

I have a VPN network based on OpenVPN software. I need to route all traffic in the VPN network whose destination IP is in a specific country via one specific client on this VPN network (a VPN client IP address): a Mikrotik router where NAT (MASQUERADE) is configured for the main internet interface (PPPoE). I need all this traffic to get the public, dynamic IP address owned by this VPN client (the Mikrotik router's PPPoE interface). So on the VPN server I created an iptables mangle rule using the geoip iptables module:

iptables -A PREROUTING -t mangle -i tun0 -m geoip --destination-country COUNTRY_CODE -j MARK --set-mark 1

So I have marked all traffic from clients whose destination IP is in this specific country. Next I tried this solution: create a specific routing table and add a default route. But the default route can only be via a next hop on this network. So when I use this command:

ip route add default via specific_VPN_client dev tun0 table CountryRoute 

I get this error:

RTNETLINK answers: Network is unreachable

Is it possible to route specific traffic to a specific client, but not to the next hop?

I tried this iptables rule too:

iptables -A PREROUTING -i tun0 -m geoip --destination-country COUNTRY_CODE -j DNAT --to-destination Mikrotik_VPN_IP

But the traffic ends up on the Mikrotik router. Maybe it would be possible to solve this problem on that router?

Thank you for your help.


Get this bounty!!!

#StackBounty: #windows-8 #vpn #internet #openvpn I can connect to VPN using openvpn but I can't get internet

Bounty: 50

I cannot ping google.com or bing.com while connected to my VPN or access any website. I can connect to my VPN, but I do not have internet access while connected.

Below is what I have tried:

  • Disabling Windows Firewall and Comodo firewall
  • Set up my DNS to Cloudflare 1.1.1.1 and Google Public DNS 8.8.8.8
  • Uninstalled my wireless driver, then installed it again as administrator, then uninstalled the OpenVPN client and installed it again as administrator
  • Made the OpenVPN client run as administrator
  • Changed the interface metric for my wifi adapter to 15 or 350
  • See below:

netsh winsock reset
netsh winsock reset catalog
ipconfig /flushdns
ipconfig /release
ipconfig /renew
netsh int ip reset 
netsh int ip reset.log
netsh winsock reset catalog

How can I make my VPN connection have internet? I am using Windows 8.1 64-bit. The VPN connection works on my Android phone.


Get this bounty!!!

#StackBounty: #networking #routing #firewall #openvpn #dhcp DHCP package not transversing tun0 interface

Bounty: 50

I have the following setup on a remote office:

--- vlan interface --- Remote Router --tun0--> Main office Firewall --> Active Directory DHCP

I'm using dhcp3-relay to forward DHCP requests (broadcasts) to my main AD server (unicast). The problem is: the DHCP request arrives at the Remote Router's VLAN interface (broadcast), is correctly forwarded through routing to our AD server, and an answer is given, but when the packet is received it isn't internally forwarded from tun0 to the vlanXXX interface of the Remote Router where the request originally came from. Here is the tcpdump output from the Remote Router.

tun0 interface:

tcpdump -i tun0 -nevvv udp port 67 or 68

13:23:45.049995 Out ethertype IPv4 (0x0800), length 592: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576) IP.VPN.REMOTE.OFFICE.67 > IP.OF.AD.SERVER.67: BOOTP/DHCP, Request from MAC:ADDR:OF:THE:REMOTE:CLIENT, length 548, hops 1, xid 0x2c896edc, secs 11527, Flags [none] (0x0000)
          Gateway-IP IP.OF.NET.GATEWAY
          Client-Ethernet-Address MAC:ADDR:OF:THE:REMOTE:CLIENT [|bootp]

13:23:45.145014  In ethertype IPv4 (0x0800), length 350: (tos 0x0, ttl 125, id 24829, offset 0, flags [none], proto UDP (17), length 334) IP.OF.AD.SERVER.67 > IP.OF.NET.GATEWAY.67: BOOTP/DHCP, Reply, length 306, xid 0x2c896edc, Flags [none] (0x0000)
          Your-IP NEW.LEASE.FROM.AD
          Server-IP IP.OF.AD.SERVER
          Gateway-IP IP.OF.NET.GATEWAY
          Client-Ethernet-Address MAC:ADDR:OF:THE:REMOTE:CLIENT [|bootp]

Here you can see that the packet is correctly forwarded by the dhcrelay software to our main office, and AD gives a new lease to the host. We already have this solution working on other links that are not OpenVPN-based (MPLS) to distribute IPs to remote offices.

vlanXXX interface:

tcpdump -i vlanXXX -nevvv udp port 67 or 68

13:21:45.022067 MAC:ADDR:OF:THE:REMOTE:CLIENT > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 147, offset 0, flags [none], proto UDP (17), length 576) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from MAC:ADDR:OF:THE:REMOTE:CLIENT, length 548, xid 0x496364c3, secs 11407, Flags [none] (0x0000)
          Client-Ethernet-Address MAC:ADDR:OF:THE:REMOTE:CLIENT [|bootp]

We can only see the broadcast request coming from the host, but not the answer that arrived at tun0 and should be routed to vlanXXX.

Also, Remote Router is pretty permissive with this protocol:

iptables -A INPUT  -p udp --sport 67:68 --dport 67 -j ACCEPT
iptables -A OUTPUT -p udp --sport 67 --dport 67:68 -j ACCEPT
iptables -A FORWARD -p udp --sport 67:68 --dport 67 -j ACCEPT
iptables -A FORWARD -p udp --sport 67 --dport 67:68 -j ACCEPT

Am I missing something?


Get this bounty!!!
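An added example, not part of the question, that correlates the two tcpdump captures above: it parses each DHCP record, matches requests and replies by xid across interfaces, and checks whether a reply is addressed to one of the relay router's own addresses. A server answers a relayed request to the giaddr on port 67 (RFC 2131), so on the router that reply is local delivery through the INPUT chain, never the FORWARD chain; it reaches the client only when the relay daemon re-emits it on the VLAN interface. The addresses and xids in the sample are constructed stand-ins for the placeholders in the question.

```python
import re

# Constructed captures: 10.99.0.2 = router's tun0 address, 10.0.0.10 = AD DHCP server,
# 192.168.50.1 = router's vlanXXX address (the giaddr). Same shape as the question's output.
CAPTURES = {
    "tun0": """\
13:23:45.049995 Out ethertype IPv4 (0x0800), length 592: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576) 10.99.0.2.67 > 10.0.0.10.67: BOOTP/DHCP, Request from aa:bb:cc:00:11:22, length 548, hops 1, xid 0x2c896edc, secs 11527, Flags [none] (0x0000)
          Gateway-IP 192.168.50.1
          Client-Ethernet-Address aa:bb:cc:00:11:22 [|bootp]
13:23:45.145014  In ethertype IPv4 (0x0800), length 350: (tos 0x0, ttl 125, id 24829, offset 0, flags [none], proto UDP (17), length 334) 10.0.0.10.67 > 192.168.50.1.67: BOOTP/DHCP, Reply, length 306, xid 0x2c896edc, Flags [none] (0x0000)
          Your-IP 192.168.50.77
          Server-IP 10.0.0.10
          Gateway-IP 192.168.50.1
""",
    "vlanXXX": """\
13:21:45.022067 aa:bb:cc:00:11:22 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 147, offset 0, flags [none], proto UDP (17), length 576) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:11:22, length 548, xid 0x496364c3, secs 11407, Flags [none] (0x0000)
          Client-Ethernet-Address aa:bb:cc:00:11:22 [|bootp]
""",
}

PKT_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+.*?\b(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): BOOTP/DHCP, (?P<kind>Request|Reply)"
    r".*?xid (?P<xid>0x[0-9a-f]+)", re.S)
GIADDR_RE = re.compile(r"Gateway-IP (\S+)")


def split_records(capture):
    """tcpdump -vvv prints one packet as a timestamp line plus indented continuation lines."""
    recs, cur = [], []
    for line in capture.splitlines():
        if line[:1].isdigit() and cur:
            recs.append("\n".join(cur))
            cur = []
        if line.strip():
            cur.append(line)
    return recs + (["\n".join(cur)] if cur else [])


def parse_dhcp(captures):
    """captures: {iface: tcpdump text}. Returns one dict per DHCP packet seen."""
    pkts = []
    for iface, text in captures.items():
        for rec in split_records(text):
            m = PKT_RE.search(rec)
            if m:
                g = GIADDR_RE.search(rec)
                pkts.append(dict(m.groupdict(), iface=iface, giaddr=g.group(1) if g else None))
    return pkts


def trace_relay(pkts, relay_addrs):
    """Per reply xid: was it addressed to the router itself (INPUT, not FORWARD),
    what giaddr did it carry, and did the same xid reappear on another interface?"""
    out = {}
    for p in pkts:
        if p["kind"] == "Reply":
            relayed = any(q["xid"] == p["xid"] and q["iface"] != p["iface"] for q in pkts)
            out[p["xid"]] = {"delivered_locally": p["dst"] in relay_addrs,
                             "giaddr": p["giaddr"], "seen_on_other_iface": relayed}
    return out
```

With the real captures, a reply marked delivered_locally that never reappears on vlanXXX points at the relay daemon's listening interfaces or the INPUT path, not at the FORWARD rules.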

#StackBounty: #linux #networking #openvpn #iptables #raspberry-pi Using Raspberry PI as OpenVPN router for Asterisk

Bounty: 100

So, I’ve been banging my head with this for quite some time.

I have the following configuration:

  • OpenVPN server, IP 1.2.3.1
  • Asterisk server, connected to the OpenVPN server, IP 1.2.3.3
  • Raspberry Pi, local interface 192.168.0.17, connected to OpenVPN with IP 1.2.3.6
  • IP telephone in the same local network as the Raspberry Pi, local IP 192.168.0.81

Networks are configured as follows:

  • Local connection on the Raspberry Pi is eth0
  • The Raspberry Pi has an additional virtual interface eth0:1 with IP 192.168.0.91
  • OpenVPN connection on the Raspberry Pi is tun0
  • The telephone has local IP 192.168.0.81 and gateway set to 192.168.0.91 (the Raspberry Pi)

On the Raspberry Pi, iptables is as follows:

#Empty all routing tables
sudo iptables -t nat -F
sudo iptables -F

#Masquerade all traffic leaving tun0 as if coming from 1.2.3.6
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

#redirect all traffic coming from eth0:1 to tun0
sudo iptables -A FORWARD -i eth0:1 -o tun0 -j ACCEPT

#redirect all traffic coming from tun0 to eth0:1
sudo iptables -A FORWARD -i tun0 -o eth0:1 -j ACCEPT

#Modify all packets coming to tun0 to forward them to the IP telephone
sudo iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination 192.168.0.81

So, I can call and I can receive calls (I have another laptop that is connected directly to the VPN server and uses Zoiper for testing). I can call the telephone and call from the telephone, and audio from the telephone to the laptop works, but there is no incoming audio on the telephone whatsoever.

What am I doing wrong?


Get this bounty!!!