OpenVPN – Masquerade Iptable Issues

So, if you haven't been following what I've been working on: I've been building an OpenVPN setup on a Gentoo Linux firewall where remote users can connect and access files, authenticating against PAM as well as with shared keys (two-layer authentication).

Most of the how-to documentation out there talks about a few iptables rules to put in place for your tap interface (link):


IPT=/sbin/iptables
LANIFACE=eth0            # inside interface of the firewall
VPNIFACE=tap0            # interface OpenVPN creates for the clients
VPN=10.1.0.0/24          # address pool handed out to VPN clients
# accept anything arriving from the VPN, whether for the firewall or for the LAN
$IPT -A INPUT -i $VPNIFACE -j ACCEPT
$IPT -A FORWARD -i $VPNIFACE -j ACCEPT
# hide all VPN clients behind the firewall's eth0 address on the way into the LAN
$IPT -t nat -A POSTROUTING -s $VPN -o $LANIFACE -j MASQUERADE

Now this works great if only one user is coming in; I discovered the problem while doing some tests. Because we're masquerading, every VPN client reaches the internal network with the firewall's inside-interface address as its source. Again, that is fine if it's just you and no one else, but with several users the internal hosts can no longer tell the clients apart: anything keyed on the client address (per-host ACLs, logging, file-server access controls) sees one and the same address for all of them.

Currently, we have established a pool of VPN IPs in our openvpn.conf:


ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # address range handed out to OpenVPN clients

To make use of these pool addresses on the inside network, we change the masquerade to plain forwarding: drop the POSTROUTING MASQUERADE rule and accept the forwarded traffic in both directions. For this to work, IP forwarding has to be enabled on the firewall and the LAN hosts need a route back to 10.1.0.0/24 through it (automatic if the firewall is their default gateway). I also tightened the ACCEPT rules so that the source address really has to be in the VPN pool; otherwise a client could inject packets with a spoofed internal address and walk straight through the ACLs we are about to key on those addresses.


# accept traffic from the VPN only if its source really is a pool address
$IPT -A INPUT -i $VPNIFACE -s $VPN -j ACCEPT
$IPT -A FORWARD -i $VPNIFACE -s $VPN -j ACCEPT
# return path from the LAN to the clients; the MASQUERADE rule is gone
$IPT -A FORWARD -o $VPNIFACE -d $VPN -m state --state ESTABLISHED,RELATED -j ACCEPT

Now our source IP on the inside network will be one of the pool addresses, so you may need to change ACLs on your internal hosts to accept the VPN range. For example, my samba config only allowed 10.0.0.x addresses, which of course blocks the VPN clients until 10.1.0.x is allowed as well.
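To put the whole change in one place, here is an added example script (not the original post's script) that carries both rule sets side by side: the masquerading rules from the how-to and the routed rules we end up with, plus the forwarding switch. It assumes a LAN of 10.0.0.0/24 (the post only says samba allowed 10.0.0.x), uses `-m state --state ESTABLISHED,RELATED` for the return path, and adds log-then-drop rules for anything on tap0 that does not carry a pool address; run it with `IPT=echo SYSCTL=echo` to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumptions: LAN=10.0.0.0/24, the
# ESTABLISHED,RELATED return rule, and the log/drop catch-all rules.
# Dry run:  IPT=echo SYSCTL=echo ./vpnrules.sh routed
# Apply:    ./vpnrules.sh routed      (as root)

IPT="${IPT:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
LANIFACE="${LANIFACE:-eth0}"
VPNIFACE="${VPNIFACE:-tap0}"
VPN="${VPN:-10.1.0.0/24}"     # must match ifconfig-pool in openvpn.conf
LAN="${LAN:-10.0.0.0/24}"     # assumed inside network

# Variant 1: the how-to rules. Every client reaches the LAN with the
# firewall's eth0 address as source, so the LAN sees a single "user".
masq_rules() {
    $IPT -A INPUT   -i "$VPNIFACE" -j ACCEPT
    $IPT -A FORWARD -i "$VPNIFACE" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$VPN" -o "$LANIFACE" -j MASQUERADE
}

# Variant 2: routed. Clients keep their pool address, so LAN hosts can apply
# per-client ACLs and logging. Those ACLs now trust 10.1.0.x, which is why
# the -s "$VPN" match matters: a client sending packets with a forged
# 10.0.0.x source hits the catch-all drop instead of inheriting LAN trust.
routed_rules() {
    $IPT -A INPUT   -i "$VPNIFACE" -s "$VPN" -j ACCEPT
    $IPT -A FORWARD -i "$VPNIFACE" -o "$LANIFACE" -s "$VPN" -d "$LAN" -j ACCEPT
    # replies from the LAN back to the clients: no NAT, plain routing
    $IPT -A FORWARD -i "$LANIFACE" -o "$VPNIFACE" -s "$LAN" -d "$VPN" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anything else arriving on the VPN interface: log it, then drop it
    $IPT -A INPUT   -i "$VPNIFACE" -j LOG --log-prefix "vpn-bad-src: "
    $IPT -A INPUT   -i "$VPNIFACE" -j DROP
    $IPT -A FORWARD -i "$VPNIFACE" -j LOG --log-prefix "vpn-bad-fwd: "
    $IPT -A FORWARD -i "$VPNIFACE" -j DROP
}

# Packets only move between tap0 and eth0 with forwarding on. LAN hosts also
# need a route to $VPN via the firewall (free if it is their default gateway).
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Sanity check helper: print the rules a variant would load, without loading
# them. Runs in a subshell so the IPT override does not leak out.
show_rules() {            # usage: show_rules masq|routed
    ( IPT=echo
      case "$1" in
          masq)   masq_rules ;;
          routed) routed_rules ;;
          *)      echo "unknown variant: $1" >&2; exit 2 ;;
      esac )
}

case "${1:-}" in
    masq)   masq_rules ;;
    routed) enable_forwarding; routed_rules ;;
    show)   show_rules "${2:-routed}" ;;
    *)      echo "usage: $0 masq|routed|show [masq|routed]" >&2 ;;
esac
```

Running `./vpnrules.sh show routed` and checking that no line mentions MASQUERADE, and that a rule with `-o tap0 -d 10.1.0.0/24` exists, is the quickest way to confirm the switch took before connecting a second client.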