Nat Openvpn-Clients through a linux machine

Some essential steps to get openvpn-roadwarrior-clients to use the openvpn-server as a default gateway for internet access (using centos):

set ip_forward to 1 on the server to enable traffic forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

poke some holes and paths into iptables:
(assuming your openvpn-server is bound to 10.8.0.0 and eth0 is your server´s inet-interface)
(make sure your openvpn uses network adresses no one other uses otherwise you get routing problems when your clients are in a wlan that uses the same ip´s as your tunnel)

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

make those iptables rules survive reboot:
put rules in

rc.local

make dns requests beeing answered by your server to the clients: install dnsmasq
put openvpn ip in dnsmasq config as listening interface

modify openvpn.conf (forget server.conf) on the server, add the following if not yet present:
(the following assumes you got a working server-conf already! push-command will modify clients routing tables)

#assign ip and port to server
server 10.8.0.0 255.255.255.0
port 1234
#ping clients to avoid tunnel breakdowns which would lead to traffic changing ip all of a sudden
keepalive 10 120
#not sure which one of those two is effecitve, so left both
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
#make clients use dnsmasq 
push "dhcp-option DNS 10.8.0.1"
#make clients use vpn-server as network gateway; this avoids the need to fidle with your clients routing tables, if redirect-gateway didnt do what it should
push "route 10.8.0.0 255.255.255.0"
#add the following if your clients should be able to reach each other
client-to-client
#following are disabled, many suggest some of them, dont know if really useful
#tun-mtu 1492
#fragment 1300
#mssfix
#adjust following to your needs - a lot is logged in /var/log/messages anyway
status /var/log/openvpn.log
verb 4

simple client config for openvpn (windows) or tunnelblick (mac) suffices:

#never tcp, tcp over tcp is bullshit
proto udp 
dev tap 
ns-cert-type server
tls-client
client
mssfix
remote <ip of server> <port of server>
ca <path/file>
cert <path/file>
key <path/file>

if using android as a client (cyanogenmod got openvpn built in) be sure to convert your keys to a p12 file by converting and renaming to .p12, for win i.e.:
(first import certificate into certmgr then export then rename to .p12)
http://www.abtevrythng.com/2010/06/adding-cer-certificates-on-your-android.html
or this in linux
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name client -out certs.p12
http://forum.xda-developers.com/showthread.php?t=1061946&page=1173
my cyanogenmod 7.1 need a “modprobe tun” to make openvpn work (even when using tap), so be sure to make that on boot:
http://wiki.cyanogenmod.com/wiki/OpenVPN

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s