How to fix routing problems with OpenVPN and DMZs

December 13, 2011

Using OpenVPN to connect different DMZs can cause trouble when the OpenVPN server is located in the same DMZ as the web server: IP packets are sent directly, not via the default gateway. As a result, the web server does not know about the VPN client network and the reply packets are blocked by the iptables based firewall. This is how you can fix this problem:

Your network setup

We have different DMZ networks separated by an iptables based firewall:

We configured an OpenVPN server running on CentOS 5.7 for our VPN clients. The VPN server works as a normal router – we don’t use NAT/masquerading. The VPN clients can access a web server located in the same DMZ as the OpenVPN server.

Problem with OpenVPN

Because the OpenVPN server is located in the same DMZ as the web server, IP packets are sent out directly, not via the default gateway (the firewall):

Since the web server does not know about the VPN client network, it sends its answer through the firewall. These answer packets are blocked by the iptables based firewall, because they do not belong to a connection the firewall has seen.

Solution

Configure source-based routing (policy routing) on the OpenVPN server, so that all packets from the VPN clients are routed through the firewall.

Configuration of the VPN server

Info:

  • only one ethernet interface (eth0)
  • Default GW (firewall): 192.168.244.1
  • VPN net for the VPN clients: 10.0.0.0/16

/etc/sysctl.conf

/etc/iproute2/rt_tables

/etc/sysconfig/network-scripts/route-eth0

/etc/sysconfig/network-scripts/rule-eth0

Finally, restart the network:

To verify the setup, check your firewall log for incoming packets from the VPN clients to the web server.
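As an added example (not from the original post), the script below writes the four CentOS configuration files listed above, filled in with the values from the Info section, and shows how to inspect the resulting rule and table; the routing table number 100 and name "vpn", the scratch output directory and the ip_forward sysctl are my assumptions.

```shell
#!/bin/sh
# Added example: policy routing for the OpenVPN server described in the post.
# Values from the post: eth0, default gateway 192.168.244.1, VPN net 10.0.0.0/16.
# Assumed: extra routing table 100 named "vpn", output directory for a dry run.
IFACE=eth0
GW=192.168.244.1
VPN_NET=10.0.0.0/16
TABLE_ID=100
TABLE=vpn

# Write the four files into $1 (default: a scratch directory, never /etc),
# so the script can be reviewed before the files are copied into place.
write_policy_routing() {
  dir=${1:-./policy-routing-example}
  mkdir -p "$dir"
  # /etc/iproute2/rt_tables: give the extra table a name
  printf '%s %s\n' "$TABLE_ID" "$TABLE" > "$dir/rt_tables"
  # /etc/sysconfig/network-scripts/route-eth0: the only route in that table
  # is a default route via the firewall, so nothing is delivered directly
  printf 'default via %s dev %s table %s\n' "$GW" "$IFACE" "$TABLE" \
    > "$dir/route-$IFACE"
  # /etc/sysconfig/network-scripts/rule-eth0: forwarded packets whose source
  # is a VPN client consult that table before the main table
  printf 'from %s table %s\n' "$VPN_NET" "$TABLE" > "$dir/rule-$IFACE"
  # /etc/sysctl.conf: the VPN server forwards packets, so enable forwarding
  printf 'net.ipv4.ip_forward = 1\n' > "$dir/sysctl.conf"
}

# After "service network restart": the rule must list the VPN net and the
# table must contain only the default route via the firewall.
show_policy_routing() {
  ip rule show | grep "from $VPN_NET"
  ip route show table "$TABLE"
}

if [ $# -gt 0 ]; then
  write_policy_routing "$1"
fi
```

Copy the generated files to the paths named in their comments, restart the network, then run show_policy_routing to confirm the rule and the table are active.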
