Hi Eric, thank you for helping me!
> > I am following this tutorial[1] to set up OpenVPN. It suggests running
> > both of the following commands:
> >
> > sudo firewall-cmd --permanent --add-masquerade
> > sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A
> > POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
>
> I tested and found that the OpenVPN tunnel works ONLY if I use the first
> command; the 2nd command has no effect.
>
> I found the reason is that --add-masquerade also adds a FORWARD rule; this
> seems broad, no?
It should be limited by the output interface.
But the add-masquerade command does not accept an interface argument,
right? I think I can narrow it by managing zones, but the command
would appear more useful to me if it had an interface argument. Still,
I don't want to masquerade any traffic except that which comes from
the OpenVPN subnet and leave everything else alone. So to me, even
limited by zone or interface, add-masquerade is unnecessarily broad, so
I am forced to consider a passthrough to tighten it up or another solution
like SNAT. I would love to see a more powerful add-masquerade command.
> > Regarding the -o eth1: I have multiple public IP addresses, each with
> > its own interface. How do I force NAT/MASQUERADE of the OpenVPN
> > subnet to the IP address (interface) of my choice? Is -o eth1 detecting
> > traffic that is already routed out interface eth1? If yes, where does
> > the routing happen? If no, can I change it to -o eth2 to get what I want? (BTW
> > OpenVPN is only listening on port 1194 on the IP address that's on eth2.)
I don't know how iptables selects which IP to use. Nor could I find any
documentation.
Hmm, it must require a PREROUTING rule or something else. Using SNAT
helps me avoid getting too convoluted.
> I was reading and found that I might be able to use SNAT, which would answer
> all my questions: no worry about MASQUERADE problems, and I can choose the
> external IP address I want. Is that correct thinking?
masquerade is typically for situations where your IP address may change.
If yours doesn't change, then regular SNAT may be better for you.
OK
> I found this works:
>
> sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
> sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 -j ACCEPT
>
> I wanted to ask:
> * Is it important to add "-o eth1" to the SNAT command? Is it OK to leave
> it out?
It's probably a good idea. Otherwise the SNAT may accidentally apply to
internal traffic.
I haven't seen a problem with that, but maybe I don't understand you.
I got on the VPN and requested a web resource from a web server running
on the same machine, and the IP was reflected as that of the VPN. Can
you help sketch the details of the potential problem you mention?
> * Is the FORWARD rule too broad; are there risks? Should I add any of
> the following, or are they redundant?
> -s 10.8.0.0/24
> -o eth1
> -m state --state NEW
I think it would be fine to add these. The risk depends on your network
setup.
In general, is there any performance impact from adding more rules that
ultimately make no difference to the result? Or is it so insignificant
that adding more specificity is worthwhile to ensure no unwanted side
effects from rules that are too loose?
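As an added example (not part of the thread, and not the tutorial's or firewalld's own code), the following POSIX shell script assembles the tightened variant of the rule set discussed above: the SNAT limited by both the VPN source subnet and the output interface, and a FORWARD pair that admits only new connections entering on tun0 bound for eth1 plus their conntrack-tracked replies. The interface names tun0 and eth1 and the address 203.0.113.10 (standing in for x.x.x.x) are assumptions for illustration. It also switches on net.ipv4.ip_forward, which a zone-level --add-masquerade would have done implicitly and which direct rules alone do not.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the firewalld direct
# rules that narrow the SNAT + FORWARD setup discussed above. Interface
# names and the public address are assumptions; adjust them for a real host.

VPN_NET="10.8.0.0/24"     # OpenVPN client subnet (from the thread)
TUN_IF="tun0"             # OpenVPN tunnel interface (from the thread)
WAN_IF="eth1"             # assumed: interface that owns the chosen public IP
WAN_IP="203.0.113.10"     # assumed: documentation address standing in for x.x.x.x

# SNAT, pinned to one output interface. Without "-o $WAN_IF" the rule also
# rewrites VPN traffic routed out any other interface (a LAN, another public
# interface), so those peers would see $WAN_IP instead of 10.8.0.x.
# MASQUERADE would pick whatever address sits on the interface chosen by the
# routing decision; SNAT --to-source names the address explicitly.
snat_rule() {
    printf '%s\n' "--direct --passthrough ipv4 -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# FORWARD, new connections only: VPN subnet, entering on tun0, leaving on eth1.
forward_new_rule() {
    printf '%s\n' "--direct --passthrough ipv4 -t filter -I FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -m conntrack --ctstate NEW -j ACCEPT"
}

# FORWARD, replies: only the return half of connections conntrack already saw.
forward_reply_rule() {
    printf '%s\n' "--direct --passthrough ipv4 -t filter -I FORWARD -i $WAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Render the full command sequence. Each rule is issued twice: once into the
# runtime set (effective immediately) and once with --permanent (kept across
# reloads). Direct rules do not enable IP forwarding the way a zone's
# --add-masquerade does, so ip_forward is set explicitly first.
render_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    for r in "$(snat_rule)" "$(forward_new_rule)" "$(forward_reply_rule)"; do
        echo "firewall-cmd $r"
        echo "firewall-cmd --permanent $r"
    done
}

# Dry run: print the commands for review. To apply as root, pipe the output
# into a shell, e.g.  sh vpn-nat.sh | sudo sh
render_commands
```

The dry run prints seven commands; review them, then pipe into a root shell to apply. Verify afterwards with `iptables -t nat -L POSTROUTING -n -v` and `iptables -L FORWARD -n -v`, and confirm from a VPN client that traffic to the Internet shows the eth1 address while traffic to the server itself or to other local interfaces still arrives from 10.8.0.x.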