Thursday, July 12, 2007

Client HTTPS traffic with OpenVPN and redirect-gateway

Recently I set up a simple enough VPN with a gentoo/xenplanet hosted openvpn (howto) to secure my wifi traffic from public locations. The problem described here is quite trivial, but its solution wasn't found in a quick search, hence this post!

Problem: The redirect-gateway configuration option makes all client traffic route through the xenplanet box. iptables based masquerading was used to perform SNAT on traffic from openvpn clients, however HTTPS was completely broken! The initial TCP connection would go through, but as soon as the SSL connection was initialised by the client the HTTPS server would immediately close the TCP connection.

Extensive Googlin' turned up very little related to openvpn and the resolution of such an issue, although it has been mentioned a number of times in mailing list entries such as here. I changed tack and searched for NAT issues related to tunnels with iptables, striking gold here with a description of a working NAT setup with a CIPE tunnel.

So to get client HTTPS traffic working with an openvpn and redirect-gateway instead of this:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Use these instead:

iptables -t nat -A POSTROUTING -d 192.168.42.0/255.255.255.0 -j RETURN
iptables -t nat -A POSTROUTING -s 192.168.42.0/255.255.255.0 -j SNAT --to-source EXTERNAL_IP_ADDRESS

Where 192.168.42.0/255.255.255.0 is the internal address range used by openvpn and EXTERNAL_IP_ADDRESS is the address of the server's external interface. The RETURN rule must come first so that traffic between VPN clients is left alone, and the SNAT rule only rewrites traffic whose source is the VPN range. Also make sure to keep all other NAT rules, such as the one for RELATED and ESTABLISHED connections, present in your configuration!

P.S. This is with a non-bridged configuration, using TCP port 443 and TLS on the server.
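As an added example that is not part of the original post, here is a small POSIX shell audit that reads an iptables-save dump and checks whether the nat POSTROUTING chain carries the scoped RETURN and SNAT rules above (in that order) rather than a source-unrestricted MASQUERADE. The two dumps are constructed, and 203.0.113.10 is a placeholder standing in for EXTERNAL_IP_ADDRESS.

```shell
#!/bin/sh
# Added example, not from the original post: audit the nat table of an
# iptables-save dump for the two POSTROUTING rules recommended above
# and flag a MASQUERADE rule that is not restricted by source.
# The dumps below are constructed; 203.0.113.10 is a placeholder
# standing in for EXTERNAL_IP_ADDRESS.

VPN_NET="192.168.42.0/24"   # iptables-save prints subnets as prefix lengths

# Rule set matching the post's broken state: one broad MASQUERADE rule.
BROKEN_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Rule set after applying the two replacement rules.
FIXED_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 192.168.42.0/24 -j RETURN
-A POSTROUTING -s 192.168.42.0/24 -j SNAT --to-source 203.0.113.10
COMMIT'

# Emit the nat POSTROUTING rules from a dump on stdin, in evaluation order.
postrouting_rules() {
    awk '/^\*nat/ {t=1} /^COMMIT/ {t=0} t && /^-A POSTROUTING/'
}

# audit_vpn_nat SUBNET: read a dump on stdin; print "ok" and return 0 when
# (1) no MASQUERADE rule lacks a -s restriction, (2) a RETURN for -d SUBNET
# exists, and (3) an SNAT for -s SUBNET exists and comes after the RETURN.
audit_vpn_nat() {
    net="$1"; rules=$(postrouting_rules)
    if printf '%s\n' "$rules" | grep -- '-j MASQUERADE' | grep -qv -- '-s '; then
        echo "broad MASQUERADE rule present"; return 1
    fi
    ret=$(printf '%s\n' "$rules" | grep -n -- "-d $net .*-j RETURN" | head -n 1 | cut -d: -f1)
    snat=$(printf '%s\n' "$rules" | grep -n -- "-s $net .*-j SNAT" | head -n 1 | cut -d: -f1)
    [ -n "$ret" ] || { echo "missing RETURN for $net"; return 1; }
    [ -n "$snat" ] || { echo "missing SNAT for $net"; return 1; }
    [ "$ret" -lt "$snat" ] || { echo "RETURN must precede SNAT"; return 1; }
    echo "ok"
}

# audit_dump DUMP SUBNET: convenience wrapper over a dump held in a variable.
audit_dump() { printf '%s\n' "$1" | audit_vpn_nat "$2"; }

audit_dump "$BROKEN_DUMP" "$VPN_NET" || true   # prints: broad MASQUERADE rule present
audit_dump "$FIXED_DUMP" "$VPN_NET"            # prints: ok
```

On a live server the same check runs as `iptables-save | audit_vpn_nat 192.168.42.0/24`.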

2 comments:

Anonymous said...

What was the server running on? I have a similar problem but my server is W2K and my client is XP.

David Connolly said...

Hi!

The post describes OpenVPN running on Ubuntu Linux. However I imagine it applies to any Linux running an iptables firewall.

I've never run an OpenVPN server from Windows; perhaps it is possible to configure a similar type of static network address translation in Windows, but I've no experience of OpenVPN in Windows.

Best of Luck,
David