
I have set up 2 VPN servers in 2 different locations (A running strongSwan as server and OpenVPN as client; B running OpenVPN as server), and A and B are linked via OpenVPN. What I want to do is make A route all client traffic to ports 443 and 80 through the OpenVPN tunnel established between A and B.

I have added a routing table which will route all marked traffic (-t mangle PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x2/0xffffffff) to the OpenVPN tunnel.

I can see the marked traffic is successfully routed to the tunnel using tcpdump (tcpdump -i tun0) but there is only outgoing traffic and no incoming traffic.

Hope someone can help me with this. Thank you!

JIA

1 Answer

The problem here is that although clients of A (let's call them X, Y, Z) can route to B via your VPN link, there is no route from B back to clients X, Y, Z.

Without specifics it's tricky to provide an exact solution. Consider this example, though:

  1. Your clients are in subnet 192.168.1.0/24
  2. Server A has its end of the OpenVPN link as 192.168.2.1
  3. Server B has its end of the OpenVPN link as 192.168.2.2

On B you need to add a route to 192.168.1.0/24 via A:

route add -net 192.168.1.0/24 gw 192.168.2.1

Chris Davies
  • I added a route back to the client IP. Now I can see incoming traffic, but the data length in both directions is zero. Why? – JIA May 25 '15 at 06:31
  • @Benson what do you mean by "data length"? – Chris Davies May 25 '15 at 07:38
  • It's something like this: ack 7802, win 63136, length 0. I've got this far: the client can connect to strongSwan running on A, and the OpenVPN client on A also successfully established a tunnel with B via OpenVPN. Local traffic originating from A is able to go through the tunnel. But I'm stuck at routing the VPN clients' web traffic through the OpenVPN tunnel to the internet. Please suggest a solution. – JIA May 25 '15 at 13:49
  • @Benson you need to add appropriate default routes. – Chris Davies May 26 '15 at 20:20
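As an added example (not part of the original question, the answer, or any strongSwan/OpenVPN project code), the following POSIX shell script generates the commands for both ends of the link: on A, the fwmark rule and policy-routing table the question describes; on B, the return route from the answer plus the NAT that lets Internet replies find their way back to B and then through the tunnel. The addresses are the answer's example values; the interface names tun0 and eth0, the routing table number 2, and scoping the mark rule with -s to the client subnet are assumptions. By default it only prints the commands it would run; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed topology:
#   clients 192.168.1.0/24 behind A; tunnel A=192.168.2.1, B=192.168.2.2
#   tunnel interface tun0 on both ends; B's Internet-facing interface eth0
CLIENT_NET="192.168.1.0/24"
TUN_IF="tun0"
A_TUN_IP="192.168.2.1"
B_TUN_IP="192.168.2.2"
B_WAN_IF="eth0"
MARK="0x2"
TABLE="2"      # assumed policy-routing table number

# Print each command; execute it only when APPLY=1 (needs root).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# Server A: mark client web traffic and steer it into the tunnel
# via a dedicated routing table (what the question sets up).
configure_a() {
    for port in 80 443; do
        run iptables -t mangle -A PREROUTING -s "$CLIENT_NET" -p tcp --dport "$port" \
            -j MARK --set-xmark "$MARK/0xffffffff"
    done
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$B_TUN_IP" dev "$TUN_IF" table "$TABLE"
    run sysctl -w net.ipv4.ip_forward=1
}

# Server B: the return route from the answer, plus masquerading so that
# replies from the Internet are addressed to B and can be forwarded back
# through tun0. Without the route, strict reverse-path filtering (rp_filter)
# would also drop client packets arriving on tun0, so it is added first.
configure_b() {
    run ip route add "$CLIENT_NET" via "$A_TUN_IP" dev "$TUN_IF"
    run iptables -t nat -A POSTROUTING -s "$CLIENT_NET" -o "$B_WAN_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    a) configure_a ;;
    b) configure_b ;;
    *) echo "usage: $0 a|b   (set APPLY=1 to execute)" ;;
esac
```

Run it as `sh script.sh a` on A and `sh script.sh b` on B to review the commands, then with `APPLY=1` to apply them. A quick check after applying on B is `ip route get 192.168.1.10`, which should show the path via 192.168.2.1 on tun0; if it still points at eth0, return traffic will leave B by the wrong interface and the symptom from the question (outgoing packets on tun0, nothing coming back) persists.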