
Understanding iptables logs with openvpn

I have configured an openvpn server (Debian 10) to access a webserver on my local network, everything works as it should, but looking at the iptables log I don’t understand one thing.
This is how I set up iptables:

192.168.0.42 = Web-server ip
192.168.0.21 (Current host) = VPN Server ip
10.8.0.6 = Virtual IP address of the remote client (VPN)

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
...

# Masquerade only the VPN pool (10.8.0.0/24 per the server directive below); /8 matched far more than the pool.
-A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
COMMIT

*mangle
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
...

# Mark replies from the web server so they can be followed through the LOG rules below.
-A PREROUTING -p tcp -d 192.168.0.21 -s 192.168.0.42 -j MARK --set-mark 10

# LOG takes one --log-prefix; the second option is the syslog level (--log-level 4 = warning).
-A POSTROUTING -p tcp -j LOG --log-prefix "[iptables-post] "    --log-level 4
-A INPUT       -p tcp -j LOG --log-prefix "[iptables-input] "   --log-level 4
-A PREROUTING  -p tcp -j LOG --log-prefix "[iptables-pre] "     --log-level 4
-A OUTPUT      -p tcp -j LOG --log-prefix "[iptables-out] "     --log-level 4
-A FORWARD     -p tcp -j LOG --log-prefix "[iptables-forward] " --log-level 4
COMMIT

As a result, I tracked the marked packet (mark 10) coming from the web server to my VPN server (and back to the client), and this is how it goes through iptables:

*mangle

PREROUTING:        =>     FORWARD:           =>      POSTROUTING:
SRC=192.168.0.42          SRC=192.168.0.42           SRC=192.168.0.42
DST=192.168.0.21          DST=10.8.0.6               DST=10.8.0.6
IN =enp0s3                IN =enp0s3                 IN =
OUT=                      OUT=tun0                   OUT=tun0

I do not understand where the packet will go after the POSTROUTING chain. Because the destination address is 10.8.0.6, the server does not know where to redirect it; or does it know where to redirect a packet with destination address 10.8.0.6? If so, how does the server know this?

Similarly with the FORWARD chain: why did the destination address change from 192.168.0.21 to 10.8.0.6? Shouldn't it have been redirected to INPUT, because the destination address 192.168.0.21 is the address of the current host (the VPN server)? The last question: why does the request from the web server only go to the FORWARD chain? Shouldn't the VPN server encrypt the data before transmitting it to the client? I do not quite understand this. I have been looking for answers for a long time but still have not found one; I will be very glad if someone can help me figure it out.

This is what my routing table looks like:

Destination     Gateway        Genmask          Iface
default         192.168.0.1    0.0.0.0          enp0s3
10.8.0.0        10.8.0.2       255.255.255.0    tun0
10.8.0.2        0.0.0.0        255.255.255.255  tun0
192.168.0.0     0.0.0.0        255.255.255.0    enp0s3

OpenVPN server.conf:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.0.42 255.255.255.255"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0
tls-version-min 1.3
cipher AES-256-GCM
auth SHA256
max-clients 2
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
explicit-exit-notify 0
tcp-queue-limit 256
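An added example (not the poster's code) that works the posted log path and routing table through in Python. It parses LOG lines in the format the mangle rules above emit, groups the hops of the packet carrying mark 10 (logged as MARK=0xa), and checks each logged OUT= interface against a longest-prefix lookup over the posted routing table, which is how the kernel picks tun0 for DST=10.8.0.6 (the 10.8.0.0/24 route via 10.8.0.2). The DST change between mangle PREROUTING and FORWARD is conntrack undoing the earlier MASQUERADE in nat PREROUTING, which runs after mangle PREROUTING but before the routing decision; the encrypted copy is a new, locally generated segment from port 1194 that appears in OUTPUT, not FORWARD. The log lines are constructed to match the table above; the client's public address 203.0.113.10 and its port are assumed placeholders.

```python
"""Trace packets through the LOG chains and check them against the routing table.

Added example for the question above; it is not the original poster's code.
The sample log lines are constructed to match the path shown in the question;
the client's public address 203.0.113.10 is an assumed placeholder.
"""
import ipaddress
import re

# Routing table as posted in the question: (destination, genmask, gateway, iface).
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",         "192.168.0.1", "enp0s3"),
    ("10.8.0.0",    "255.255.255.0",   "10.8.0.2",    "tun0"),
    ("10.8.0.2",    "255.255.255.255", "0.0.0.0",     "tun0"),
    ("192.168.0.0", "255.255.255.0",   "0.0.0.0",     "enp0s3"),
]

# Log prefixes from the posted mangle rules, mapped to the chain that logged them.
CHAIN_NAMES = {
    "iptables-pre": "PREROUTING", "iptables-input": "INPUT",
    "iptables-forward": "FORWARD", "iptables-out": "OUTPUT",
    "iptables-post": "POSTROUTING",
}
LOG_RE = re.compile(r"\[(?P<prefix>iptables-[a-z]+)\]\s+(?P<fields>.*)$")

# Constructed kernel log lines (not real output): the marked reply from the
# web server on its three mangle hops, then the re-encrypted copy that the
# openvpn process sends from port 1194 as a new, locally generated segment.
SAMPLE_LOG = """\
Mar 10 12:00:01 vpn kernel: [iptables-pre] IN=enp0s3 OUT= SRC=192.168.0.42 DST=192.168.0.21 LEN=52 PROTO=TCP SPT=80 DPT=41234 ACK MARK=0xa
Mar 10 12:00:01 vpn kernel: [iptables-forward] IN=enp0s3 OUT=tun0 SRC=192.168.0.42 DST=10.8.0.6 LEN=52 PROTO=TCP SPT=80 DPT=41234 ACK MARK=0xa
Mar 10 12:00:01 vpn kernel: [iptables-post] IN= OUT=tun0 SRC=192.168.0.42 DST=10.8.0.6 LEN=52 PROTO=TCP SPT=80 DPT=41234 ACK MARK=0xa
Mar 10 12:00:01 vpn kernel: [iptables-out] IN= OUT=enp0s3 SRC=192.168.0.21 DST=203.0.113.10 LEN=1200 PROTO=TCP SPT=1194 DPT=53422 ACK
""".splitlines()


def lookup_route(dst):
    """Longest-prefix match over ROUTES, the same decision the kernel makes
    between PREROUTING and FORWARD. Returns None if nothing matches."""
    target = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw, iface in ROUTES:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if target in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        return None
    network, gw, iface = best
    return {"iface": iface, "gateway": None if gw == "0.0.0.0" else gw,
            "prefixlen": network.prefixlen}


def parse_log_line(line):
    """Split one LOG line into a dict of KEY=VALUE fields plus the logging chain.
    Bare flags such as DF/SYN/ACK are kept as True; IN= / OUT= may be empty."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return {"chain": CHAIN_NAMES.get(m.group("prefix"), m.group("prefix")), **fields}


def trace_marked(lines, mark="0xa"):
    """Collect the hops of every packet carrying the given nfmark, in logged order."""
    hops = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec.get("MARK") == mark:
            hops.append({k: rec.get(k, "") for k in ("chain", "IN", "OUT", "SRC", "DST")})
    return hops


def check_trace(hops):
    """For hops taken after the routing decision (FORWARD, POSTROUTING), compare the
    logged OUT= interface with what the routing table predicts for DST."""
    results = []
    for h in hops:
        if h["chain"] in ("FORWARD", "POSTROUTING"):
            predicted = lookup_route(h["DST"])["iface"]
            results.append({"chain": h["chain"], "dst": h["DST"], "predicted": predicted,
                            "logged": h["OUT"], "consistent": predicted == h["OUT"]})
    return results


def encrypted_leg(lines, vpn_port="1194"):
    """The packet that left on tun0 is read by the openvpn process and re-sent as a
    new TCP segment from the VPN port; that copy is locally generated, so it shows
    up in OUTPUT (without the mark), never in FORWARD."""
    found = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["chain"] == "OUTPUT" and rec.get("SPT") == vpn_port:
            found.append(rec)
    return found


if __name__ == "__main__":
    for hop in trace_marked(SAMPLE_LOG):
        print(f"{hop['chain']:<12} IN={hop['IN']:<7} OUT={hop['OUT']:<7} "
              f"SRC={hop['SRC']:<14} DST={hop['DST']}")
    for chk in check_trace(trace_marked(SAMPLE_LOG)):
        print(f"{chk['chain']}: route({chk['dst']}) -> {chk['predicted']}, "
              f"logged OUT={chk['logged']}, consistent={chk['consistent']}")
    for rec in encrypted_leg(SAMPLE_LOG):
        print(f"encrypted leg: OUTPUT OUT={rec['OUT']} SRC={rec['SRC']}:{rec['SPT']} "
              f"DST={rec['DST']}:{rec['DPT']}")
```

Run it against the real file with `journalctl -k` or `/var/log/kern.log` piped in instead of SAMPLE_LOG; any FORWARD or POSTROUTING hop whose logged OUT= differs from the predicted interface points at a policy-routing rule or a route not in the plain table.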