Hi all,

I'm transitioning to QEMU from VirtualBox and have so far migrated one machine (Home Assistant OS [Linux] guest). It's been working OK, but there's one issue I can't solve: when I connect to the host (OpenVPN server) via VPN from an external network, the guest cannot reply to me ("connection reset by peer").

Inside the LAN, everything works fine (the guest can see and reply to requests), and the guest can also access the web; it just doesn't see the 10.8.0.0/16 network that the VPN TUN uses. From VirtualBox, it also saw the VPN net (I set up a VirtualBox "bridge" and let it do the magic automatically), but here it does not.

I guess I'm missing a route or forward rule?

Thanks,

May

--
Some further details:

QEMU/VPN/VirtualBox HOST IP: 192.168.99.20
QEMU guest static IP: 192.168.99.19
OPENVPN net: 10.8.0.0/24

Guest has a guest-specific network (no QEMU "default"):
  iface type: bridge, source bridge: br0, target dev: vnet2, model: virtio
  physical device enp1s0 is enslaved to the br0 bridge
  openvpn creates the tun0 network

root@R3:~# nmcli connection show
NAME    UUID                                  TYPE      DEVICE
br0     c66d9827-b2f3-4ab3-bfdd-6d1e5ffe383e  bridge    br0
10G-BR  08aa8e2b-df95-408d-aeb2-a7f2b04ebf23  ethernet  enp1s0
lo      e886dbf1-d7fd-4af3-a796-3e03a905db70  loopback  lo
tun0    52629a83-8049-4f8e-992b-2a720abbf857  tun       tun0
vnet2   cc718301-2dc7-4691-afb4-dcc4f6e6e317  tun       vnet2

root@R3:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 04:92:26:d1:21:4a brd ff:ff:ff:ff:ff:ff
3: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 74:fe:ce:ea:d6:dc brd ff:ff:ff:ff:ff:ff
13: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ea:6e:5b:0a:b2:ff brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.20/24 brd 192.168.99.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 2a00:ee2:1205:fc00:6e3:89aa:7e1d:f181/64 scope global temporary dynamic
       valid_lft 889sec preferred_lft 889sec
    inet6 2a00:ee2:1205:fc00:210f:23c8:b78a:3007/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 889sec preferred_lft 889sec
    inet6 fe80::cfb8:a019:63af:9832/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
16: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:72:34:28 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe72:3428/64 scope link
       valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.8.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ae8f:b2f9:8f98:a495/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

root@R3:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    425    0        0 br0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.99.0    0.0.0.0         255.255.255.0   U     425    0        0 br0


And finally, some firewall rules on the host to make both LAN and WAN accessible via VPN:

root@R3:~# iptables -A FORWARD -o br0 -i tun0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
root@R3:~# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@R3:~# iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
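The routing table and the three iptables rules above can be walked by hand to see which direction each rule handles. The following is an added example, not code from the post, from QEMU or from OpenVPN: a small Python model of the host's forwarding path (longest-prefix route lookup, the FORWARD chain in order, then POSTROUTING MASQUERADE) fed with the addresses and rules from the post. Everything about the guest side is assumed, since the post does not show it: the guest is given only a default route via a LAN router at the placeholder address 192.168.99.1 on an interface named eth0. The FORWARD chain's default policy is likewise not shown, so it is a parameter.

```python
import ipaddress

# Host routing table, transcribed from the "route" output in the post:
# (prefix, outgoing interface, gateway or None when the prefix is on-link).
HOST_ROUTES = [
    ("0.0.0.0/0", "br0", "_gateway"),
    ("10.8.0.0/24", "tun0", None),
    ("192.168.99.0/24", "br0", None),
]

# Guest routing table: ASSUMED, the post does not show it. The LAN router
# address 192.168.99.1 and the interface name eth0 are placeholders.
GUEST_ROUTES = [
    ("0.0.0.0/0", "eth0", "192.168.99.1"),
    ("192.168.99.0/24", "eth0", None),
]

HOST_BR0_ADDR = "192.168.99.20"  # host address on br0 (from the post)

# FORWARD chain, transcribed in order from the iptables commands in the post.
# None means the rule does not match on that field.
FORWARD_RULES = [
    {"in": "tun0", "out": "br0", "src": "10.8.0.0/24",
     "ctstate": {"NEW"}, "target": "ACCEPT"},
    {"in": None, "out": None, "src": None,
     "ctstate": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
]

# nat POSTROUTING: -o br0 -j MASQUERADE
MASQUERADE_OUT_IFACES = {"br0"}


def lookup_route(dst, routes):
    """Longest-prefix match, as the kernel FIB does. Returns (prefix, iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, iface, gw), net.prefixlen
    return best


def forward_verdict(src, in_if, out_if, ctstate, policy):
    """Walk the FORWARD chain top to bottom; the first matching rule decides,
    otherwise the chain policy applies."""
    src_addr = ipaddress.ip_address(src)
    for rule in FORWARD_RULES:
        if rule["in"] is not None and rule["in"] != in_if:
            continue
        if rule["out"] is not None and rule["out"] != out_if:
            continue
        if rule["src"] is not None and src_addr not in ipaddress.ip_network(rule["src"]):
            continue
        if ctstate not in rule["ctstate"]:
            continue
        return rule["target"]
    return policy


def host_forward(src, dst, in_if, ctstate, policy="DROP"):
    """One packet through the host: route lookup, FORWARD chain, then POSTROUTING
    MASQUERADE. src/dst are the addresses after any reverse NAT done in
    PREROUTING, so a guest reply is modelled with its real VPN-client destination.
    The chain policy is a parameter because the post does not show it."""
    _, out_if, _ = lookup_route(dst, HOST_ROUTES)
    verdict = forward_verdict(src, in_if, out_if, ctstate, policy)
    if verdict != "ACCEPT":
        return {"verdict": verdict, "out_if": out_if, "src_on_wire": None}
    src_on_wire = HOST_BR0_ADDR if out_if in MASQUERADE_OUT_IFACES else src
    return {"verdict": "ACCEPT", "out_if": out_if, "src_on_wire": src_on_wire}


def guest_reply_next_hop(reply_dst, guest_routes=GUEST_ROUTES):
    """Next hop the guest picks for its reply: the route's gateway, or the
    destination itself when the prefix is on-link."""
    _, _, gw = lookup_route(reply_dst, guest_routes)
    return gw if gw is not None else reply_dst


if __name__ == "__main__":
    # VPN client 10.8.0.5 (constructed address) opens a connection to the guest.
    inbound = host_forward("10.8.0.5", "192.168.99.19", "tun0", "NEW")
    print("client -> guest:", inbound)
    print("guest replies to", inbound["src_on_wire"], "via",
          guest_reply_next_hop(inbound["src_on_wire"]))
    # Without masquerading the reply would leave via the assumed LAN router.
    print("unmasqueraded reply to 10.8.0.5 goes via", guest_reply_next_hop("10.8.0.5"))
    # A client outside 10.8.0.0/24 does not match the explicit NEW rule.
    print("client 10.8.1.5 -> guest:", host_forward("10.8.1.5", "192.168.99.19", "tun0", "NEW"))
```

Two things the model makes visible. First, with the MASQUERADE rule the guest sees the connection as coming from 192.168.99.20, which is on-link, so its reply never depends on the guest knowing a route to 10.8.0.0/24; without that rule the reply goes to whatever the guest's default gateway is, and the host only receives it if the guest has an explicit route for 10.8.0.0/24 via 192.168.99.20. Second, the first FORWARD rule only matches sources inside 10.8.0.0/24; a client address outside that prefix falls through to the chain policy. One caveat the model does not cover: when the br_netfilter module is loaded (libvirt setups often load it), frames switched by br0 also traverse the iptables FORWARD chain, so the same rules and policy apply to bridged traffic, not just to routed traffic.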
