by wintpe » Feb 20th, '15, 18:47
I'm not 100% sure I've understood your requirements, so I'm going to have to guess; apologies if I've got it wrong.
You have a host that's acting as a gateway and VPN server.
It has two NICs, one for the VPN to come into (external), and one that the webserver is connected to (DMZ or internal),
and a host that is using the VPN to connect into 192.168.1.50 can't reach the webserver hanging off the internal interface.
If this is the case (and the reason I think it is is that I'm using exactly the same setup for my mail server),
then adding iptables masquerading to the server with two interfaces, on the VPN's incoming interface,
means that packets originating from a PC on the other end of the VPN will look like they are coming from the dual-homed host, and
will eliminate multihop routing to and from the webserver.
And as masquerading keeps connection tracking, the packets will get rewritten on the way back.
It's the simplest way to implement a VPN from, say, a 3G connection back home through your ADSL, through your firewall into a VPN host, and gain access to your internal systems, without having a route defined for each destination back via the multihomed host for packets destined for the workstation out on 3G/public wireless access.
I'll attempt a horrible diagram; it may not be 100% accurate, but it's the only way I can describe it.
The bit in bold is the VPN tunnel:
web browser -->> into tun0 (10.0.0.8) >>> 3G/wireless -> out through internet through your ISP into ADSL --> into firewall --->>> into VPN server ---> tun0 packet exits tun0, heads off to destination -->> internal network -->> webserver ---> reaches destination
Webserver tries to return packet to 10.0.0.8 but can't find a route back, so hangs.
Add route back through multihomed host, then on multihomed host add a route back on tun0.
or
If packet gets rewritten on multihomed host through masquerading, then when it arrives at webserver, webserver returns to multihomed host, which it already knows as they are on the same network.
When the packet hits network stack and ipfilter it's matched against masquerading's tracking table and sent back through tun0 to original host.
Regards, Peter
Red Hat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy; however it's really not my intention to offend, so accept my apologies in advance.
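The masquerading setup described in the post, as an added example (not the poster's own commands). Interface names (tun0, eth1), the VPN client subnet 10.0.0.0/24 and the webserver address 192.168.1.50 are assumptions; the MASQUERADE rule goes on POSTROUTING for traffic leaving toward the internal interface, since the kernel rewrites the source on egress, and conntrack reverses it for the replies. With DRY_RUN=1 (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed (hypothetical) values:
#   VPN_IF    = tun0, the VPN tunnel interface (clients in 10.0.0.0/24; the post used 10.0.0.8)
#   INT_IF    = eth1, the internal/DMZ interface facing the webserver
#   WEBSERVER = 192.168.1.50, the address mentioned in the thread
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.0.0.0/24}
INT_IF=${INT_IF:-eth1}
WEBSERVER=${WEBSERVER:-192.168.1.50}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

masq_rules() {
    # 1. The dual-homed host must forward between its two interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Default-deny forwarding, then allow only VPN clients to the webserver
    #    on 80/443, and only conntrack-known return traffic the other way.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$VPN_IF" -o "$INT_IF" -s "$VPN_NET" -d "$WEBSERVER" \
        -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Rewrite the source of VPN packets leaving toward the internal network so
    #    the webserver replies to this host; conntrack un-rewrites the reply to tun0.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$INT_IF" -j MASQUERADE
}

masq_rules
```

Run with DRY_RUN=0 as root to apply the rules; afterwards `conntrack -L` (or /proc/net/nf_conntrack) shows the tracked VPN-to-webserver flows that the reverse rewrite relies on.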