There are times when you might like to use the Lighthouse VPN (lhvpn) tunnel as a path for services such as RADIUS or TACACS+ authentication, a syslog destination, and so on. This is especially useful when the LTE interface of your Opengear node has no route to your internal servers.
The example below forwards syslog messages from a node, via Lighthouse, to a syslog server.
1. Log in to the Lighthouse CLI as root, or as a Lighthouse Administrator user, and run:
sudo -i
2. Create a firewall-post script directory:
mkdir -p /etc/config/scripts
3. Create a firewall script:
vim /etc/config/scripts/firewall-post
4. Add the following, changing addresses, services, protocol and port numbers to suit your environment:
#!/bin/bash
# Internal syslog server and the port/protocol it listens on
SYSLOG_IP=192.168.254.30
SYSLOG_PORT=514
SYSLOG_PROTOCOL=udp
# Lighthouse's own address on net1; forwarded packets are sourced from it
LH_IP=192.168.123.201
# Rewrite the destination of syslog traffic arriving over lhvpn (tun+) to the real server
iptables -A PREROUTING -t nat -i tun+ -p ${SYSLOG_PROTOCOL} --dport ${SYSLOG_PORT} -j DNAT --to ${SYSLOG_IP}:${SYSLOG_PORT}
# Allow only that service to be forwarded from the tunnel out net1 to the server (inserted first so a default DROP cannot shadow it)
iptables -I FORWARD 1 -i tun+ -o net1 -p ${SYSLOG_PROTOCOL} --dport ${SYSLOG_PORT} -d ${SYSLOG_IP} -j ACCEPT
# Source-NAT traffic leaving net1 so the server sees Lighthouse as the sender
iptables -A POSTROUTING -t nat -o net1 -j SNAT --to ${LH_IP}
5. Save the file and then run:
chmod +x /etc/config/scripts/firewall-post
6. Force a rerun of the firewall by running:
configurator_firewall --force
7. Verify that the firewall rules are inserted by running:
iptables -t nat -vnL
You should see output similar to the following:
Chain PREROUTING (policy ACCEPT 820 packets, 147K bytes)
pkts bytes target prot opt in out source destination
11 1607 DNAT udp -- tun+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 to:192.168.1.113:514
Chain INPUT (policy ACCEPT 44 packets, 2310 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 144 packets, 8238 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 136 packets, 7072 bytes)
pkts bytes target prot opt in out source destination
19 2773 SNAT all -- * net1 0.0.0.0/0 0.0.0.0/0 to:192.168.1.186
8. Configure the Opengear node to use Lighthouse as its syslog server. From the CLI of the Opengear node run:
config -s config.syslog.loglevel=debug
config -s config.syslog.repeat=on
config -s config.syslog.servers.server1.address=192.168.128.1
config -s config.syslog.servers.server1.loglevel=debug
config -s config.syslog.servers.server1.port=514
config -s config.syslog.servers.server1.protocol=udp
config -s config.syslog.servers.total=1
config -r systemlog
The example below forwards authentication requests to a RADIUS server.
Replace Step 4 with the script below, changing addresses, services, protocol and port numbers to suit your environment, then proceed with steps 5 to 7.
#!/bin/bash
# Internal RADIUS server; 1812/udp is the standard authentication port
RADIUS_IP=192.168.254.30
RADIUS_PORT=1812
RADIUS_PROTOCOL=udp
# Lighthouse's own address on net1, used as the SNAT source
LH_IP=192.168.123.201
# DNAT tunnel traffic for the RADIUS port to the real server, permit the forward, then SNAT out net1
iptables -A PREROUTING -t nat -i tun+ -p ${RADIUS_PROTOCOL} --dport ${RADIUS_PORT} -j DNAT --to ${RADIUS_IP}:${RADIUS_PORT}
iptables -I FORWARD 1 -i tun+ -o net1 -p ${RADIUS_PROTOCOL} --dport ${RADIUS_PORT} -d ${RADIUS_IP} -j ACCEPT
iptables -A POSTROUTING -t nat -o net1 -j SNAT --to ${LH_IP}
Step 8. Configure the Opengear node to use Lighthouse IP 192.168.128.1 as its RADIUS server.
The example below forwards authentication requests to a TACACS+ server.
Replace Step 4 with the script below, changing addresses, services, protocol and port numbers to suit your environment, then proceed with steps 5 to 7.
#!/bin/bash
# Internal TACACS+ server; 49/tcp is the standard port
TACACS_IP=192.168.254.30
TACACS_PORT=49
TACACS_PROTOCOL=tcp
# Lighthouse's own address on net1, used as the SNAT source
LH_IP=192.168.123.201
# DNAT tunnel traffic for the TACACS+ port to the real server, permit the forward, then SNAT out net1
iptables -A PREROUTING -t nat -i tun+ -p ${TACACS_PROTOCOL} --dport ${TACACS_PORT} -j DNAT --to ${TACACS_IP}:${TACACS_PORT}
iptables -I FORWARD 1 -i tun+ -o net1 -p ${TACACS_PROTOCOL} --dport ${TACACS_PORT} -d ${TACACS_IP} -j ACCEPT
iptables -A POSTROUTING -t nat -o net1 -j SNAT --to ${LH_IP}
Step 8. Configure the Opengear node to use Lighthouse IP 192.168.128.1 as its TACACS+ server.
From the remote authentication server's point of view, all node authentication will appear to come from the Lighthouse server IP. Register that Lighthouse address (LH_IP above) as the RADIUS or TACACS+ client on the authentication server; client entries keyed on the individual node addresses will not match.
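As an added example (not part of this article and not an Opengear-supplied script), the three per-service scripts above can be collapsed into one firewall-post hook that reads a small service table and emits the DNAT, FORWARD and SNAT rules for each entry. It assumes the same interface names as the article (tun+ for lhvpn, net1 for the LAN); every address in it is a constructed sample. Two things differ from the article's scripts and are assumptions of this example: the SNAT rule is scoped to the forwarded service rather than to all traffic leaving net1, and the rules are only applied when the file runs under its installed name (firewall-post), so copying or sourcing it elsewhere does not touch iptables. The check_rules function covers step 7 by testing a saved `iptables -t nat -vnL` listing for the expected entries.

```shell
#!/bin/bash
# Added example, not Opengear's script: one firewall-post hook that forwards a
# table of services over lhvpn. Assumes tun+ is the VPN interface and net1 the
# LAN interface (as in the article); all addresses below are constructed samples.
set -eu

IPTABLES="${IPTABLES:-iptables}"        # set to "echo iptables" for a dry run
LH_IP="${LH_IP:-192.168.123.201}"       # Lighthouse address on net1 (SNAT source)
VPN_IF="tun+"
LAN_IF="net1"

# Service table: name protocol port server (constructed sample values)
SERVICES="
syslog udp 514 192.168.254.30
radius udp 1812 192.168.254.30
tacacs tcp 49 192.168.254.30
"

# Print the three rules for one service, one iptables argument list per line.
service_rules() {
    proto=$1; port=$2; server=$3
    # Rewrite the destination of tunnel traffic for this port to the real server
    printf '%s\n' "-t nat -A PREROUTING -i $VPN_IF -p $proto --dport $port -j DNAT --to-destination $server:$port"
    # Permit only this service from the tunnel out to that server (inserted first
    # so a later default DROP in FORWARD cannot shadow it)
    printf '%s\n' "-I FORWARD 1 -i $VPN_IF -o $LAN_IF -p $proto -d $server --dport $port -j ACCEPT"
    # Source-NAT just the forwarded flow to Lighthouse's net1 address; the article's
    # rule SNATs everything leaving net1, this one is scoped to the service
    printf '%s\n' "-t nat -A POSTROUTING -o $LAN_IF -p $proto -d $server --dport $port -j SNAT --to-source $LH_IP"
}

# Total number of rules the table would produce (sanity check before applying)
rule_count() {
    n=0
    while read -r name proto port server; do
        [ -n "$name" ] || continue
        n=$((n + $(service_rules "$proto" "$port" "$server" | wc -l)))
    done <<EOF
$SERVICES
EOF
    echo "$n"
}

# Apply every rule in the table through $IPTABLES; set -e aborts on the first failure
apply_rules() {
    while read -r name proto port server; do
        [ -n "$name" ] || continue
        service_rules "$proto" "$port" "$server" | while read -r rule; do
            # shellcheck disable=SC2086  # splitting the rule string into words is intended
            $IPTABLES $rule
        done
    done <<EOF
$SERVICES
EOF
}

# Step 7 check: read a saved "iptables -t nat -vnL" listing on stdin and return 0
# only if both the DNAT entry for server:port and the SNAT entry to LH_IP are present
check_rules() {
    server=$1; port=$2
    listing=$(cat)
    printf '%s\n' "$listing" | grep DNAT | grep -Fq -- "to:$server:$port" || return 1
    printf '%s\n' "$listing" | grep SNAT | grep -Fq -- "to:$LH_IP" || return 1
}

# Constructed listing in the shape of the article's step 7 output, for check_rules
SAMPLE_LISTING="Chain PREROUTING (policy ACCEPT 820 packets, 147K bytes)
 pkts bytes target prot opt in   out  source    destination
   11  1607 DNAT   udp  --  tun+ *    0.0.0.0/0 0.0.0.0/0      udp dpt:514 to:192.168.254.30:514
Chain POSTROUTING (policy ACCEPT 136 packets, 7072 bytes)
 pkts bytes target prot opt in   out  source    destination
   19  2773 SNAT   udp  --  *    net1 0.0.0.0/0 192.168.254.30 udp dpt:514 to:192.168.123.201"

# Apply only when running as the installed hook (/etc/config/scripts/firewall-post);
# under any other file name the script just defines the functions
case "${0##*/}" in
    firewall-post) apply_rules ;;
esac
```

To preview the rules without changing anything, run the installed hook with the iptables command replaced: `IPTABLES="echo iptables" /etc/config/scripts/firewall-post`. After `configurator_firewall --force`, `iptables -t nat -vnL | check_rules 192.168.254.30 514` (with the script sourced) returns 0 only when both the DNAT and SNAT entries for that service are in place.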