Linux router

This page describes how to use a computer running a Linux operating system as a router.

You can of course use a custom router within our network. To get a fully working setup, we provide some additional hints here on how to configure your Linux router.

Within our network it is possible to use your own local subnet. You should use the private address space 172.16.0.0/24, which covers the addresses 172.16.0.0 to 172.16.0.255. All other private networks might be used by our servers and other internal networks and must not be used!

The router has to establish a VPN connection to the VPN gateway. For all clients located behind it, masquerading must be performed twice, once for each outbound interface:

iptables -t nat -A POSTROUTING -o ppp0 -s 172.16.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j MASQUERADE

The ppp0 device is the VPN dial-up connection; eth0 is the external device connected to the 10.2.0.0/16 network, with an IP address from that range.

Connection errors to some servers are caused by badly configured third-party firewalls on which Path MTU Discovery does not work. Because the MTU of a VPN connection is smaller than 1500 bytes, accessing such servers can fail. The same problem exists for DSL connections using PPPoE.

This can be fixed by one of the following:

  • lowering the MTU of all clients behind the router, for example to 1400
  • using a proxy server for HTTP traffic
  • changing the MTU/MSS on your own router

The last option (clamping the MSS on the router) can be achieved with an iptables rule:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
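As an added example that is not part of the original documentation, the following script combines the two masquerading rules and the MSS clamp from above with a restrictive FORWARD policy, so that only the local subnet can leave through the router. It assumes the LAN-facing interface is eth1 (override with LAN_IF) and supports DRY_RUN=1 to print the iptables commands instead of executing them.

```shell
#!/bin/sh
# Example router setup for the network described above (added example, not the
# documentation's own script). Assumptions: LAN interface eth1, local subnet
# 172.16.0.0/24, ppp0 = VPN dial-up, eth0 = uplink into 10.2.0.0/16.
set -eu

LAN_IF="${LAN_IF:-eth1}"   # assumption: interface facing the 172.16.0.0/24 clients
LAN_NET="172.16.0.0/24"
UPLINK_IF="eth0"           # external device in the 10.2.0.0/16 network
VPN_IF="ppp0"              # VPN dial-up connection

# Run an iptables command, or only print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_router_rules() {
    # Enable forwarding (needs root; skipped in dry-run mode).
    [ "${DRY_RUN:-0}" = "1" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # Start from a clean slate so the script can be re-run safely.
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    # Default deny for forwarded traffic.
    ipt -P FORWARD DROP

    # MSS clamp for broken Path MTU Discovery. It must come BEFORE the ACCEPT
    # rules: ACCEPT ends rule processing, so a clamp appended later never runs.
    ipt -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # Allow replies back in, and only the local subnet out via VPN or uplink.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$VPN_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$UPLINK_IF" -j ACCEPT

    # Masquerade twice, as the documentation requires: on the VPN tunnel and on the uplink.
    ipt -t nat -A POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE
    ipt -t nat -A POSTROUTING -o "$UPLINK_IF" -s "$LAN_NET" -j MASQUERADE
}

# Usage: sh router.sh apply   (DRY_RUN=1 sh router.sh apply only prints the rules)
if [ "${1:-}" = "apply" ]; then
    apply_router_rules
fi
```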