Linux router

The documentation describes using a computer with a Linux operating system as a router.

Of course you can use a custom router in the StudNet. To get a fully working setup, we provide some additional hints here on how to configure your Linux router.

In our network you can use your own local subnet. Use the IP address space 172.16.0.0/24 as your private network; it includes all IPs from 172.16.0.0 to 172.16.0.255. All other private IP address spaces are used by our servers or by other internal networks and should not be used!

The router has to establish a VPN connection to the VPN gateway. For all clients located behind it, masquerading has to be performed twice, once for each outgoing device:

iptables -t nat -A POSTROUTING -o ppp0 -s 172.16.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j MASQUERADE

ppp0 is the device carrying the VPN dial-in connection, and eth0 is the external device with an IP address from the 192.168.0.0/16 range.

Connection problems with certain servers are caused by badly configured third-party firewalls on which Path MTU Discovery does not work. Because the MTU of a VPN connection is smaller than 1500 bytes, errors can occur when trying to access such servers. The same problem exists for DSL connections using PPPoE.

This can be fixed by:

  • lowering the MTU of all clients behind the router, for example to 1400
  • using a proxy server for HTTP traffic
  • changing the MTU/MSS on your own router

The last option can be achieved with an iptables rule that clamps the MSS of forwarded TCP connections to the path MTU:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
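The whole router setup as one reviewable script, added here as an example and not taken from the StudNet documentation. The sysctl line, the check that the LAN subnet really lies inside 172.16.0.0/24, the function names and the overridable variables are assumptions; the iptables rules are the ones given above.

```shell
#!/bin/sh
# Added example (not from the StudNet documentation). Interface names and the
# LAN subnet are assumptions taken from the text above; override them via the
# environment if your router uses different devices.
LAN_NET="${LAN_NET:-172.16.0.0/24}"   # private subnet for the clients
VPN_IF="${VPN_IF:-ppp0}"              # VPN dial-in device
EXT_IF="${EXT_IF:-eth0}"              # external device (192.168.0.0/16 side)

# Returns 0 only if the subnet lies inside 172.16.0.0/24, the one range the
# StudNet allows for a private network; every other private range is reserved.
lan_net_allowed() {
    case "$1" in */*) ;; *) return 1 ;; esac
    net="${1%/*}"; plen="${1#*/}"
    case "$net" in
        172.16.0.*) [ "$plen" -ge 24 ] && [ "$plen" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# Prints the commands needed on the router, one per line, so they can be
# reviewed before they are applied.
router_rules() {
    # forwarding between devices is off by default on Linux
    echo "sysctl -w net.ipv4.ip_forward=1"
    # masquerade twice: towards the VPN tunnel and towards the external device
    for dev in "$VPN_IF" "$EXT_IF"; do
        echo "iptables -t nat -A POSTROUTING -o $dev -s $LAN_NET -j MASQUERADE"
    done
    # clamp the MSS of forwarded SYNs to the path MTU; works around
    # third-party firewalls that break Path MTU Discovery behind the VPN
    echo "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Applies the rules (needs root); refuses to run with a subnet outside the
# allowed range so that reserved StudNet ranges are never masqueraded.
apply_router_rules() {
    if ! lan_net_allowed "$LAN_NET"; then
        echo "LAN subnet $LAN_NET is outside 172.16.0.0/24" >&2
        return 1
    fi
    router_rules | sh -e
}
```

Run `router_rules` first to inspect the commands, then `apply_router_rules` as root to install them.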