Iptables – Route traffic to some host in Internet via VPN server

iproute2, iptables, openvpn, routing

I need to route traffic to some host on the Internet via a VPN server.

Configuration:

Computer:
ubuntu-12.04

eth0 – x.x.x.x/24

tun0 – inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255

There is an OpenVPN server (Amazon):

ubuntu-12.04

eth0 – y.y.y.y/24

tun0 – inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255

There is a host on the Internet with IP: q.q.q.q

I want traffic to q.q.q.q to go through the OpenVPN server. For this I do:

iptables:

I mark packets in the mangle table:

sudo iptables -t mangle -A OUTPUT -d q.q.q.q -j MARK --set-mark 2

I send traffic to q.q.q.q through tun0:

sudo iptables -t nat -A POSTROUTING -d q.q.q.q -j SNAT --to-source 10.8.0.6

iproute2:

I create table "100" in /etc/iproute2/rt_tables:

sudo ip rule add fwmark 2 table 100
sudo ip route add default via 10.8.0.5 table 100

tcpdump on the 1st computer:

14:22:04.554399 IP 10.8.0.6 > q-q-q-q.clodo.ru : ICMP echo request, id 11717, seq 1, length 64

14:22:04.681918 IP q-q-q-q.clodo.ru > 10.8.0.6 : ICMP echo reply, id 11717, seq 1, length 64

14:22:05.562577 IP 10.8.0.6 > q-q-q-q.clodo.ru : ICMP echo request, id 11717, seq 2, length 64

14:22:05.690240 IP q-q-q-q.clodo.ru > 10.8.0.6 : ICMP echo reply, id 11717, seq 2, length 64

But there is no ping: 2 packets transmitted, 0 received, 100% packet loss.

Best Answer

You don't need to mark the packets. To do what you are planning to, you need the following.

In the server config file, add the following:

push "route q.q.q.q 255.255.255.255"

The above will push the route to the client side, so all the traffic sent from the client to that IP will be sent through the OpenVPN tunnel.

Also, on the server side you need to accept the incoming traffic from the client; you can accept all the traffic coming from the client subnet as follows:

iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT

You might also need this (not sure):

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

You need to NAT the traffic coming from the client [do this on the server side]:

iptables -t nat -A POSTROUTING -d q.q.q.q -j SNAT --to-source PUBLIC_IP_OR_YOUR_VPN_SERVER

And you don't need iproute2 or the mangle table.

The order of the rules matters, so please put them before a matching DROP rule.
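The ordering caveat from the answer is easy to get wrong when the ACCEPT is appended to a chain that already ends in a catch-all DROP. The script below is an added example, not part of the original question or answer: it reads the text of `iptables -S INPUT` and reports whether the ACCEPT for the VPN client subnet is reached before any unrestricted DROP/REJECT; the two chain listings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: verify that the
# server's INPUT chain accepts the VPN client subnet *before* any catch-all
# DROP/REJECT, i.e. the ordering caveat from the answer. Input is the text of
# `iptables -S INPUT`; the listings below are constructed samples.

# Exit 0 if an ACCEPT for the subnet precedes the first unrestricted DROP/REJECT,
# 1 if such a DROP/REJECT comes first (the ACCEPT is shadowed), 2 if no ACCEPT exists.
accept_precedes_drop() {
    awk -v subnet="$1" '
        /^-A INPUT/ {
            n++
            if ($0 ~ ("-s " subnet " ") && / -j ACCEPT$/ && !acc) acc = n
            # a terminating rule without -s would match the VPN traffic as well
            if (/ -j (DROP|REJECT)/ && $0 !~ / -s / && !drop) drop = n
        }
        END {
            if (!acc) exit 2
            if (drop && drop < acc) exit 1
            exit 0
        }'
}

# Prints ok | shadowed | missing for subnet $1 and listing $2.
classify_chain() {
    rc=0
    printf '%s\n' "$2" | accept_precedes_drop "$1" || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo shadowed ;;
        *) echo missing ;;
    esac
}

# Constructed listing: the answer's ACCEPT was appended after an existing catch-all DROP.
BAD_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -s 10.8.0.0/24 -j ACCEPT'

# Constructed listing: the ACCEPT was inserted above the DROP, as the answer advises.
GOOD_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT
-A INPUT -j DROP'

echo "bad chain:  $(classify_chain 10.8.0.0/24 "$BAD_CHAIN")"   # shadowed
echo "good chain: $(classify_chain 10.8.0.0/24 "$GOOD_CHAIN")"  # ok
```

On a live server, `iptables -S INPUT | accept_precedes_drop 10.8.0.0/24` gives the same check against the real chain; a non-zero exit means the rule from the answer needs `-I` instead of `-A`.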
