Iptables – Routing through OpenVPN gateway

iptablesopenvpnroutingvpn

I have the following setup:

++++++++++++++++++
+ OpenVPN server +........ . .  .   .   (cat pictures)  
++++++++++++++++++
  |
  |
__|__________________________________________Internet________________
  |                                           Local
  | DSL
  |
++++++++++++++++++             +++++++++++++++++++
+ router1        +  Ethernet   + router2         +
+ DHCP serving   +-------------+ DHCP serving    +
+ 192.168.1.1/24 +        eth0 + 10.0.0.1/24     +
++++++++++++++++++             + OpenVPN client  +
  .                            + hostapd/dnsmasq +
  .                            +++++++++++++++++++
  .                              . wlan0
  .                              .
  .  WLAN 1                      .  WLAN 2
  .                              .
 (wifi clients 1)                (wifi clients 2)

The intention of this is to have a seperate WLAN 2 to which wifi clients can connect to and get all their traffic to the internet routed through the OpenVPN connection of router2.

router2 runs a hostapd instance with a fairly minimal setup on interface wlan0. dnsmasq.conf is also pretty minimal with:

interface=wlan0
dhcp-range=10.0.0.1,10.0.0.254,12h
no-host

This runs fine. I can connect to the wifi and get assigned an IP address.

OpenVPN is setup and working as well. I'm connecting to a commercial VPN service, so server config is not under my control. OpenVPN is using tun0.

How can I route all request to the internet from wifi clients 2 through the established OpenVPN connection on router2? I'm guess I have to setup the routing table now, but how?

route says:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.200.4.1      128.0.0.0       UG    0      0        0 tun0
default         router1         0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.0.0.0       U     0      0        0 wlan0
10.200.4.0      *               255.255.252.0   U     0      0        0 tun0
<vpn server ip> router1         255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.200.4.1      128.0.0.0       UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1002   0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0

Best Answer

Has the OpenVPN server been setup to route the 10.0.0.1/24 network to router2? What happens if the OpenVPN server pings 10.0.0.1?

If you want hosts on the other side of the VPN to have the ability to making incoming connections then you will need to fix your VPN server.

If this is only outbound traffic, then you probably need to setup NAT. So packets from the 10.0.0.0/24 network appear to come from the VPN interface.

A rule like iptables -t nat -A POSTROUTING -o tun1 -j SNAT --to-source 10.200.4.1

Related Solutions

Linux – Port forward + openVPN + iptables

Try these rules on your gateway:

-A PREROUTING -i $VPN_INTERFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination $INTERNAL_IP_DESTINATION:80
-A POSTROUTING -o $VPN_INTERFACE -j SNAT --to-source $VPN_IP_OF_SERVER
-A POSTROUTING -o $LAN_INTERFACE -j SNAT --to-source $LAN_IP_OF_SERVER

1st. one makes the port forwarding.
2nd. makes the source nat so every packet comming out of the VPN uses the server IP
3rd. makes the packets forwarded to the internal IP, have the soure nat of the server lan ip

Anonymizing OpenVPN and Allowing SSH Access to Internal Server

To resolve this issue you will need to set up both iptables and routing rules. The specific problem you're encountering is that outgoing SSH packets are being routed via your anonymous VPN tunnel interface instead of your Ethernet interface. This is happening because your VPN software set up a routing rule to send any and all unhandled traffic via the tunnel interface. Good for anonymizing your network traffic; bad for establishing SSH connections to your computer.

There are a few ways to fix this problem, but I will share with you the one which worked for me in an identical situation. Here's what we need to do:

Create a new IP rule table to handle non-VPN traffic
Add an IP rule to lookup our no-VPN table for any packets marked with a specific netfilter mask
Add an IP route which directs all traffic in our no-VPN table to use your Ethernet interface instead of the tunnel
Add an iptables rule to mark all SSH traffic with our designated netfilter mask

Note: I was working with Raspbian while doing the following, so you might need to adjust the commands a little to fit your distro.

Creating a new IP rule table

Begin by inspecting iproute2's table definition file. We want to make sure we don't use the name or number of any existing rule tables.

cat /etc/iproute2/rt_tables

You'll likely see something along these lines:

# reserved values
255      local 
254      main
253      default   
0        unspec
#
# local
#
#1      inr.ruhep

Pick an arbitrary number and name for your new rule table -- anything not used above. I will use number 201 and name novpn for the remainder of this answer.

Append a definition directly to the definition file or edit it in the text editor of your choice:

echo "201 novpn" >> /etc/iproute2/rt_tables

Add a new IP rule to lookup the no-VPN table

Check for any existing ip rules that deal with netfilter masks:

ip rule show | grep fwmark

If grep turns up nothing, you're in the clear. If it does print some lines, take note of the hexadecimal number to the right of the word fwmark in each line. You will need to pick a number that is not currently in use. Since I had no existing fwmark rules, I chose the number 65.

ip rule add fwmark 65 table novpn

What this does is cause any packets with netfilter mask 65 to lookup our new novpn table for instructions on how to route the packets.

Direct all traffic in our new table to use the Ethernet interface

ip route add default via YOUR.GATEWAY.IP.HERE dev eth0 table novpn

The important thing to note here is dev eth0. This forces all traffic that passes through the novpn table to only use the hardware Ethernet interface, instead of the virtual tunnel interface that your VPN creates.

Now would be a good time to flush your iproute cache, to make sure your new rules and routes take immediate effect:

ip route flush cache

Instruct firewall rule to mark all SSH traffic with the designated netfilter mask

iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65

There are too many options here for me to explain in any great depth. I strongly encourage you to read the manual page for iptables to get a sense of what's going on here:

man iptables

In a nutshell: we are appending an output rule to the firewall's mangle table (for specialized packet handling) that instructs it to mark any TCP packets originating from source port 22 with our designated netfilter mask 65.

What next?

At this point, you should be ready to test SSH. If all goes well, you should be met with the happy "login as" prompt.

For security's sake, I recommend you instruct your firewall to drop any incoming SSH requests from the tunnel interface:

iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP

Note that the all of the instructions above are transient (except for the creation of the rule table ID) -- they will clear the next time you restart your computer. Making them permanent is an exercise I leave to you.