Forward eth0 to tun0 but stop forwarding when VPN is down
Posted: Sat Oct 01, 2016 6:32 pm
Hi All,
I have setup OpenVPN on a Raspberry PI as a client because I want to route a couple of machines in my network trough it. (the rest of my machines will go trough a different and default gateway on my network).
So my setup is fairly simple like so: laptop -> raspbery pi (with ovpn connection) -> VPN endpoint.
What I wish to accomplish is that when my VPN drops, the raspberry stops forwarding traffic.
I have succesfully setup the client and forwarding (and I can see the laptop gets the VPN IP) but when I kill the VPN (tun0), the raspberry forwards everything to my other (default) gateway and thus the laptop gets the normal address. So basically, I only want the raspberry to forward connections to the internet and over tun0 as long as the vpn connection is up.
These are the steps I took (and in fact forwarding is working fine... the problem is just that it doesnt stop when the VPN goes down
)
In my ovpn client config I have set "redirect-gateway def1"
I have enabled ip_forwarding
And I have added a couple of simple firewall rules like so:
iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
iptables -I FORWARD 1 -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
Fowarding works like a chaorms but any idea's how I can stop forwarding when the VPN drops??
Also, can I make the firewall a bit more secure because anyone from the VPN network can access my LAN now (I think?)
My ip config when the VPN is up looks like this:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:10:f7:f3 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.55/24 brd 192.168.50.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe10:f7f3/64 scope link
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.106 peer 10.8.0.105/32 scope global tun0
valid_lft forever preferred_lft forever
We can assume the pub IP of the VPN is 120.120.120.120
My routing table with VPN enabled look like this:
root@raspberrypi:/home/pi# ip r
0.0.0.0/1 via 10.8.0.105 dev tun0
default via 192.168.50.1 dev eth0
10.8.0.105 dev tun0 proto kernel scope link src 10.8.0.106
128.0.0.0/1 via 10.8.0.105 dev tun0
120.120.120.120 via 192.168.50.1 dev eth0
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.55
Maybe it works by changing the defaul route which is my isp router and when the tun0 goes down it just forwards it there? Problem is, the tun0 local ip always changes so I cannot add some kind of static route...? Can I do something with a if_down script or something? Like disable ip_forwarding?
Hope someone can help, much appreciated!
Lawk
I have setup OpenVPN on a Raspberry PI as a client because I want to route a couple of machines in my network trough it. (the rest of my machines will go trough a different and default gateway on my network).
So my setup is fairly simple like so: laptop -> raspbery pi (with ovpn connection) -> VPN endpoint.
What I wish to accomplish is that when my VPN drops, the raspberry stops forwarding traffic.
I have succesfully setup the client and forwarding (and I can see the laptop gets the VPN IP) but when I kill the VPN (tun0), the raspberry forwards everything to my other (default) gateway and thus the laptop gets the normal address. So basically, I only want the raspberry to forward connections to the internet and over tun0 as long as the vpn connection is up.
These are the steps I took (and in fact forwarding is working fine... the problem is just that it doesnt stop when the VPN goes down
)In my ovpn client config I have set "redirect-gateway def1"
I have enabled ip_forwarding
And I have added a couple of simple firewall rules like so:
iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
iptables -I FORWARD 1 -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
Fowarding works like a chaorms but any idea's how I can stop forwarding when the VPN drops??
Also, can I make the firewall a bit more secure because anyone from the VPN network can access my LAN now (I think?)
My ip config when the VPN is up looks like this:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:10:f7:f3 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.55/24 brd 192.168.50.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe10:f7f3/64 scope link
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.106 peer 10.8.0.105/32 scope global tun0
valid_lft forever preferred_lft forever
We can assume the pub IP of the VPN is 120.120.120.120
My routing table with VPN enabled look like this:
root@raspberrypi:/home/pi# ip r
0.0.0.0/1 via 10.8.0.105 dev tun0
default via 192.168.50.1 dev eth0
10.8.0.105 dev tun0 proto kernel scope link src 10.8.0.106
128.0.0.0/1 via 10.8.0.105 dev tun0
120.120.120.120 via 192.168.50.1 dev eth0
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.55
Maybe it works by changing the defaul route which is my isp router and when the tun0 goes down it just forwards it there? Problem is, the tun0 local ip always changes so I cannot add some kind of static route...? Can I do something with a if_down script or something? Like disable ip_forwarding?
Hope someone can help, much appreciated!
Lawk
