I have a fully functional OpenVPN server (10.0.0.1) running on Debian that is an internet gateway and that also provides routing functionality for multiple LANs (via iptables). I am interested in forwarding all of the outgoing internet traffic from my OpenVPN server through one client machine (tun0 - 10.0.0.10), while still using the OpenVPN server to route traffic that is destined for the LANs (i.e., 10.0.0.0/8). In other words, I want one client to be the outgoing internet gateway. The client connects to the server using a vLAN (10.99.0.0/16).
If possible, I would eventually like to have the 10.0.0.10 client route incoming connections from other VPN clients to the VPN server, while also acting as the default route for all outgoing internet traffic. My goal is to have the server running inside my LAN, without a public IP address, while still allowing incoming connections that are forwarded from the 10.0.0.10 client.
If I set the server's default route to the 10.0.0.10 client, then the server also pushes all the traffic that is destined for various LAN machines through the gateway, and I can no longer connect to the server through the server's internet connection.
I suspect this is a relatively simple routing/iptables problem, but I am too much of a noob to see my way through it.
Server Operating System:
# uname -a
Linux vpn 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) x86_64 GNU/Linux
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 56:00:00:58:c4:2b brd ff:ff:ff:ff:ff:ff
    inet 45.xx.xx.xx/23 brd 45.xx.xx.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 2001:xxxx:xxxx:xxxx::xxxx/64 scope global mngtmpaddr dynamic
       valid_lft 2591688sec preferred_lft 604488sec
    inet6 fe80::xxxx/64 scope link
       valid_lft forever preferred_lft forever
3: ens7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 5a:00:00:58:c4:2b brd ff:ff:ff:ff:ff:ff
    inet 10.99.0.10/16 brd 10.99.255.255 scope global ens7
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx/64 scope link
       valid_lft forever preferred_lft forever
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.1.0.1/24 brd 10.1.0.255 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fdb9:xxxx:xxxx:xxxx:66::1/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx/64 scope link flags 800
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.0.0.1/24 brd 10.0.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdb9:xxxx:xxxx:xxxx:67::1/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx/64 scope link flags 800
       valid_lft forever preferred_lft forever
# ip route
default via 45.76.28.1 dev ens3 onlink
10.1.0.0/24 dev tun1 proto kernel scope link src 10.1.0.1
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.1
10.99.0.0/16 dev ens7 proto kernel scope link src 10.99.0.10
45.xx.xx.0/23 dev ens3 proto kernel scope link src 45.xx.xx.xx
# iptables rules (server)
#VPN to internet
iptables -I INPUT -i $PERSONAL_TUNNEL -j ACCEPT
iptables -I OUTPUT -o $PERSONAL_TUNNEL -j ACCEPT
iptables -I FORWARD -i $PERSONAL_TUNNEL -j ACCEPT
iptables -I FORWARD -i $PERSONAL_TUNNEL -o $INTERNET_INTERFACE -j ACCEPT
iptables -I FORWARD -i $INTERNET_INTERFACE -o $PERSONAL_TUNNEL -j ACCEPT

ip6tables -I INPUT -i $PERSONAL_TUNNEL -j ACCEPT
ip6tables -I OUTPUT -o $PERSONAL_TUNNEL -j ACCEPT
ip6tables -I FORWARD -i $PERSONAL_TUNNEL -j ACCEPT
ip6tables -I FORWARD -i $PERSONAL_TUNNEL -o $INTERNET_INTERFACE -j ACCEPT
ip6tables -I FORWARD -i $INTERNET_INTERFACE -o $PERSONAL_TUNNEL -j ACCEPT

iptables -t nat -A POSTROUTING -s $VPN_IP -o $INTERNET_INTERFACE -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s $VPN_IP6 -o $INTERNET_INTERFACE -j MASQUERADE

#VPN2 to internet
iptables -I INPUT -i $PERSONAL_TUNNEL_UDP -j ACCEPT
iptables -I OUTPUT -o $PERSONAL_TUNNEL_UDP -j ACCEPT
iptables -I FORWARD -i $PERSONAL_TUNNEL_UDP -j ACCEPT
iptables -I FORWARD -i $PERSONAL_TUNNEL_UDP -o $INTERNET_INTERFACE -j ACCEPT
iptables -I FORWARD -i $INTERNET_INTERFACE -o $PERSONAL_TUNNEL_UDP -j ACCEPT

ip6tables -I INPUT -i $PERSONAL_TUNNEL_UDP -j ACCEPT
ip6tables -I OUTPUT -o $PERSONAL_TUNNEL_UDP -j ACCEPT
ip6tables -I FORWARD -i $PERSONAL_TUNNEL_UDP -j ACCEPT
ip6tables -I FORWARD -i $PERSONAL_TUNNEL_UDP -o $INTERNET_INTERFACE -j ACCEPT
ip6tables -I FORWARD -i $INTERNET_INTERFACE -o $PERSONAL_TUNNEL_UDP -j ACCEPT

iptables -t nat -A POSTROUTING -s $VPN2_IP -o $INTERNET_INTERFACE -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s $VPN2_IP6 -o $INTERNET_INTERFACE -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $VPN2_IP -d $PUBLIC_GATEWAY -j MASQUERADE
#ip6tables -t nat -A POSTROUTING -s $VPN2_IP6 -d $PUBLIC_GATEWAY6 -j MASQUERADE

#VPN to VPN2
iptables -I FORWARD -i $PERSONAL_TUNNEL -o $PERSONAL_TUNNEL_UDP -j ACCEPT
iptables -I FORWARD -i $PERSONAL_TUNNEL_UDP -o $PERSONAL_TUNNEL -j ACCEPT

ip6tables -I FORWARD -i $PERSONAL_TUNNEL -o $PERSONAL_TUNNEL_UDP -j ACCEPT
ip6tables -I FORWARD -i $PERSONAL_TUNNEL_UDP -o $PERSONAL_TUNNEL -j ACCEPT

iptables -t nat -A POSTROUTING -s $VPN2_IP -o $PERSONAL_TUNNEL -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s $VPN2_IP6 -o $PERSONAL_TUNNEL -j MASQUERADE

iptables -t nat -A POSTROUTING -s $VPN_IP -o $PERSONAL_TUNNEL_UDP -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s $VPN_IP6 -o $PERSONAL_TUNNEL_UDP -j MASQUERADE
Client (10.0.0.10) Operating System:
# uname -a
Linux public.xxxxxx.xxx 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 56:00:00:76:07:3d brd ff:ff:ff:ff:ff:ff
    inet 104.xxx.xxx.xxx/23 brd 104.xxx.xxx.255 scope global dynamic eth0
       valid_lft 52140sec preferred_lft 52140sec
    inet6 2001:xxxx:xxxx:xxxx::xxxx/64 scope global noprefixroute dynamic
       valid_lft 2591614sec preferred_lft 604414sec
    inet6 fe80::xxxx/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP qlen 1000
    link/ether 5a:00:00:76:07:3d brd ff:ff:ff:ff:ff:ff
    inet 10.99.0.12/24 brd 10.99.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx/64 scope link
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.0.0.10/24 brd 10.0.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdb9:xxxx:xxxx:xxxx:67::10/64 scope global
       valid_lft forever preferred_lft forever
# ip route
default via 104.xxx.xxx.1 dev eth0 proto static metric 100
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.10
10.99.0.0/24 dev eth1 proto kernel scope link src 10.99.0.12 metric 100
104.xxx.xxx.0/23 dev eth0 proto kernel scope link src 104.xxx.xxx.217 metric 100
169.xxx.xxx.254 via 104.xxx.xxx.1 dev eth0 proto dhcp metric 100
JSB
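One way to get the behaviour asked for in the post, as an added example that is not the poster's configuration: policy routing (ip rule plus a second routing table) keeps replies from the public address on ens3 while the main table's default points at the client, which is exactly what a plain default-route change breaks. The interface names, the gateway 45.76.28.1 and the 45.xx.xx.xx placeholder come from the post; the table number, the rule priorities and the LOCAL_NETS list are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the post: policy routing for the OpenVPN server.
# Goal: traffic the server itself originates toward the internet leaves via
# the VPN client 10.0.0.10, while (a) locally attached LAN/VPN prefixes keep
# their main-table routes and (b) anything answered from the public address
# (the OpenVPN listener, remote admin access) still goes out ens3, which is
# what stops working when only the default route is changed.
# ens3, 45.76.28.1, tun0 and 10.0.0.10 come from the post; 45.xx.xx.xx is the
# post's placeholder; table 100, the priorities and LOCAL_NETS are assumptions.
PUB_IF=${PUB_IF:-ens3}
PUB_IP=${PUB_IP:-45.xx.xx.xx}    # placeholder: set to the real public address
PUB_GW=${PUB_GW:-45.76.28.1}
VPN_IF=${VPN_IF:-tun0}
VPN_GW=${VPN_GW:-10.0.0.10}
PUB_TABLE=${PUB_TABLE:-100}
LOCAL_NETS=${LOCAL_NETS:-"10.0.0.0/24 10.1.0.0/24 10.99.0.0/16"}

# Print the plan instead of running it, so it can be reviewed against
# `ip rule show` and `ip route show table all` before anything changes.
gen_routes() {
    # 1. Destinations on attached networks always use the main table, whatever
    #    the source address (lower priority number = evaluated first).
    for net in $LOCAL_NETS; do
        echo "ip rule add to $net lookup main priority 900"
    done
    # 2. Packets sourced from the public address consult a table whose only
    #    default is the ISP gateway, so replies to inbound connections are
    #    never pushed into the tunnel.
    echo "ip route replace default via $PUB_GW dev $PUB_IF table $PUB_TABLE"
    echo "ip rule add from $PUB_IP lookup $PUB_TABLE priority 1000"
    # 3. Everything else falls through to main, whose default now points at the
    #    client. The client must have net.ipv4.ip_forward=1 and MASQUERADE
    #    10.0.0.0/24 out of eth0, or the packets are dropped there.
    echo "ip route replace default via $VPN_GW dev $VPN_IF"
}

apply_routes() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_routes: run as root" >&2; return 1; }
    # `ip rule add` is not idempotent: running this twice duplicates rules,
    # so check `ip rule show` first or `ip rule del` the old entries.
    gen_routes | sh -e
}

# Dry run by default; APPLY=1 executes the plan.
if [ "${APPLY:-0}" = "1" ]; then apply_routes; else gen_routes; fi
```

Verify afterwards with `ip route get 8.8.8.8` (should show tun0 via 10.0.0.10) and `ip route get 8.8.8.8 from 45.xx.xx.xx` (should show ens3 via 45.76.28.1).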