First off, I apologise if this issue has been discussed elsewhere. I have hunted and have not seen it. If you have, could you please point me in the right direction?
I am trying to set up a Raspberry Pi and use it as a VPN gateway. The OpenVPN client software has been installed and I successfully managed to get the VPN connected with traffic routing correctly. The issue I have arises when I attempt to allow other clients on my home LAN to route via the VPN tunnel.
IP forwarding has been enabled, along with iptables being configured to MASQUERADE the LAN traffic using the tunnel interface. I have a laptop set up to use the Pi as its default gateway. If the laptop is off (no network activity) and I start the VPN on the Pi, the VPN connects and the Pi can access the internet using the VPN tunnel. No issues so far. I then start the laptop, which then attempts to use the Pi to access internet addresses. The laptop fails to connect and, at the same time, the Pi also loses the ability to access the internet via the VPN. The VPN is still connected but for some reason does not work. I am able to ping the far end of the VPN tunnel but no further. Once I turn the laptop off, the Pi is able to access the internet again.
The issue is not isolated to the laptop. It happens even if I configure other devices to use the Pi as their default gateway.
At first I thought this may be an IP conflict. After checking and rebuilding my entire home network using a new subnet, I can say that this is not the case. The current IP setup I have is:
Router: 192.168.1.1
Raspberry Pi: 192.168.1.140 (default GW: 192.168.1.1)
Laptop: 192.168.1.190 (Default GW: 192.168.1.140)
Has anyone got any ideas as to what might be going on, or what other troubleshooting I can do to isolate the problem?
IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.8.1 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
10.8.8.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.8.8.1 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
xsx891.stwserve 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-N UDP
-N fw-interfaces
-N fw-open
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m state --state NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -m limit --limit 10/min --limit-burst 7 -j LOG --log-prefix "[FW INPUT]: "
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -m limit --limit 10/min --limit-burst 7 -j LOG --log-prefix "[FW FORWARD]: "
-A TCP -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -s 192.168.1.0/24 -p tcp -m tcp --dport 3000 -j ACCEPT
-A UDP -p udp -m udp --dport 5353 -j ACCEPT
-A UDP -p udp -m udp --dport 123 -j ACCEPT
-A fw-interfaces -s 192.168.1.0/24 -i eth0 -o tun+ -j ACCEPT
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:domain to:162.242.211.137
DNAT udp -- anywhere anywhere udp dpt:domain to:162.242.211.137
DNAT tcp -- anywhere anywhere tcp dpt:domain to:78.46.223.24
DNAT udp -- anywhere anywhere udp dpt:domain to:78.46.223.24
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 anywhere
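Three checks worth running over the ruleset posted above, as an added example (these are not the poster's own commands and do not answer the routing question itself): the LOG rules in INPUT and FORWARD sit after an unconditional REJECT, so rejected packets are never logged and the ruleset gives no troubleshooting data; the second pair of DNAT rules repeats the match of the first pair and is shadowed; and the MASQUERADE rule carries no `-o tun0`, so it rewrites LAN traffic on every egress path. The sample rules are constructed from the post, with the nat table re-expressed in `iptables-save` form.

```shell
#!/bin/sh
# Lint an iptables-save dump for logging blind spots and over-broad NAT.
# SAMPLE_* are constructed from the forum post (filter table trimmed to the
# rules that matter; nat table rewritten in iptables-save syntax).

SAMPLE_FILTER='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -m limit --limit 10/min --limit-burst 7 -j LOG --log-prefix "[FW INPUT]: "
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -m limit --limit 10/min --limit-burst 7 -j LOG --log-prefix "[FW FORWARD]: "
-A fw-interfaces -s 192.168.1.0/24 -i eth0 -o tun+ -j ACCEPT'

SAMPLE_NAT='-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 162.242.211.137
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 162.242.211.137
-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 78.46.223.24
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 78.46.223.24
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE'

# Print each chain whose LOG rule comes after an unconditional REJECT/DROP
# (a rule whose first token after the chain name is already "-j"): the LOG
# is unreachable, so move it above the REJECT to see what gets refused.
dead_log_chains() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { blocked[$2] = 1 }
    $1 == "-A" && blocked[$2] && / -j LOG/ { print $2 }'
}

# Print rules whose match part (everything before "-j") repeats an earlier
# rule in the dump: the later rule is shadowed and never applies.
shadowed_nat_rules() {
  printf '%s\n' "$1" | awk -F ' -j ' 'seen[$1]++ { print $0 }'
}

# Print MASQUERADE rules with no "-o <iface>": they rewrite LAN traffic
# leaving via eth0 as well as via the tunnel, not only tunnelled traffic.
unscoped_masquerade() {
  printf '%s\n' "$1" | grep -- '-j MASQUERADE' | grep -v -- ' -o '
}
```

On the Pi itself the functions can be fed live output, e.g. `dead_log_chains "$(iptables-save -t filter)"` and `unscoped_masquerade "$(iptables-save -t nat)"`.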