
ipset & fwmark ip route rule: packet with source client address found on the server tun device.

Posted: Wed Apr 14, 2021 10:04 am
by oooovpnuser2021
Hi everyone,

I want to divert routes for a large bundle of URLs to the OpenVPN tun device.

Before, I did it this way:

#ping dns.google and get the 8.8.8.8 address,
then
#route add -net 8.0.0.0/8 tun0
and it works fine.

Since I have so many URLs to handle, I followed this https://stackoverflow.com/questions/509 ... -one-route to do it automatically using ipset & an extra route.

I did this on my client:
#ipset create TEST hash:net
#ipset add TEST 104.26.3.41
#ipset test TEST 104.26.3.41
104.26.3.41 is in set TEST.
#iptables -I OUTPUT -t mangle -m set --match-set TEST dst -j MARK --set-mark 1
#ip rule add prio 100 fwmark 1 lookup 100
#ip route add table 100 default dev tun0

The problem is:

with 8.8.8.8, everything works normally.

But with 104.26.3.41 and the ipset & ip route rule fwmark way, the client VPN is not correctly handling packets; please see the following tcpdump log:

for the normal route, the OpenVPN client peer address is the source address:
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
17:55:53.615189 IP 172.16.7.2 > 8.8.8.8: ICMP echo request, id 104, seq 202, length 64
17:55:53.821320 IP 8.8.8.8 > 172.16.7.2: ICMP echo reply, id 104, seq 202, length 64

for the ipset & ip route rule fwmark way, the client machine's local address is used:
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
17:56:12.121148 IP 192.168.3.226 > 104.26.3.41: ICMP echo request, id 105, seq 6, length 64
17:56:13.145148 IP 192.168.3.226 > 104.26.3.41: ICMP echo request, id 105, seq 7, length 64

So can anyone give me some guidance on where I am wrong?

Thanks a lot.

Jim
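The ipset / fwmark / ip rule procedure from the post, as an added example (an editor's script, not the poster's): it automates the same steps for a list of hostnames or IPv4 literals, with the names TEST, mark 1, table 100 and tun0 taken from the post and made overridable through environment variables, and adds one rule the post does not have, a nat POSTROUTING MASQUERADE on tun0. That rule targets the source-address difference visible in the second tcpdump: for a locally generated packet the kernel chooses the source address during the first route lookup, before the mangle OUTPUT mark exists, so the marked packet is rerouted to tun0 but still carries the LAN address 192.168.3.226; masquerading on tun0 rewrites it to tun0's own address on the way out. DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0, run as root, applies them.

```sh
#!/bin/sh
# Editor-added example; not the poster's script. Automates the post's
# ipset + fwmark + ip rule setup for a list of hosts and adds the
# POSTROUTING masquerade that gives packets leaving tun0 the tun0 address.
# Assumed names (overridable): set TEST, mark 1, table 100, interface tun0.

SETNAME="${SETNAME:-TEST}"
MARK="${MARK:-1}"
TABLE="${TABLE:-100}"
VPN_IF="${VPN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve a hostname to its IPv4 addresses, one per line (glibc getent).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Insert an iptables rule unless an identical one is already present
# (the -C check is skipped in DRY_RUN mode, so the insert is printed).
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" != "1" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -I "$chain" "$@"
}

# One-time policy-routing setup; safe to re-run.
setup_policy_route() {
    run ipset create "$SETNAME" hash:net -exist
    # Mark locally generated packets whose destination is in the set.
    ensure_rule mangle OUTPUT -m set --match-set "$SETNAME" dst -j MARK --set-mark "$MARK"
    # Marked packets consult TABLE, whose only route is the tun device.
    run ip rule del fwmark "$MARK" lookup "$TABLE" 2>/dev/null || true
    run ip rule add prio 100 fwmark "$MARK" lookup "$TABLE"
    run ip route replace table "$TABLE" default dev "$VPN_IF"
    # The source address was picked from the main table before the mark
    # existed (the LAN address), so rewrite it to tun0's address on exit.
    ensure_rule nat POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Add each argument (IPv4 literal or hostname) to the set.
add_hosts_to_set() {
    for host in "$@"; do
        if is_ipv4 "$host"; then
            run ipset add "$SETNAME" "$host" -exist
        else
            for ip in $(resolve_v4 "$host"); do
                run ipset add "$SETNAME" "$ip" -exist
            done
        fi
    done
}

# Usage: DRY_RUN=0 sh divert.sh dns.google 104.26.3.41 ...
if [ $# -gt 0 ]; then
    setup_policy_route
    add_hosts_to_set "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact ipset, iptables and ip commands it would issue, then with DRY_RUN=0 as root. Because `ipset add ... -exist`, `ip route replace` and the `-C` checks are idempotent, the script can be re-run from cron to refresh addresses whose DNS records change.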