How to redirect xbox from local network to tun+?

[jergen]

Dear all,

I trying to connect xbox one from my home networt to the internet using the vpn. The rest of my pcs should have "standard" access to the internet as now (by masquerade), so not through the vpn.
The openvpn client is installed on my router (debian router).

Xbox one (192.168.11.2) is connected to the internet by the wlan0 and I do not know how to redirect it to tun+.
Could you please help me? Thank you in advance.

The openvpn config:

Code: Select all

client
dev tun
remote us03.vpne.eu 443
proto tcp-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.conf
tls-client
pull
persist-key
resolv-retry infinite
reneg-sec 0
verb 3
script-security 2 system
auth-nocache
route-delay 2

Route:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.100.200.0    10.100.201.21   255.255.252.0   UG    0      0        0 tun0
10.100.201.21   *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth2
192.168.11.0    *               255.255.255.0   U     0      0        0 wlan0

Route after openvpn started:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.100.200.0    10.100.201.21   255.255.252.0   UG    0      0        0 tun0
10.100.201.21   *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth2
192.168.11.0    *               255.255.255.0   U     0      0        0 wlan0

Code: Select all

eth0      Link encap:Ethernet  HWaddr 00:11:0a:54:bb:02
          inet addr:192.168.1.14  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:aff:fe54:bb02/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2137 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:176536 (172.3 KiB)  TX bytes:321237 (313.7 KiB)

eth2      Link encap:Ethernet  HWaddr 00:11:0a:54:bb:03
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::211:aff:fe54:bb03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

mon.wlan0 Link encap:UNSPEC  HWaddr 14-CC-20-1F-B5-4D-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2872405 (2.7 MiB)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.100.201.22  P-t-P:10.100.201.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 14:cc:20:1f:b5:4d
          inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: fe80::16cc:20ff:fe1f:b54d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:576 (576.0 B)

)

[maikcat]

if you have a network with f.e 10 hosts and you want the 2 of them to access
internet via a different gateway then you need to enable policy based routing on your router,
in your case your debian.

Michael.

[jergen]

My home local network is as below:

gateway: 192.168.1.254 (modem)
192.168.1.1 - eth0
192.168.10.1 - eth2 (lan)
192.168.11.1 - wlan0 (wifi)
193.168.11.3 - xbox

In openvpn client config file I added:

Code: Select all

route-nopull.
route 192.168.11.2 255.255.255.255

Routing after I started the openvpn:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.100.201.21   *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth2
192.168.11.0    *               255.255.255.0   U     0      0        0 wlan0
192.168.11.2    10.100.201.21   255.255.255.255 UGH   0      0        0 tun0

Could you please help me with this?
How to redirect the xbox to tun+?

[maikcat]

lets go again,

you have one debian which acts as a router,
it has 3 interfaces lan,wan,wlan
it also has an openvpn client which has 10.100.201.0 network,

if your xbox wants to access 10.100.201.0 network and it has your debian as default gateway
then you do not need anything else,its simply routing.

but if your vpn provides you internet access is a different story...

Michael.

[jergen]

In my last post I made the mistake:

The xbox IP is 192.168.11.2 not 192.168.11.3.

[maikcat]

it doesnt matter,
does it uses 192.168.11.1 as default gateway?
which ip do you want to access via xbox?

Michael.

[jergen]

lets go again,
you have one debian which acts as a router,
it has 3 interfaces lan,wan,wlan
it also has an openvpn client which has 10.100.201.0 network,

Yes, you right.

if your xbox wants to access 10.100.201.0 network and it has your debian as default gateway
then you do not need anything else,its simply routing.

The default gateway for my all pcs is 192.168.1.254.
But I want to xbox to use the gateway from openvpn.

but if your vpn provides you internet access is a different story...

The vpn is only to hide the real locaction of xbox.

[maikcat]

But I want to xbox to use the gateway from openvpn.

your openvpn setup does NOT redirects your internet access,

what resource you want your xbox to access? the 10.100.201.0 network?

i insist on this info because you will need totaly different approach...

Michael.

[jergen]

it doesnt matter,
does it uses 192.168.11.1 as default gateway?
which ip do you want to access via xbox?

Michael.

- default gateway: 192.168.1.254 (modem)
- 192.168.1.1 - eth0
- 192.168.10.1 - eth2 (lan)
- 192.168.11.1 - wlan0 (wifi)
- 193.168.11.2 - xbox
- openvpn network is 10.100.201.0

All pcs from LAN 192.168.10.2-192.168.10.xxx should use default gataway 192.168.1.254 (modem).

All pcs from WIFI 192.168.11.3-192.168.11.xxx should use default gataway 192.168.1.254 (modem).

Only the xbox 192.168.11.2 shlould you the openvpn network.


In openvpn client config file I added:

Code: Select all

route-nopull.
route 192.168.11.2 255.255.255.255

Routing after I started the openvpn:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.100.201.21   *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth2
192.168.11.0    *               255.255.255.0   U     0      0        0 wlan0
192.168.11.2    10.100.201.21   255.255.255.255 UGH   0      0        0 tun0

[maikcat]

All pcs from LAN 192.168.10.2-192.168.10.xxx should use default gataway 192.168.1.254 (modem).

All pcs from WIFI 192.168.11.3-192.168.11.xxx should use default gataway 192.168.1.254 (modem).

Only the xbox 192.168.11.2 shlould you the openvpn network.

what you dont clarify is the openvpn network is to provide you an alternative internet access,
if its not and you only need to access 10.100.201.0 then all you need is iptables rules to filter traffic and NAT
the xbox ip.

Michael.

[maikcat]

remove the 2 directives you added.

Michael.

[jergen]

All pcs from LAN 192.168.10.2-192.168.10.xxx should use default gataway 192.168.1.254 (modem).

All pcs from WIFI 192.168.11.3-192.168.11.xxx should use default gataway 192.168.1.254 (modem).

Only the xbox 192.168.11.2 shlould you the openvpn network.

what you dont clarify is the openvpn network is to provide you an alternative internet access,
if its not and you only need to access 10.100.201.0 then all you need is iptables rules to filter traffic and NAT
the xbox ip.

Michael.

Could you please help me with these iptables rules? I check few and any of them does not work.
Thank you in advance.

[maikcat]

post your CURRENT iptables status please,

iptables -L -v
iptables -L -t nat -v

Michael.

[jergen]

unfortunately now I have no access to my router but my firewall is only as below:

Code: Select all

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -X
iptables -t nat -X
iptables -t nat -F
iptables -t mangle -F
iptables -t mangle -X

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Later I will able to give you my current iptables status.
Thank you for help.

[maikcat]

you will need something like

Code: Select all

iptables -t nat -A POSTROUTING -s 192.168.11.2/32 -o tun+ -j MASQUERADE

again remove the 2 entries you added....

Michael.

[jergen]

I think I already checked almost similar rule:

Code: Select all

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.11.2 -o tun+ -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT

[maikcat]

what did you tested and it didnt work?

ps: did you removed the directives you added in openvpn config?

Michael.

[jergen]

I tested this in the past without the rules in client openvpn config ad it did not work.
in the afternoon I'll do the same and I will inform you.

Really thank you for you help so far.

[maikcat]

if your openvpn provider redirects ALL traffic via the vpn it WONT work,

you will need to use policy based routing.

Michael.

[jergen]

if your openvpn provider redirects ALL traffic via the vpn it WONT work,

How to check it?
In the client opencpn config I received from openvpn provider there was: "redirect-gateway def1" and I delete it.

you will need to use policy based routing.

What does it mean?