Forward eth0 to tun0 but stop forwarding when VPN is down

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
OpenVpn Newbie
Posts: 1
Joined: Sat Oct 01, 2016 6:15 pm

Forward eth0 to tun0 but stop forwarding when VPN is down

Post by lawk » Sat Oct 01, 2016 6:32 pm

Hi All,

I have set up OpenVPN on a Raspberry Pi as a client because I want to route a couple of machines in my network through it (the rest of my machines will go through a different, default gateway on my network).

So my setup is fairly simple, like so: laptop -> Raspberry Pi (with ovpn connection) -> VPN endpoint.

What I wish to accomplish is that when my VPN drops, the raspberry stops forwarding traffic.

I have successfully set up the client and forwarding (and I can see the laptop gets the VPN IP), but when I kill the VPN (tun0), the Raspberry Pi forwards everything to my other (default) gateway and thus the laptop gets the normal address. So basically, I only want the Raspberry Pi to forward connections to the internet over tun0 as long as the VPN connection is up.

These are the steps I took (and in fact forwarding is working fine... the problem is just that it doesn't stop when the VPN goes down :))

In my ovpn client config I have set "redirect-gateway def1"
I have enabled ip_forwarding

And I have added a couple of simple firewall rules like so:

iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
iptables -I FORWARD 1 -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT

Forwarding works like a charm, but any ideas how I can stop forwarding when the VPN drops??
Also, can I make the firewall a bit more secure, because anyone from the VPN network can access my LAN now (I think?)

My IP config when the VPN is up looks like this:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:10:f7:f3 brd ff:ff:ff:ff:ff:ff
inet brd scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe10:f7f3/64 scope link
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
inet peer scope global tun0
valid_lft forever preferred_lft forever

We can assume the pub IP of the VPN is

My routing table with VPN enabled looks like this:

root@raspberrypi:/home/pi# ip r via dev tun0
default via dev eth0 dev tun0 proto kernel scope link src via dev tun0 via dev eth0 dev eth0 proto kernel scope link src

Maybe it works by changing the default route, which is my ISP router, and when tun0 goes down it just forwards it there? Problem is, the tun0 local IP always changes, so I cannot add some kind of static route...? Can I do something with an if_down script or something? Like disable ip_forwarding?

Hope someone can help, much appreciated!


OpenVPN Protagonist
Posts: 2971
Joined: Fri Jun 03, 2016 1:17 pm

Re: Forward eth0 to tun0 but stop forwarding when VPN is down

Post by TinCanTech » Sat Oct 01, 2016 9:57 pm

Try using a --down script to delete iptables rules when the VPN is down.

OpenVpn Newbie
Posts: 2
Joined: Sun Jan 08, 2017 11:04 pm

Re: Forward eth0 to tun0 but stop forwarding when VPN is down

Post by gurre » Wed Jan 11, 2017 9:48 pm

Have you checked the default policy in the FORWARD table?
My table had the default to ACCEPT.
If that is the case you can either change the policy or append a final filter:
sudo iptables -A FORWARD -j DROP

In my table I also have, before the above, two rejects.
sudo iptables -A FORWARD -i eth1 -o eth2 -j REJECT
sudo iptables -A FORWARD -i eth2 -o eth1 -j REJECT

In total my FORWARD table looks like this..

xxxxxxx@router:~$ sudo iptables -S FORWARD -v
-A FORWARD -i eth1 -o tun0 -c 337 35233 -j ACCEPT
-A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -c 360 118998 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -c 0 0 -j REJECT --reject-with icmp-net-prohibited
-A FORWARD -i eth1 -o eth2 -c 0 0 -j REJECT --reject-with icmp-net-prohibited
-A FORWARD -c 0 0 -j LOG --log-prefix "IPTABLES FORWARD " --log-level 7
-A FORWARD -c 0 0 -j DROP

You can see that at the moment I have both the policy set to drop and the final -j DROP.

Useful here is also the logging and to study the counters ;)

OT: I have seen a lot of questions on how to easily find the outside IP number from the command line.
I use ping -c 1 -t 2 from the router.
From a Windows machine connected to the router: ping -n 1 -i 3
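Putting the two suggestions in this thread together (a default-deny FORWARD policy, plus an OpenVPN --up/--down hook that adds and removes the tun0 rules), here is an added example script that is not code from any poster. It assumes OpenVPN runs with --script-security 2 and exports the script_type variable to the hook, and it uses the eth0/tun0 names from the question; set IPT=echo to see the commands without applying them.

```shell
#!/bin/sh
# OpenVPN --up/--down hook: forward LAN traffic over the tunnel only while it is up.
# Assumptions (constructed example): OpenVPN runs with --script-security 2 and
# exports script_type ("up" or "down"); interfaces are eth0 (LAN) and tun0 (VPN).
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the commands instead of applying them

vpn_up() {
    # Default-deny forwarding: when no tun0 rule matches, LAN packets are dropped
    # instead of being forwarded out eth0 to the ISP gateway once the VPN is gone.
    "$IPT" -P FORWARD DROP
    "$IPT" -t nat -I POSTROUTING 1 -o "$VPN_IF" -j MASQUERADE
    # Only replies to LAN-originated flows may come back in from the VPN side,
    # so peers on the VPN network cannot open connections into the LAN.
    "$IPT" -I FORWARD 1 -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -I FORWARD 1 -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
}

vpn_down() {
    # Remove the rules again; the DROP policy stays in place, so nothing is
    # forwarded until the next "up" run re-adds the tun0 rules.
    "$IPT" -D FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    "$IPT" -D FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# OpenVPN sets script_type to "up" or "down" before calling the hook.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Reference the same file from both the up and down directives in the client config (for example "up /etc/openvpn/fw.sh" and "down /etc/openvpn/fw.sh", with "script-security 2"); the -P FORWARD DROP alone already closes the leak to the ISP gateway, and the down hook just keeps the ruleset tidy between connections.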
