Trying to build a VPN gateway, struggling with routing

pi-chucker
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 18, 2021 9:09 pm

Trying to build a VPN gateway, struggling with routing

Post by pi-chucker » Thu Mar 18, 2021 9:26 pm

Good Evening,

I'm trying to build a router running Ubuntu 20.04 that will connect an ethernet network to a hosted VPN service.

My interfaces:
  • eth0: Internet facing
  • eth1: Internal network
  • tun0: VPN connection that runs over eth0
I want to use NAT between eth1 & tap0, but I don't think that is relevant to my question.

The only traffic that I want to use the VPN is traffic coming from the eth1 interface. I've found how to use policy routing in Ubuntu to select traffic based on source interface. Where I'm getting hung up is figuring out where to send it next. I'm using 'pull-filter ignore redirect-gateway' to prevent the VPN service from redirecting all traffic. What I think I need to do is somehow grab the IP address that was sent as the 'route-gateway' and apply that as the default gateway to the table I began with 'ip rule add iif eth1 table vpn0'. Is there a clean way to do this? I do not believe I can trust that the gateway will stay the same on the hosted VPN side of things.

Thanks in advance,

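One way to do what the question describes, as an added example that is not from this thread or from OpenVPN itself: a hook script run by OpenVPN on `route-up` and `down`. It assumes the client config contains `pull-filter ignore "redirect-gateway"`, `script-security 2`, `route-up` and `down` pointing at this script, that table `vpn0` is declared in /etc/iproute2/rt_tables, and it relies on the documented OpenVPN script environment variables `route_vpn_gateway`, `dev` and `script_type`; the `LAN_IF`, `TABLE` and `PREF` values are my choices.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN route-up/down hook that installs the
# gateway pushed by the provider as the default route of policy table "vpn0", so only
# traffic arriving on eth1 is sent into the tunnel. Assumes (my choices, not the
# poster's): table vpn0 exists in /etc/iproute2/rt_tables; OpenVPN exports
# route_vpn_gateway, dev and script_type (documented script environment variables).

LAN_IF="${LAN_IF:-eth1}"
TABLE="${TABLE:-vpn0}"
PREF=1000   # fixed rule priority so the rule is installed once and found again later

# Build the command that makes the pushed gateway the table's default route.
# Returning a string keeps the logic testable without root or real interfaces.
build_route_cmd() {
    _gw="$1"; _dev="$2"; _tbl="$3"
    case "$_gw" in
        *.*.*.*) ;;   # crude sanity check: refuse an empty or non-IPv4 gateway value
        *) echo "refusing bad gateway: '$_gw'" >&2; return 1 ;;
    esac
    printf 'ip route replace default via %s dev %s table %s' "$_gw" "$_dev" "$_tbl"
}

build_rule_cmd() {
    printf 'ip rule add iif %s lookup %s pref %s' "$1" "$2" "$3"
}

route_up() {
    # route_vpn_gateway is set afresh on every (re)connect, so a gateway change on
    # the provider side is picked up without hand-editing any config.
    _cmd=$(build_route_cmd "$route_vpn_gateway" "$dev" "$TABLE") || exit 1
    eval "$_cmd"
    # 'ip rule add' happily installs duplicates, so add the rule only if absent
    ip rule show | grep -q "^$PREF:" || eval "$(build_rule_cmd "$LAN_IF" "$TABLE" "$PREF")"
}

route_down() {
    # Fail closed: keep the rule but replace the default with a blackhole, so eth1
    # traffic is dropped rather than leaking out via eth0 while the tunnel is down.
    ip route replace blackhole default table "$TABLE"
}

case "${script_type:-}" in
    route-up) route_up ;;
    down)     route_down ;;
    *)        ;;   # run or sourced outside OpenVPN: only define the functions
esac
```

The blackhole in `route_down` is what stops eth1 hosts from silently falling through to the main table and the ISP uplink when the tunnel drops; remove it only if that leak is acceptable.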
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: Trying to build a VPN gateway, struggling with routing

Post by TinCanTech » Thu Mar 18, 2021 9:57 pm

Your question does not make sense.

Answer this instead:
  • What traffic do you have which you do not want to use the VPN?

pi-chucker
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 18, 2021 9:09 pm

Re: Trying to build a VPN gateway, struggling with routing

Post by pi-chucker » Fri Mar 19, 2021 1:29 am

Good question.

Right now the only thing would be that I'd like to be able to SSH into the firewall without needing to go through the VPN pipe. DNS is set up to point at it on its ISP IP.

Future state would include a separate Ethernet network that is a DMZ for servers. Basically, I'd like to have two networks, one that connects to the internet directly through the ISP and one that connects through the VPN.

Am I underestimating how novel this configuration would be?
