Forwarding All Traffic from tun0 to tun1

Post by paulchery21 » Sun Sep 25, 2022 10:43 pm

Hi. I got 2 servers with valid IP addresses: SRV1 (middle) & SRV2.
This is what I want to do:
(my client : tun0) -> (SRV1 : tun0 -> SRV1 : tun1) -> (SRV2 : tun1 -> SRV2 : eth0)

These are the configurations:

This is SRV1:

```
port 32976
proto udp
dev tun0

ca      /etc/openvpn/easy-rsa/pki/ca.crt
cert    /etc/openvpn/easy-rsa/pki/issued/server0.crt
key     /etc/openvpn/easy-rsa/pki/private/server0.key
dh      /etc/openvpn/easy-rsa/pki/dh.pem

topology subnet

server 10.21.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

keepalive 10 120

tls-auth /etc/openvpn/server/ta0.key 0
auth-nocache

crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

cipher AES-256-CBC

persist-key
persist-tun
```

And this is SRV2:

```
port 50945
proto udp
dev tun1

ca      /etc/openvpn/easy-rsa/pki/ca.crt
cert    /etc/openvpn/easy-rsa/pki/issued/server0.crt
key     /etc/openvpn/easy-rsa/pki/private/server0.key
dh      /etc/openvpn/easy-rsa/pki/dh.pem

topology subnet

server 10.63.0.0 255.255.255.0
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

keepalive 10 120

tls-auth /etc/openvpn/server/ta.key 0
auth-nocache

crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

cipher AES-256-CBC

persist-key
persist-tun
```
As you see, I redirect my clients' traffic to SRV1, and then I want it to be redirected to SRV2, to which SRV1 is connected.
NOTE: SRV1 is a client of SRV2.
Also, I didn't use `push "redirect-gateway def1 bypass-dhcp"` in SRV2.

First I ran these commands:

SRV1:

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
# -s selects the source subnet to masquerade (the VPN clients)
iptables -t nat -A POSTROUTING -s 10.21.0.0/24 -o tun1 -j MASQUERADE
```
SRV2:

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
# -s selects the source subnet to masquerade (SRV2's VPN clients, including SRV1)
iptables -t nat -A POSTROUTING -s 10.63.0.0/24 -o eth0 -j MASQUERADE
```
But it didn't work, and I also lost my connection to the internet.

I guess that adding a routing table is a MUST.
Would you please help me?
Thanks :)

Post by ordex » Mon Sep 26, 2022 11:58 am

Hi, MASQUERADING is basically enabling NAT. In this case you don't really need to do NAT on SRV1. You can just do routing.
To do routing you must be sure that SRV2 knows how to route packets back to 10.21.0.0/24.
In order to do this, you must configure a route+iroute on SRV2 that instructs SRV2 to send packets to SRV1 when they want to reach 10.21.0.0/24.
(This is also called "LAN behind a client", because SRV1 is a client and has a LAN - the VPN - behind it).

Then on SRV1 you must be sure that packets *from* 10.21.0.0/24 are routed to SRV2.
To do that you can either set SRV2 as default gateway for all traffic from SRV1 or you can use policy routing (mix of "ip rule" and "ip route").
With policy routing you should (on SRV1):
* create another routing table;
* use "ip rule" to send all traffic coming from 10.21.0.0/24 to this new routing table;
* use "ip route" to configure a default routing GW in this new routing table.

This approach will not interfere with any other traffic generated by SRV1.

Post by paulchery21 » Mon Sep 26, 2022 8:09 pm

Thanks for your reply. So I'm literally dumb in routing.
Would you please tell me what commands should I use in SRV1 & SRV2?
What I understood from your message:
SRV2:

```sh
ip route add 10.21.0.0/24 via 10.63.0.1
```

SRV1:

```sh
ip route add 10.63.0.0/24 via 10.63.0.1
```

Is that correct?

Post by paulchery21 » Mon Oct 10, 2022 12:21 pm

Anybody, no answers?

Post by ordex » Mon Oct 10, 2022 1:19 pm

Hi, following my own hints:

> ordex wrote (Mon Sep 26, 2022 11:58 am):
> To do routing you must be sure that SRV2 knows how to route packets back to 10.21.0.0/24.
> In order to do this, you must configure a route+iroute on SRV2 that instructs SRV2 to send packets to SRV1 when they want to reach 10.21.0.0/24.
> (This is also called "LAN behind a client", because SRV1 is a client and has a LAN - the VPN - behind it).

The point above can be achieved with 1 line to be added to the openvpn conf file on SRV2:

```
route 10.21.0.0/24
```
and 1 line in the CCD file reserved for SRV1 on SRV2 (check --client-config-directory in the manpage if you don't know about CCD):

```
iroute 10.21.0.0/24
```
Those two lines will make sure that anything directed to 10.21.0.0/24 on SRV2 will be routed towards SRV1.

Then:

> ordex wrote:
> Then on SRV1 you must be sure that packets *from* 10.21.0.0/24 are routed to SRV2.
> To do that you can either set SRV2 as default gateway for all traffic from SRV1 or you can use policy routing (mix of "ip rule" and "ip route").

Here you have to decide what you want: do you want all traffic generated on SRV1 to go through SRV2, or should only traffic coming from clients be redirected to SRV2?

I presume you want the latter, so I will go that way:
With policy routing you should (on SRV1):
* create another routing table;

```sh
# register table number 111 under the name "openvpn" so "ip" can refer to it by name
echo "111 openvpn" >> /etc/iproute2/rt_tables
```

* use "ip rule" to send all traffic coming from 10.21.0.0/24 to this new routing table;

```sh
ip rule add from 10.21.0.0/24 table 111
```

* use "ip route" to configure a default routing GW in this new routing table.

```sh
ip route add default via 10.63.0.1 table 111
```

I wrote the commands above off the top of my head, so something may be wrong. But it's a starting point.
Please, try to understand what they are doing, so you can get full control over your setup ;)
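
The SRV1 side of the recipe above (both of ordex's posts) as one re-runnable script, added here as an example and not code from the thread or from OpenVPN; it assumes the thread's addresses (clients on 10.21.0.0/24 via tun0, SRV2 reachable as 10.63.0.1 over tun1), table number 111 named "openvpn", and adds a loose rp_filter setting on tun1 that the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent SRV1 policy-routing setup, run as root
# (for instance from an OpenVPN --up script on SRV1's client connection to SRV2).
# Assumptions: client subnet 10.21.0.0/24 arrives on tun0, SRV2 is 10.63.0.1 over tun1,
# the table is named "openvpn" with number 111. DRY_RUN=1 prints commands instead.
set -eu

CLIENT_NET="${CLIENT_NET:-10.21.0.0/24}"
SRV2_GW="${SRV2_GW:-10.63.0.1}"
TABLE_ID="${TABLE_ID:-111}"
TABLE_NAME="${TABLE_NAME:-openvpn}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register the table name exactly once; duplicate lines make every "ip" call warn.
ensure_rt_table() {
  if grep -qs "^[[:space:]]*$TABLE_ID[[:space:]][[:space:]]*$TABLE_NAME[[:space:]]*$" "$RT_TABLES"; then
    return 0
  fi
  printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
}

# The three steps from the thread, made safe to re-run on every tun1 (re)connect.
apply_policy_routing() {
  run sysctl -w net.ipv4.ip_forward=1
  # Loose reverse-path filtering on tun1, so replies to the clients are not
  # silently dropped if the reverse lookup disagrees with the main table.
  run sysctl -w net.ipv4.conf.tun1.rp_filter=2
  # "ip rule add" adds the same rule again on every run, so remove it first.
  run ip rule del from "$CLIENT_NET" lookup "$TABLE_NAME" 2>/dev/null || true
  run ip rule add from "$CLIENT_NET" lookup "$TABLE_NAME"
  # "replace" instead of "add" so an existing default route in the table is updated.
  run ip route replace default via "$SRV2_GW" dev tun1 table "$TABLE_NAME"
}

case "${1:-}" in
  apply) ensure_rt_table; apply_policy_routing ;;
esac
```

Run it as root with the argument `apply`; with DRY_RUN=1 it only prints the commands so you can review them before they touch the routing tables.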
