Help with final touches to routing

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
KuleRucket
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 22, 2011 7:54 am

Help with final touches to routing

Post by KuleRucket » Mon Aug 22, 2011 8:38 am

Hi there,

I am having a problem with the final touches on my network setup. I am completely new to openvpn and not very familiar with networking concepts, but I am pretty competent with Linux.

My home network setup is this:
192.168.1.1 - DSL router - rubbish one from DSL provider
192.168.1.2 - NAS / server
192.168.1.X - lots of other devices.

The NAS is a QNAP running Debian, and is only 12W so it is permanently on to supply services and data to the rest of my network. I currently run a dnsmasq server on the NAS to supply ip addresses to everything on the network. The openvpn client also runs there.

I then have a ps3 which can be used to access UK TV catchup services. I use iptables to forward the ps3 connection to the openvpn network, which is working.

My problem is that the NAS is currently using the openvpn route by default and I do not want it to do this. When I try to use the noexec/route-up options in openvpn, I cannot get the ps3 to connect.

My configuration is as follows...

openvpn:

client
fast-io
dev tun
#dev tap
proto udp

nobind
remote shared69.vpnuk.net
route-method exe
route-delay 2
resolv-retry infinite

persist-key
persist-tun
 
auth-user-pass
ca vpnuk-ca.crt
tls-auth ta.key 1
 
comp-lzo
verb 3

Here are some bits of my dnsmasq config:

domain-needed
bogus-priv
server=/localnet/192.168.1.1
expand-hosts
dhcp-range=192.168.1.101,192.168.1.199,168h
dhcp-option=option:router,192.168.1.1
dhcp-option= tag:ovpn, option:router,192.168.1.2
# ps3
dhcp-mac=set:ovpn,A8:E3:EE:8D:44:A3
dhcp-host=A8:E3:EE:8D:44:A3,192.168.1.24
dhcp-host=XXX - lots of other devices I won't bore you with.

As you can see, I supply the router as the gateway for 'normal' devices and they just connect to the internet through the router. For the PS3, I tell it to use the NAS as the gateway.

Once I connect the vpn tunnel, I run the following iptables commands to tunnel the PS3 connection through the vpn:

#!/bin/sh

INTIF="eth0"   # LAN side of the NAS
EXTIF="tun0"   # VPN side of the NAS
# Address on the tunnel interface (computed for reference; the rules below do not use it)
EXTIP="`/sbin/ifconfig tun0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

# Load the netfilter, connection-tracking and NAT kernel modules
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

# Let the kernel forward packets between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Reset the filter and nat tables; forwarding is denied unless a rule below allows it
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# Replies coming back from the VPN may be forwarded to the LAN for tracked connections
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the PS3 (192.168.1.24) may be forwarded from the LAN into the tunnel
iptables -A FORWARD -i $INTIF -o $EXTIF -s 192.168.1.24 -j ACCEPT
# Rewrite the source address of forwarded packets to the tunnel's own address
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

I must admit, I don't really understand all of the options in the iptables commands; I adapted another script and managed to add the -s option to limit the forwarding to the PS3 only.

So basically this much works fine. All machines are using the normal internet connection whilst the ps3 is using the vpn.

So now what I want to do is have the NAS set the tun0 device up without routing its own connection through it. When the openvpn client connects, it does the following:

route add -net 109.108.151.147 netmask 255.255.255.255 gw 192.168.1.1
route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.10.11.41
route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.10.11.41
route add -net 10.10.11.0 netmask 255.255.255.0 gw 10.10.11.41

I can disable this and copy this to a script for tuning myself. I run openvpn like this:

openvpn --script-security 2 system --route-noexec --route-up /root/vpnuk-openvpn/routes.sh --config udp.ovpn

When running route I get this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
109.108.151.147 router          255.255.255.255 UGH   0      0        0 eth0
10.10.11.41     *               255.255.255.255 UH    0      0        0 tun0
localnet        *               255.255.255.0   U     0      0        0 eth0
10.10.11.0      10.10.11.41     255.255.255.0   UG    0      0        0 tun0
default         10.10.11.41     128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.10.11.41     128.0.0.0       UG    0      0        0 tun0
default         router          0.0.0.0         UG    0      0        0 eth0

I thought that if I then remove the 128.0.0.0 lines from the routes.sh script it would work, but this then prevents the PS3 connecting so I'm a bit stuck now.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Help with final touches to routing

Post by janjust » Mon Aug 22, 2011 10:31 am

lots of information, but no server config file...
you can prevent a client from pulling in the routing info using

route-nopull

if you want to overrule the routes supplied by the vpn server then don't add the routes
  • 0.0.0.0
  • 128.0.0.0

KuleRucket
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 22, 2011 7:54 am

Re: Help with final touches to routing

Post by KuleRucket » Mon Aug 22, 2011 10:38 am

I don't have the server config since I pay for a vpn service from a third party.

I'll give this option a go.

KuleRucket
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 22, 2011 7:54 am

Re: Help with final touches to routing

Post by KuleRucket » Mon Aug 22, 2011 12:21 pm

As far as I can work out, the --route-nopull does the same thing as --route-noexec in terms of routing. I still get the same issue.

If I use route-nopull and then try to manually set up the routes I want:

route add -net 192.168.1.24 netmask 255.255.255.255 gw 10.10.11.41
route add -net 109.108.151.147 netmask 255.255.255.255 gw 192.168.1.1
route add -net 10.10.11.0 netmask 255.255.255.0 gw 10.10.11.41

It gives what I think is a correct routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
109.108.151.147 router          255.255.255.255 UGH   0      0        0 eth0
10.10.11.41     *               255.255.255.255 UH    0      0        0 tun0
ps3             10.10.11.41     255.255.255.255 UGH   0      0        0 tun0
localnet        *               255.255.255.0   U     0      0        0 eth0
10.10.11.0      10.10.11.41     255.255.255.0   UG    0      0        0 tun0
default         router          0.0.0.0         UG    0      0        0 eth0

ps3, however, won't even get an IP address.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Help with final touches to routing

Post by janjust » Mon Aug 22, 2011 1:56 pm

what kind of routing do you want?

route add -net 192.168.1.24 netmask 255.255.255.255 gw 10.10.11.41
route add -net 109.108.151.147 netmask 255.255.255.255 gw 192.168.1.1
route add -net 10.10.11.0 netmask 255.255.255.0 gw 10.10.11.41

the first route sets up a route which says: (LAN) host 192.168.1.24 is to be found via 10.10.11.41 (i.e. the VPN)
the second route says: host 109.108.151.147 (your VPN provider) is to be found via 192.168.1.1 (i.e via the DSL router)
the third route says that subnet 10.10.11.0/24 is to be found via 10.11.11.41

now where does the PS3 come into this? who should assign an IP address to the PS3? the DSL router ?

KuleRucket
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 22, 2011 7:54 am

Re: Help with final touches to routing

Post by KuleRucket » Mon Aug 22, 2011 7:51 pm

Hmmm OK. From your answer I think I understand routing a bit better now. Now it makes sense why the DHCP request failed: the response was probably sent down the tunnel.

I've removed that route. The other two are correct.

So, now the PS3 can get an IP address but it can't access the internet. If the PS3 is requesting an internet address using the nas as a gateway, I suppose the nas routing table is applied and it will be sent to eth0 instead of tun0.

Maybe it's not possible to do what I'm trying to do?
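janjust's reading of the three routes and KuleRucket's conclusion that the DHCP reply went down the tunnel both rest on one rule: for every outgoing packet the kernel picks the matching route with the most specific prefix. The POSIX sh below re-implements that lookup over the two routing tables posted earlier in this thread, so the effect of each route can be checked without touching a live box. It is an added example written for this thread, not code from the thread; the tables are transcribed from the "route" output above with the names resolved (router = 192.168.1.1, ps3 = 192.168.1.24, localnet = 192.168.1.0, a gateway of 0.0.0.0 meaning directly connected), and 198.51.100.7 is a documentation address standing in for "somewhere on the internet".

```shell
#!/bin/sh
# Longest-prefix-match route lookup, the rule the kernel applies to every
# outgoing packet, replayed over two routing tables posted in this thread.
# Added example written for this thread, not code from the thread. Tables are
# transcribed from the "route" output above: router = 192.168.1.1,
# ps3 = 192.168.1.24, localnet = 192.168.1.0; gateway 0.0.0.0 = directly connected.

# Table with route-nopull plus the hand-added host route for the PS3
ROUTES_NOPULL='
109.108.151.147 192.168.1.1 255.255.255.255 eth0
10.10.11.41     0.0.0.0     255.255.255.255 tun0
192.168.1.24    10.10.11.41 255.255.255.255 tun0
192.168.1.0     0.0.0.0     255.255.255.0   eth0
10.10.11.0      10.10.11.41 255.255.255.0   tun0
0.0.0.0         192.168.1.1 0.0.0.0         eth0
'

# Table as OpenVPN installed it by default (the two /1 routes from the first post)
ROUTES_DEF1='
109.108.151.147 192.168.1.1 255.255.255.255 eth0
10.10.11.41     0.0.0.0     255.255.255.255 tun0
192.168.1.0     0.0.0.0     255.255.255.0   eth0
10.10.11.0      10.10.11.41 255.255.255.0   tun0
0.0.0.0         10.10.11.41 128.0.0.0       tun0
128.0.0.0       10.10.11.41 128.0.0.0       tun0
0.0.0.0         192.168.1.1 0.0.0.0         eth0
'

# Dotted quad -> 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup DEST [TABLE] -> "GATEWAY IFACE" of the most specific matching route
route_lookup() {
    dest=$(ip2int "$1")
    table=${2:-$ROUTES_NOPULL}
    best_mask=-1
    best=""
    while read -r net gw mask iface; do
        [ -z "$net" ] && continue
        m=$(ip2int "$mask")
        n=$(ip2int "$net")
        # a route matches when dest falls inside net/mask; among the matches the
        # longest mask (numerically the largest, for a contiguous mask) wins
        if [ $(( dest & m )) -eq "$n" ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            best="$gw $iface"
        fi
    done <<EOF
$table
EOF
    echo "$best"
}

# The PS3's address is reached via the tunnel (so a unicast DHCP reply goes
# out tun0), every other LAN host is directly on eth0, and the internet goes
# via the DSL router. With the def1 table the two /1 routes beat the /0 default.
for d in 192.168.1.24 192.168.1.50 198.51.100.7; do
    echo "route-nopull table: $d -> $(route_lookup "$d")"
done
echo "def1 table:         198.51.100.7 -> $(route_lookup 198.51.100.7 "$ROUTES_DEF1")"
```

The def1 lookup also shows why removing the two 128.0.0.0 lines broke the PS3: without them nothing more specific than the eth0 default covers the internet, and forwarded PS3 packets follow the NAS's own default out of the DSL router.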

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Help with final touches to routing

Post by janjust » Mon Aug 22, 2011 9:32 pm

should the PS3 be routed via the VPN? or via the DSL router?

it is possible to have the DSL router assign an IP to the PS3 box and then route all its traffic via the NAS box out on the internet, but this requires some extra routing configs on the DSL router itself.

KuleRucket
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 22, 2011 7:54 am

Re: Help with final touches to routing

Post by KuleRucket » Mon Aug 22, 2011 10:44 pm

The PS3 should go through the VPN, everything else through the normal internet connection. The DSL router has virtually no configuration options at all which is why I use the NAS to run my dhcp server. I'm forced to use this router because it uses an IAD component which as far as I can tell is some non-standard VOIP. I've tried other routers but it isn't possible to get the telephone to work through them.

I have an old DSL router that I have managed to put openwrt on, so I am going to try to get openvpn onto that to use that as the VPN gateway. It would be nice not to have yet another piece of kit around the house but it looks like it's the only way it's going to work.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Help with final touches to routing

Post by janjust » Tue Aug 23, 2011 10:12 am

then have the NAS box assign a (local) IP address to the PS3 box, and set up routing rules to redirect all traffic coming from the PS3 IP address via the VPN, e.g. you could assign 192.168.1.24 to the PS3 box, set the default router for the PS3 box to be the NAS box (and NOT the DSL router) and then route all incoming traffic on the NAS box via the VPN.

KuleRucket
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 22, 2011 7:54 am

Re: Help with final touches to routing

Post by KuleRucket » Wed Aug 24, 2011 12:18 am

I already have everything set up exactly as you said but I'm having trouble with the routing part.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Help with final touches to routing

Post by janjust » Wed Aug 24, 2011 8:06 am

post the IP config info of the PS3 (IP, default GW, netmask) and post the routing info on the NAS box - is routing enabled on the NAS box itself (cat /proc/sys/net/ipv4/ip_forward)? if not, add/change a line in /etc/sysctl

net.ipv4.ip_forward = 1

and do a 'sysctl -w'

try running 'tcpdump' on the NAS box and watch for packets coming from the PS3 when it tries to reach the internet.

dropje
OpenVPN User
Posts: 28
Joined: Wed Aug 24, 2011 9:08 am

Re: Help with final touches to routing

Post by dropje » Wed Aug 24, 2011 9:15 am

In addition to the solution janjust provided.

If you are going to forward all traffic this way the source address will be the (internal) ip address of the PS3. How would the VPN server know where to find your PS3 (ip address 192.168.1.23)? You have to use SNAT or MASQUERADE to make sure traffic is to be forwarded back to the NAS and then to the PS3.

KuleRucket
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 22, 2011 7:54 am

Re: Help with final touches to routing

Post by KuleRucket » Wed Aug 24, 2011 7:33 pm

@janjust
PS3:
ip: 192.168.1.23
sn: 255.255.255.0
gw: 192.168.1.2 (NAS)

forwarding is enabled:

root@nas:/etc# cat /proc/sys/net/ipv4/ip_forward
1

IP forwarding is enabled in (/etc/sysctl).

@dropje - If you review my original post you can see that masquerading is done. In fact this works perfectly well as long as the routing tables on the NAS are set up to find the internet via the VPN. The issue is that I want the PS3 to find the internet by going through the VPN, but the NAS itself not to. As far as I can gather it doesn't seem to be possible to separate the two in terms of how the routing is done. It seems to be all or nothing.

Situation 1:
openvpn is left to set up the routing tables such that the internet is found via the VPN. The forwarding set up for the PS3 works fine. The NAS (obviously) uses its own routing table to find the internet via the VPN - which is not what I want.

Situation 2:
openvpn blocked from updating the route information. The PS3, which still thinks the NAS is a gateway doesn't find the internet. The NAS finds the internet via the normal router just as though openvpn wasn't running (as expected).

What I need is for the PS3 to be able to use the NAS as a gateway to the VPN without the NAS itself actually using this route.

EDIT: The good news however, is that I now have openvpn + openwrt running on an old router and the NAS provides it as the gateway for my PS3 and TV.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Help with final touches to routing

Post by janjust » Thu Aug 25, 2011 3:28 pm

what you want is possible, but it requires some advanced routing on the NAS box; there's a thread currently going about somebody who wants to do more or less the same:
topic8682.html

you could use a separate routing table for the PS3 box, so that its traffic is all redirected via the VPN, whilst the NAS box traffic itself is not.
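The separate routing table janjust describes is Linux policy routing: an `ip rule` sends packets whose source is the PS3 to a second table whose default route is the tunnel, while the NAS's own traffic never matches the rule and keeps using the main table and the DSL router. The script below puts that together as an OpenVPN --route-up / --route-pre-down script, and also folds in the two points raised earlier in the thread: janjust's ip_forward check and dropje's MASQUERADE for the PS3's source address. It is an added example written for this thread, not code from the thread, from OpenVPN or from the VPN provider. OpenVPN really does export $dev, $route_vpn_gateway and $script_type to these scripts; the PS3 address (the dnsmasq reservation 192.168.1.24 from the first post), eth0 as the LAN interface, table id 100 and the script path are this example's assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# route-up / route-pre-down script for the NAS: send only the PS3 through the
# VPN via a second routing table, leaving the NAS's own (main) table alone.
# Added example written for this thread; not code from the thread, from
# OpenVPN or from the VPN provider. Assumed invocation (extends the poster's
# command line, which already uses --route-noexec so OpenVPN installs no routes):
#   openvpn --script-security 2 --route-noexec --config udp.ovpn \
#           --route-up /root/vpnuk-openvpn/policy-routes.sh \
#           --route-pre-down /root/vpnuk-openvpn/policy-routes.sh
# OpenVPN exports $dev (tunnel device), $route_vpn_gateway (far end of the
# tunnel) and $script_type to these scripts; everything else below is an
# assumption taken from the thread and can be overridden from the environment.

PS3_IP=${PS3_IP:-192.168.1.24}             # dnsmasq reservation for the PS3
LAN_IF=${LAN_IF:-eth0}                     # NAS interface on 192.168.1.0/24
VPN_DEV=${dev:-tun0}                       # from OpenVPN
VPN_GW=${route_vpn_gateway:-10.10.11.41}   # from OpenVPN; fallback is the thread's value
TABLE=${TABLE:-100}                        # numeric table id; no rt_tables edit needed

# Succeeds when the kernel forwards IPv4 (the check janjust asked for); the
# optional path argument lets the check be exercised on a constructed file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# One command per line, kept separate from execution so the plan can be read
# or tested without root. Packets *from* the PS3 consult table $TABLE, whose
# default route is the tunnel; nothing the NAS sends itself matches the rule,
# so the NAS keeps using the DSL router. Replies to the PS3 are routed by the
# main table, where 192.168.1.0/24 is still directly on $LAN_IF.
policy_routing_commands() {
    cat <<EOF
ip route flush table $TABLE
ip route add 192.168.1.0/24 dev $LAN_IF table $TABLE
ip route add default via $VPN_GW dev $VPN_DEV table $TABLE
ip rule add from $PS3_IP lookup $TABLE priority 1000
ip route flush cache
iptables -A FORWARD -i $LAN_IF -o $VPN_DEV -s $PS3_IP -j ACCEPT
iptables -A FORWARD -i $VPN_DEV -o $LAN_IF -d $PS3_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $PS3_IP -o $VPN_DEV -j MASQUERADE
EOF
}

# Exact inverse, so repeated connects do not pile up rules.
teardown_commands() {
    cat <<EOF
iptables -t nat -D POSTROUTING -s $PS3_IP -o $VPN_DEV -j MASQUERADE
iptables -D FORWARD -i $VPN_DEV -o $LAN_IF -d $PS3_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -D FORWARD -i $LAN_IF -o $VPN_DEV -s $PS3_IP -j ACCEPT
ip rule del from $PS3_IP lookup $TABLE priority 1000
ip route flush table $TABLE
EOF
}

# Run each line emitted by the named function, echoing it first; stop at the first failure.
run_commands() {
    while read -r cmd; do
        [ -z "$cmd" ] && continue
        echo "+ $cmd"
        $cmd || return 1
    done <<EOF
$("$1")
EOF
}

case "${script_type:-}" in
    route-up)
        forwarding_enabled || { echo "net.ipv4.ip_forward is 0 on the NAS; enable it first" >&2; exit 1; }
        run_commands policy_routing_commands ;;
    route-pre-down)
        run_commands teardown_commands ;;
    *)  # started by hand: show the plan, change nothing
        echo "# route-up would run:";       policy_routing_commands
        echo "# route-pre-down would run:"; teardown_commands ;;
esac
```

Because the FORWARD chain in the first post already defaults to DROP, the two ACCEPT rules above are the only forwarding the NAS permits, and the MASQUERADE is limited to the PS3's source address rather than everything leaving tun0. Running the script without OpenVPN (no $script_type) only prints the plan, which is the easiest way to review it before handing it to --route-up.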
