OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

routing all traffic from ppp0 to vpn masquerading to LAN

https://forums.openvpn.net/viewtopic.php?t=10025

Page 1 of 1

routing all traffic from ppp0 to vpn masquerading to LAN

Posted: Thu Mar 08, 2012 7:59 pm
by matters
Heres scenario: I got linux server which connects to the internet via pppoe-start, meaning that router is in bridge mode. All other machines inside the lan get the internet connections through the linux server.

Here are interfaces on the linux server

ppp0 -internet
eth0
tun0 - vpn

right now ppp0 interface is masquerading so all machines on the lan have access to the internet

to do that i have only this rule to accomplish that task.

Code: Select all


# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

EXTIF=ppp0
Now what i would like to accomplish is this:
Since im connecting to VPN provider directly through config file only of specific vpn that im connecting to, i havent edited any openvpn conf file on my end.I would like that all ppp0 traffic (internet traffic) is routed through vpn in this case tun0, then all tun0 traffic masquerade through the lan so that all machines inside the lan get the ip address from the vpn while connected on the internet. How can i do that?

Thanks!

Re: routing all traffic from ppp0 to vpn masquerading to LA

Posted: Fri Mar 09, 2012 10:37 am
by janjust
  • make sure the VPN client has a connection out to the internet via ppp0
  • change the masquerading rule to

    Code: Select all

    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

EXTIF=tun0

Re: routing all traffic from ppp0 to vpn masquerading to LA

Posted: Fri Mar 09, 2012 8:30 pm
by matters
thank you for your response,

when i change postrouting to tun0 like you suggested then when i ping google from lan machines i get

Code: Select all

Pinging www-cctld.l.google.com [173.194.35.183] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Normally on lan machines ive assigned gateway ip because when i get EXTIF = ppp0 again i can ping from machines inside the LAN

something else is interesting:

when i try to connect to vpn provider, by specifying config file when i enter my credentials i get this:

Code: Select all

 03:55:24 2012 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Wed Mar  9 03:55:24 2012 Initialization Sequence Completed
heres my routing table

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
172.29.252.59   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
as you can see my Linux box act as a router for other machines, instead of the router,(thats why i have the router in bridge mode) and i want to keep it that way if possible :)

heres my iptables how i modified it and please suggest if i need to modify something.

Code: Select all

#!/bin/bash
#
# firewall-masq         This script sets up firewall rules for a machine
#                       acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL

# Interface to Internet
EXTIF=tun0

# NAT-Tables are different, so we can use ACCEPT everywhere (?)
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Flush the NAT-Table
iptables -t nat -F

iptables -t filter -P INPUT ACCEPT
iptables -t filter -F

# Allow NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

# Allow incoming SSH
#iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 5050 -j ACCEPT

#Allow HTTP/HTTPS
#iptables -t filter -A INPUT -i $EXTIF -m state --state NEW -p tcp --dport 80 -j ACCEPT

#Allow PING
# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Log & Deny the rest of the privileged ports
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:52  -j DROP
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 54:1023 -j DROP
iptables -t filter -A INPUT -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 127.0.0.1 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 127.0.0.1 --dport 53 -j ACCEPT
# Log & Deny NFS
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP

# Log & Deny X11
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP

# Log & Deny XFS
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP

# Deny TCP connection attempts
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# no IP spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
   for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $i
   done
fi

# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
   echo 0 > $i
done
thanks alot! I really appreciate all your efforts!

Re: routing all traffic from ppp0 to vpn masquerading to LA

Posted: Sun Mar 11, 2012 2:16 pm
by matters
Hello, i just want to clarify that tun0 is connected through the internet to openvpn server via vpnclient such as

Code: Select all

openvpn --config server.ovpn


What im lacking is routing knowledge, because if i do for instance:
route del default dev ppp0; route add default dev tun0
i loose internet connection of course and connection to vpn server.

i also tried to add:

Code: Select all

route add -host 10.10.0.40(which is tun0 ip assigned from vpn server) gw 10.10.0.1 dev ppp0
then i added tun0 to be default route again same problem.

to recap i would like that when i check ip address from every machine inside the lan (which includes linux server of course) that ip address from vpn to be displayed instead of public ip assigned to ppp0, and that all internet traffic goes to vpn so that connection will be encrypted.

I know that you already understood me from the first post but i just wanted to update you so you can see what ive done wrong.

please enlighten me :)

Thanks

Re: routing all traffic from ppp0 to vpn masquerading to LA

Posted: Thu Mar 15, 2012 8:39 am
by matters
Problem solved by:

Code: Select all

 route add -net  IP (of the vpn gateway) netmask 255.255.255.255 dev ppp0; route del default dev ppp0; route add default tun0
then in iptables:

Code: Select all

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

EXTIF=tun0
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/