Connect internet through tun0 and eth0 at the same time
Posted: Sun Oct 28, 2018 9:27 am
I'm trying to connect to the internet selectively through tun0 and eth0 without the configuration option "redirect-gateway def1".

My final goal is routing all the internet traffic from the openVPN client's subnet (br0: 10.0.10.0/24) through tun0
and routing the openVPN client itself just using eth0 for the internet.

The "redirect-gateway def1" option allows the client's subnet to pass all the traffic through tun0, but it prevents the openVPN client from using eth0.
If I'm not using the "redirect-gateway def1" option, then the client's subnet can access the openVPN network (192.168.255.0/24) but cannot access the internet.

So I narrowed down the objective of my issue to making "ping -I tun0 8.8.8.8" succeed on the openVPN client without using the "redirect-gateway def1" option.
"tcpdump -i tun0" while running "ping -I tun0 8.8.8.8" shows that it actually receives the ICMP echo reply, but the ping still fails. I cannot figure out why.

$ ping -I tun0 8.8.8.8

```
PING 8.8.8.8 (8.8.8.8) from 192.168.255.14 tun0: 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9217ms
```

$ tcpdump -i tun0

```
16:42:04.262576 IP linux > google-public-dns-a.google.com: ICMP echo request, id 13612, seq 112, length 64
16:42:04.302313 IP google-public-dns-a.google.com > linux: ICMP echo reply, id 13612, seq 112, length 64
```

I tried all the possible iptables and routing table combinations on the server and client for several days but did not solve it.

Below are my current openVPN configurations, the client's iptables rules and the routing tables.

server.conf (simplified version)

```
server 192.168.255.0 255.255.255.0
dev tun0
compress lz4-v2
push "compress lz4-v2"
route 192.168.255.0 255.255.255.0
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
```

client.conf (simplified version)

```
client
nobind
dev tun
remote <VPN IP> 443 tcp
pull
compress lz4-v2
```

server's iptables (rules related to the VPN)

```
# POSTROUTING lives in the nat table, so -t nat is required for this rule
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
```

client's iptables (rules related to the VPN and the subnet)

```
iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o tun0 -j MASQUERADE
iptables -A FORWARD -i br0 -j ACCEPT
iptables -A FORWARD -i tun0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

server's route (inside the Docker container (kylemanna/openvpn))

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      *               255.255.0.0     U     0      0        0 eth0
192.168.255.0   192.168.255.2   255.255.255.0   UG    0      0        0 tun0
192.168.255.2   *               255.255.255.255 UH    0      0        0 tun0
```

client's route

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 br0
121.213.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 br0
192.168.255.1   192.168.255.13  255.255.255.255 UGH   0      0        0 tun0
192.168.255.13  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
```

I found that adding the routes below turns it into the same state as using "redirect-gateway def1":

```
route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.255.13 dev tun0
route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.255.13 dev tun0
```

Server's ifconfig (inside the Docker container (kylemanna/openvpn))

```
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4176455 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4080837 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.255.1  P-t-P:192.168.255.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1323713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2435718 errors:0 dropped:771 overruns:0 carrier:0
          collisions:0 txqueuelen:100
```

Client's ifconfig

```
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.0.10.1  netmask 255.255.255.0  broadcast 10.0.10.255
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 7956  bytes 1329777 (1.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4793  bytes 580907 (580.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 121.213.123.144  netmask 255.255.255.0  broadcast 121.213.123.255
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 344261  bytes 21022402 (21.0 MB)
        RX errors 0  dropped 1757  overruns 0  frame 0
        TX packets 8835  bytes 737011 (737.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xc1100000-c111ffff

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.255.14  netmask 255.255.255.255  destination 192.168.255.13
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 870  bytes 73032 (73.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 880  bytes 73512 (73.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
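As an added example (not from the original post or the kylemanna/openvpn project), the following script sets up the split described in the goal with source-based policy routing instead of "redirect-gateway def1": only traffic from the br0 subnet is routed into tun0, the host keeps its eth0 default route, and reverse-path filtering on tun0 is relaxed to loose mode, since a host whose route to 8.8.8.8 is eth0 will, in strict mode, silently discard replies that arrive on tun0 after tcpdump has already captured them. Addresses and interface names are those from the post; routing table 100 and rule priority 1000 are assumptions; without APPLY=1 the commands are only printed for review.

```shell
#!/bin/sh
# Added example, not from the original post. Source-based policy routing on the
# OpenVPN client: only traffic from the br0 subnet goes through tun0, the host
# itself keeps its eth0 default route. Values are those from the post; routing
# table 100 and rule priority 1000 are assumptions. Without APPLY=1 the commands
# are only printed for review.
LAN_NET=${LAN_NET:-10.0.10.0/24}
TUN_DEV=${TUN_DEV:-tun0}
TUN_GW=${TUN_GW:-192.168.255.13}
TABLE=${TABLE:-100}

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Route only the LAN subnet into the tunnel, leaving the main table untouched.
policy_routes() {
    # Dedicated table whose sole default route points at the tunnel peer.
    run ip route replace default via "$TUN_GW" dev "$TUN_DEV" table "$TABLE"
    # Packets sourced from the LAN consult that table before the main one.
    run ip rule add from "$LAN_NET" lookup "$TABLE" priority 1000
    # NAT the LAN behind the tunnel address and forward only br0 <-> tun0,
    # narrower than the post's "-i br0 -j ACCEPT" rule, which forwards anywhere.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$TUN_DEV" -j MASQUERADE
    run iptables -A FORWARD -i br0 -o "$TUN_DEV" -j ACCEPT
    run iptables -A FORWARD -i "$TUN_DEV" -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Strict reverse-path filtering (rp_filter=1) drops a packet whose source would
# not be routed back out the interface it arrived on. A reply to
# "ping -I tun0 8.8.8.8" arrives on tun0 while the route to 8.8.8.8 is eth0, so
# it is dropped after tcpdump has already seen it. Loose mode (2) keeps the
# anti-spoofing check that the source is reachable through some interface.
# The effective value is max(all, interface), so only tun0 needs changing and
# eth0 stays strict.
rpf_mode() {
    run sysctl -w "net.ipv4.conf.$TUN_DEV.rp_filter=2"
    # Packets discarded by the filter are counted here; a rising counter while
    # the ping runs confirms the cause before anything is changed.
    run nstat -az IpExtIPReversePathFilter
}

main() {
    policy_routes
    rpf_mode
}
main
```

Run `APPLY=1 sh script.sh` as root on the OpenVPN client to apply the printed commands; the ip rule and table are not persisted across reboots.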