Connect to a VPN server through a Raspberry (connected VPN client)

Tags: Network, ssh, vpn, wifi

I'm trying to connect from my MacBook to the VPN server, which is accessible from the Raspberry as it's a connected VPN client.

MacBook (172.25.0.139) ---> Raspberry (172.25.0.14) ---> [INTERNET] ---> VPN Server (172.26.0.x)

Raspberry is already connected to that VPN server, so I can reach it and connect to it via ssh FROM the raspberry.

As I'm connected to the same LAN as the raspberry, I'd guessed that it should be as simple as adding a route on my Mac to tell my MacBook that it should reach the VPN Server through the raspberry.

✅ Raspberry connected to VPN server (172.26.0.99).

✅ Raspberry is able to connect to the VPN server via ssh using the VPN LAN address (172.26.0.99)

✅ MacBook (172.25.0.139) can connect to Raspberry (172.25.0.14).

❌ MacBook (172.25.0.139) CANNOT connect to VPN server (172.26.0.99) THROUGH Raspberry (172.25.0.14).

MacBook

I set the route using networksetup

networksetup -setadditionalroutes "Wi-Fi" 172.26.0.99 255.255.255.255 172.25.0.14

I think I did it properly as I can see the tcpdump:

tcpdump -n |grep 172.26.0.99
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:02:51.053672 IP 172.25.0.139.53549 > 172.26.0.99.22: Flags [S], seq 2856180432, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 718632786 ecr 0,sackOK,eol], length 0
11:02:52.058006 IP 172.25.0.139.53549 > 172.26.0.99.22: Flags [S], seq 2856180432, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 718633786 ecr 0,sackOK,eol], length 0
11:02:53.059068 IP 172.25.0.139.53549 > 172.26.0.99.22: Flags [S], seq 2856180432, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 718634786 ecr 0,sackOK,eol], length 0
^C63 packets captured
84 packets received by filter
0 packets dropped by kernel

Raspberry

 ✘ raspberrypi ✝ ~  netstat -nr -f inet
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.25.0.1      0.0.0.0         UG        0 0          0 eth0
169.254.1.0     169.254.1.13    255.255.255.0   UG        0 0          0 tun0
169.254.1.13    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.25.0.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
172.26.0.0      169.254.1.13    255.255.255.0   UG        0 0          0 tun0

 ✘ raspberrypi ✝ ~  ssh 172.26.0.99
Linux OpenVPN Host server 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
Last login: Tue Jul 16 11:50:01 2019 from 169.254.1.14
 user ✝ ~ ✅

Best Answer

As @andrew-morozko suggested, Raspberry does not redirect incoming packets to the vpn connection without configuration:

  sudo iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
  sudo iptables -I FORWARD 1 -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  sudo iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
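
An added example, not part of the original answer: a check to run on the Raspberry that reports which piece of the eth0-to-tun0 gateway setup is missing, and flags a LAN-to-VPN accept rule that is open to every host on the LAN. The function name audit_gateway and the sample rule listings are constructed. It assumes the FORWARD policy is DROP and also checks kernel IP forwarding, a prerequisite the answer does not mention.

```shell
#!/bin/sh
# Added example (not from the original answer). Interface names eth0/tun0
# follow the page; audit_gateway and the sample rule text are constructed.

# audit_gateway IP_FORWARD NAT_RULES FILTER_RULES
# Arguments: contents of /proc/sys/net/ipv4/ip_forward, output of
# `iptables -t nat -S`, output of `iptables -S`. Prints one finding per line.
audit_gateway() {
    # Kernel routing between interfaces must be on, or SYNs seen on eth0 stop here.
    [ "$1" = "1" ] || echo "ip_forward disabled"
    # Source NAT so the VPN side replies to the tunnel address.
    printf '%s\n' "$2" | grep -Eq -e '^-A POSTROUTING .*-o tun0 .*-j MASQUERADE' \
        || echo "no MASQUERADE on tun0"
    # LAN -> VPN direction.
    lan2vpn=$(printf '%s\n' "$3" \
        | grep -E -e '^-A FORWARD .*-i eth0 .*-o tun0 .*-j ACCEPT' || true)
    [ -n "$lan2vpn" ] || echo "no FORWARD accept eth0->tun0"
    # VPN -> LAN direction, replies to tracked connections only.
    printf '%s\n' "$3" | grep -E -e '^-A FORWARD .*-i tun0 .*-o eth0 .*-j ACCEPT' \
        | grep -q -e 'RELATED,ESTABLISHED' \
        || echo "no stateful FORWARD accept tun0->eth0"
    # Scope: without -s/-d every LAN host can reach the whole VPN via this box.
    if [ -n "$lan2vpn" ] && printf '%s\n' "$lan2vpn" | grep -Evq -e ' -[sd] '; then
        echo "eth0->tun0 accept not restricted by source or destination"
    fi
    return 0
}

# Constructed sample: listings as they look after the answer's three commands.
NAT_AFTER='-P POSTROUTING ACCEPT
-A POSTROUTING -o tun0 -j MASQUERADE'
FILTER_AFTER='-P FORWARD DROP
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT'
# Constructed sample: LAN -> VPN rule narrowed to the two hosts named on the page.
FILTER_SCOPED='-P FORWARD DROP
-A FORWARD -s 172.25.0.139/32 -d 172.26.0.99/32 -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

echo "unconfigured box:"; audit_gateway 0 "" ""
echo "answer's rules:";   audit_gateway 1 "$NAT_AFTER" "$FILTER_AFTER"
echo "scoped rule:";      audit_gateway 1 "$NAT_AFTER" "$FILTER_SCOPED"
```

On the live Raspberry the three arguments would be "$(cat /proc/sys/net/ipv4/ip_forward)", "$(sudo iptables -t nat -S)" and "$(sudo iptables -S)".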