Debian – Route internet traffic from openvpn tun0 to eth0

Tags: debian, iptables, networking, openvpn, vpn

I can't figure it out.
How do I give chosen VPN users access to the internet through eth0? All server traffic goes through eth1.
The eth0 interface is only supposed to give VPN users internet access on chosen ports and nothing else.
The users connect through eth1 and get assigned an IP in tun0 with individual configs; this is one of the users' ccd files:

ifconfig-push 192.168.200.5 192.168.200.6
push "redirect-gateway def1"

The user config:

client
dev tun
proto udp
remote 192.168.0.55 1194
resolv-retry infinite
persist-key
persist-tun
# one directive per line: the extraction had run these together
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

Server config:

local 192.168.0.55
port 1194
proto udp
dev tun
# one directive per line: the extraction had run these together
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
tls-auth ta.key 0
comp-lzo
max-clients 10
persist-key
persist-tun

My current IP table rules:

#Flush all
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#Allow all
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#Allow loopback
iptables -A INPUT -i lo -j ACCEPT

#Block all incoming on eth0 and allow established connections
# (the ACCEPT for established traffic must come before the DROP,
#  otherwise the DROP matches first and replies never get in)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -j DROP

Forwarding turned on:

sysctl net.ipv4.ip_forward=1

After hours on google (https://community.openvpn.net/openvpn/wiki/BridgingAndRouting) I thought this was the correct way but it doesn't work:

# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o eth0 \
      -s 192.168.200.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
     -j ACCEPT

# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o eth0 \
      -s 192.168.200.0/24 -j MASQUERADE

Help is appreciated 🙂

Network map http://s27.postimg.org/7do7o8ob7/network_map.gif

Best Answer

You also need to set up a policy routing table that tells Linux to use the default gateway behind eth0 for VPN users.

So, you would create a new routing table for packets where the source IP address is in 192.168.200.0/24, and make the default gateway for that routing table the default gateway behind eth0.
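The following script is an added example, not part of the question or the answer above. It puts the answer's policy-routing advice together with the asker's requirement that eth0 only carries VPN traffic on chosen ports: a second routing table (id 100, an arbitrary choice) whose default route points at the gateway behind eth0, an `ip rule` that sends packets sourced from 192.168.200.0/24 to that table, and a FORWARD chain that admits only the listed destination ports from tun0 to eth0. The gateway address 203.0.113.1 and the port list 80/443 are assumed placeholders, since the page never names them. `DRY_RUN=1` (the default) prints the commands instead of running them so the plan can be reviewed first; `DRY_RUN=0` applies it as root.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code).
# Assumed values, not taken from the page:
#   ETH0_GW           upstream gateway reachable on eth0 (203.0.113.1 is a constructed TEST-NET address)
#   ALLOWED_TCP_PORTS the "chosen ports" VPN users may reach over eth0
#   TABLE_ID          routing table number; any unused id works
VPN_NET="192.168.200.0/24"
VPN_IF="tun0"
WAN_IF="eth0"
ETH0_GW="${ETH0_GW:-203.0.113.1}"
TABLE_ID="${TABLE_ID:-100}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443}"

# DRY_RUN=1 echoes each command; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Policy routing: packets whose *source* is the VPN subnet consult table
# $TABLE_ID, whose default route goes out eth0. Everything else (the server's
# own traffic, LAN traffic on eth1) keeps using the main table.
setup_policy_routing() {
    run ip route flush table "$TABLE_ID"
    # keep VPN-to-VPN traffic on the tunnel instead of sending it to the gateway
    run ip route add "$VPN_NET" dev "$VPN_IF" table "$TABLE_ID"
    # any LAN behind eth1 that VPN users must still reach needs its own route here
    run ip route add default via "$ETH0_GW" dev "$WAN_IF" table "$TABLE_ID"
    # priority below 32766 so this rule is consulted before the main table
    run ip rule add from "$VPN_NET" lookup "$TABLE_ID" priority 1000
    run ip route flush cache
}

# FORWARD chain for tun0 -> eth0: replies first, then only the chosen TCP
# ports for new connections, then reject the rest. The asker's policy is
# FORWARD ACCEPT, so the explicit REJECT is what enforces "nothing else".
setup_forwarding() {
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    for port in $ALLOWED_TCP_PORTS; do
        run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -j REJECT
    # source NAT so the upstream only ever sees eth0's address
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$VPN_NET" -j MASQUERADE
}

setup_policy_routing
setup_forwarding
```

Because the `ip rule` matches on source address only, it also captures VPN traffic destined for the server's LAN on eth1; the table therefore needs a route for that LAN (or a higher-priority `ip rule ... to <lan> lookup main`) if VPN users are meant to reach it. If the clients' DNS resolvers sit beyond eth0, `udp --dport 53` has to be added to the allow list as well, since the script admits TCP only.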
