Route Internet from eth0 to OpenVPN to eth1 – How to Configure

linuxnetworkingopenvpnrouting

I need to route all traffic coming and going from/to eth0 through openVPN before I send/receive it to/from eth1, this is a virtual machine Debian, you can call it a virtual router.

The idea is to put a dhcp on eth1, clients will connect to eth1.
I want all clients to automatically be connected to the VPN.

Currently, I can route eth0 to eth1 with a DHCP in between, so clients will get their IP address and are able to browse, but as soon as I turn on openVPN, the clients can't access internet anymore.

To illustrate what I want, this might help:
Drawing

How to achieve this?

Best Answer

I presume you are NATting your system via iptables, with something like:

   iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
   iptables --append FORWARD --in-interface eth1 -j ACCEPT

This is nearly right, all you have to do is to change the first one to:

   iptables --table nat --append POSTROUTING --out-interface tun3 -j MASQUERADE

and now all of your traffic will go through the OpenVPN.

Related Solutions

Linux – Tunnel specific traffic through OpenVPN

There is a problem with your curl-test, which I know how to solve, and a problem with your scheme at large, to which I can suggest a solution.

curl cannot possibly work this way: after starting the VPN, there is no gateway defined on that interface (eth0): the eth0 NIC has an IP address, and can reach your LAN, but there is no gateway from which the internet, and icanhazip.com in particular, can be reached. For curl to work this way, you will have to instruct your kernel that the specific route to 216.69.252.101 (icanhazip.com) is through the eth0 interface:

   ip ro add 216.69.252.101 via your_home_routers_IP_address

Now the curl call will work as you wish.

If you want to communicate both through the VPN and outside it on a stable, complete basis, the correct way to proceed is to install a second routing table by means of policy based routing. You can find a good and concise introduction to the topic by David Schwartz on a sister-site, here. The reason why you need this contraption is that you are envisioning a system with two distinct gateways, which are not allowed unless of course there are two distinct routing tables.

Now, in order to accomplish your goal, i.e., to route packets along different routes according to user identity, you will have to set appropriate rules that select the relevant routing table. So let us suppose you now have two tables, called vpn and novpn. You will have first to use the mangle table of iptables to mark the packets according to user identity, and then supply rules for policy based routing according to the the presence (or absence) of the said mark.

It could work like this:

  iptables -t mangle -I OUTPUT -m owner --uid-owner some-user -j MARK --set-mark 100
  ip rule add fwmark 100 table vpn

for a user destined to use vpn, and

  iptables -t mangle -I OUTPUT -m owner --uid-owner some-other-user -j MARK --set-mark 300
  ip rule add fwmark 300 table novpn

for those you want to route outside the VPN. Also, it is always best to set a routing table for anything else, i.e., a default. Hope this helps.

Debian – Route internet traffic from openvpn tun0 to eth0

You also need to set up a policy routing table that tells Linux to use the default gateway behind eth0 for VPN users.

So, you would create a new routing table for packets where source IP address is in 192.168.200.0/24, and make the default gateway for that routing table the default gateway behind eth0.

Best Answer

Related Solutions

Linux – Tunnel specific traffic through OpenVPN

Debian – Route internet traffic from openvpn tun0 to eth0

Related Question