
I have a virbr0 interface, created by libvirt with

inet 10.1.2.1  netmask 255.255.255.0  broadcast 10.1.2.255

There's an active IPSec tunnel with

leftsubnet=10.1.2.0/24
rightsubnet=192.168.160.0/20

The VMs are able to reach 192.168.160.0/20 but now I would like the VMs to have all their traffic redirected to 192.168.168.254 instead of using the default gateway of the machine.

I thought I could use something like this:

iptables -t nat -A PREROUTING -i virbr0 -d 0.0.0.0/0 -j DNAT --to-destination 192.168.168.254

but that does not work. Am I missing something or am I using the wrong approach?

Thanks!

Jochen

1 Answer


I am assuming here that your VMs have IPs inside the 10.1.2.0/24 subnet, otherwise it should be obvious why it doesn't work.

Let's assume your VM wants to open a connection to the website example.org. With your above statement, you redirect this connection attempt to the router inside the 192.168.160.0/20 subnet, which obviously has no idea about the website example.org.

First, you would need routing for this, not DNAT (to preserve the IP which must be reached!). Second, you obviously misunderstood how IPsec tunnels work: only the agreed subnets are allowed through the IPsec tunnel. Which means: the VM trying to open website example.org opens a connection to its resolved IP, let's say this would be IP 1.2.3.4. The connection comes from the left side, so this IP must be inside one of the right subnets. Since it is not, it cannot go through the IPsec tunnel.

If you want to route all traffic through a tunnel, you need a different kind of VPN for this!

Martin
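The reasoning in the answer (a policy-based IPsec tunnel only carries flows that match the negotiated leftsubnet/rightsubnet selectors, so a VM's connection to an outside address such as 1.2.3.4 never enters it, and DNAT cannot help because it overwrites the destination that must be reached) can be checked with a small script. This is an added example, not code from the question, the answer, or any IPsec implementation; the subnets are the ones from the question, the flows are constructed sample inputs, and the labels `tunnel`, `no-selector` and `not-vm` are names chosen here for illustration.

```shell
#!/bin/sh
# Added example: classify VM flows against the IPsec traffic selectors from
# the question. POSIX sh, no external tools; only pure arithmetic on IPv4.

# Traffic selectors as configured in the question (leftsubnet -> rightsubnet).
LEFTSUBNET=10.1.2.0/24
RIGHTSUBNET=192.168.160.0/20

# ip4_to_int DOTTED-QUAD -> 32-bit integer on stdout.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR -> exit status 0 if IP lies inside CIDR, 1 otherwise.
in_subnet() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# tunnel_path SRC DST -> one of:
#   tunnel       flow matches left->right selectors, IPsec carries it
#   no-selector  VM source, but DST is outside rightsubnet: the SA does not
#                cover it, so the packet takes the host's normal route
#   not-vm       source is not in leftsubnet at all
tunnel_path() {
    if ! in_subnet "$1" "$LEFTSUBNET"; then
        echo not-vm
    elif in_subnet "$2" "$RIGHTSUBNET"; then
        echo tunnel
    else
        echo no-selector
    fi
}

# dnat_then_classify SRC DST -> what the question's DNAT rule produces:
# the destination is rewritten to 192.168.168.254 before routing, so the
# rewritten flow matches the selector, but the original DST is gone and
# the router on the far side has no way to reach it.
dnat_then_classify() {
    rewritten=192.168.168.254
    echo "$(tunnel_path "$1" "$rewritten") original-dst-lost:$2"
}

# Constructed sample flows: "SRC DST" pairs.
for flow in "10.1.2.10 192.168.168.254" \
            "10.1.2.10 1.2.3.4" \
            "10.0.0.5 192.168.168.254"; do
    set -- $flow
    printf '%-12s -> %-16s routing: %-12s dnat: %s\n' \
        "$1" "$2" "$(tunnel_path "$1" "$2")" "$(dnat_then_classify "$1" "$2")"
done
```

The second sample flow is the one the answer describes: with plain routing the VM's packet to 1.2.3.4 keeps its real destination but matches no selector, and with the DNAT rule it matches the selector only because the real destination has been thrown away. Neither gets the VM to example.org, which is why the answer points to a VPN whose policy covers 0.0.0.0/0 instead.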