
I would like to redirect my TCP traffic to IRC through a VPN.

I mark the packets with iptables and create a new route for these packets:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter

iptables -t mangle -A OUTPUT ! -d 192.168.0.0/16 -p tcp --dport 6667 -j MARK --set-mark 0x42

ip route add default dev tun0 src 10.5.82.5 table VPN
ip rule add fwmark 0x42 table VPN

The VPN connection:

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:10.5.82.5  P-t-P:10.5.82.6  Masque:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2898 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          RX bytes:159644 (155.9 KiB)  TX bytes:257601 (251.5 KiB)

The packets are redirected to tun0 on the local machine (the iptables tagging and the ip rule are OK), but no packet arrives on the tun0 interface of the VPN.

Do you have any idea?

Thanks in advance.

Sanpi
  • I'm not too familiar with VPN tunnels, but I wonder if there is an error in your rule? Typically, my VPN tunnels have the same address as tunnel IP and peer IP. However, your tunnel has a separate peer IP. Is it not the case that that IP should be named in the default route? That is, shouldn't you do `ip route add default via 10.5.82.6 dev tun0 table VPN`? – Bittrance Dec 19 '11 at 21:12
  • I'm not familiar with routes. I also tried 10.5.82.6, 10.5.82.1 (the IP of the VPN) and default (`ip route add table VPN default dev tun0`) without success. – Sanpi Dec 19 '11 at 21:35
  • Note that depending on exact circumstances `ip route flush cache` may help if you try to fiddle with routes. – Bittrance Dec 19 '11 at 23:37

2 Answers

If your IRC traffic originates at the same host you created the rules at, you might be seeing the problem of the "wrong" source IP address on your outgoing packets - check whether the source address is 10.5.82.5 using `tcpdump -i tun0 -v -n`. If it is not, just append `src 10.5.82.5` to your `ip route add` command.

If the traffic originates elsewhere, consider a NAT rule: `iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE`

Also, your route should go via 10.5.82.6 (the remote gateway IP address), not your local interface. Although it should work in any case since it is a P-t-P interface, it does not feel right. When adding the route via script, you might simply omit the "via" parameter and just use dev tun0. This works with P-t-P interfaces since there is no ambiguity about which host to contact at the other side of the link.

the-wabbit
  • My new rule: `ip route add default dev tun0 src 10.5.82.5 table VPN` but the source address is always 192.168.0.0 – Sanpi Dec 19 '11 at 22:42
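As an added example built from the question and this answer (not a script posted by either of them), the whole setup as one script in the order the steps have to be applied, with a dry-run mode for review. It takes the answer's NAT rule one step further by applying it to the locally generated IRC connections too, because a TCP socket's source address is fixed at connect() time, before the fwmark re-route happens, which is consistent with the 192.168.x.x source reported in the comment above; the rt_tables number 100 is an assumption.

```shell
#!/bin/sh
# Added example (not the original poster's script): the setup the first
# answer describes, in order. Addresses, mark and table name come from the
# question; the table number 100 is an assumption.
set -eu

TUN_DEV=tun0; TUN_ADDR=10.5.82.5; TUN_PEER=10.5.82.6
LAN_NET=192.168.0.0/16; MARK=0x42; IRC_PORT=6667
TABLE_NAME=VPN; TABLE_ID=100

# With DRY_RUN=1 the commands are printed rather than executed, so the
# plan can be reviewed on a host where the VPN is not up.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "table VPN" is only accepted once the name is mapped to a number.
ensure_table() {
    grep -qs "[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables ||
        run sh -c "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
}

setup() {
    ensure_table
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$TUN_DEV.rp_filter=0"
    # 1. Mark locally generated IRC traffic that is not for the LAN.
    run iptables -t mangle -A OUTPUT ! -d "$LAN_NET" -p tcp \
        --dport "$IRC_PORT" -j MARK --set-mark "$MARK"
    # 2. Marked packets consult the VPN table; its only route is the tunnel.
    run ip rule add fwmark "$MARK" table "$TABLE_NAME"
    run ip route add default via "$TUN_PEER" dev "$TUN_DEV" \
        src "$TUN_ADDR" table "$TABLE_NAME"
    # 3. A TCP socket picks its source address when it connects, before the
    #    mark re-routes the packet, so "src" on the route comes too late for
    #    it; rewrite the source on the way out, as the answer's NAT rule does.
    run iptables -t nat -A POSTROUTING -o "$TUN_DEV" -j MASQUERADE
    run ip route flush cache
}

# Confirm the source address the IRC packets actually leave tun0 with.
verify() {
    run tcpdump -i "$TUN_DEV" -n -v "tcp port $IRC_PORT"
}
```

Run `DRY_RUN=1 sh script.sh` first to see the exact commands; `verify` should then show 10.5.82.5 as the source of the port 6667 packets.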

Use OpenVPN's redirect-gateway option to automatically redirect the default gateway to the VPN, without manually playing with route and iptables.

Stone