
I'm looking for a way to route all wlan0 traffic (tcp and udp) over tun0 (openvpn).

However, all other traffic originating from the device itself should not be routed through tun0.

I'm guessing this could be realized using iptables or route, but none of my options seem to work.

# route add -net 0.0.0.0 gw 172.27.0.1 dev wlan0
SIOCADDRT: No such process

Info: This is because the VPN server is not redundant, and wlan users are not really important. However, all services running on the device are fairly important, and having a VPN virtual machine with no SLA on it is just a bad idea. I'm trying to minimize the odds of something going wrong, so setting the VPN server as default gateway is not really an option. I also want all wlan0 users to use the VPN server's IP address as their external IP.

Edit with the script provided:

root@ft-genesi-xxx ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.27.0.17     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.13.37.0      0.0.0.0         255.255.255.0   U     0      0        0 wlan0
172.27.0.0      172.27.0.17     255.255.192.0   UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
root@ft-genesi-xxx ~ # ./test.sh 
RTNETLINK answers: No such process
root@ft-genesi-xxx ~ # cat test.sh 
#!/bin/sh
IP=/sbin/ip
# replace with the range of your wlan network, or use fwmark instead
${IP} rule add from 10.13.37.0/24 table from-wlan
${IP} route add default dev tun0 via 127.72.0.1 table from-wlan
${IP} route add 10.13.37.0/24 dev wlan0 table from-wlan
Tuinslak

3 Answers


I believe this should get you going:

/usr/sbin/ip route add default via 172.27.0.17 dev tun0 table 200
/usr/sbin/ip rule add from 10.13.37.0/24 table 200
/usr/sbin/ip route flush cache

This is exactly what I did within my setup here. The only difference is I wanted to route a single host (/32) instead of a whole network (/24).

Laurence
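An added example, not code from the question or any of the answers: a POSIX shell script that emits the policy-routing commands from the answer above and refuses a next-hop that is not directly reachable on tun0, which is the condition the kernel reports as "No such process" (the 127.72.0.1 in the question's script). Interface names, addresses and table 200 are taken from the question and the answer; ip2int, same_subnet and pbr_commands are hypothetical helper names.

```shell
#!/bin/sh
# Added example: send wlan0 client traffic over tun0 with a separate routing
# table, keeping the device's own traffic on the main table. Numeric table 200
# needs no /etc/iproute2/rt_tables entry.

ip2int() {
    # Dotted quad -> 32-bit integer (octets without leading zeros assumed).
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

same_subnet() {
    # same_subnet ADDR PREFIX/LEN -> exit 0 if ADDR lies inside PREFIX/LEN.
    sn_addr=$(ip2int "$1")
    sn_net=$(ip2int "${2%/*}")
    sn_len=${2#*/}
    sn_mask=$(( (0xFFFFFFFF << (32 - sn_len)) & 0xFFFFFFFF ))
    [ $(( sn_addr & sn_mask )) -eq $(( sn_net & sn_mask )) ]
}

pbr_commands() {
    # pbr_commands LAN_CIDR LAN_IF TUN_IF TUN_CONNECTED_PREFIX GATEWAY [TABLE]
    # TUN_CONNECTED_PREFIX is a prefix directly attached to TUN_IF (for the
    # question's route -n output that is the 172.27.0.17/32 peer route); the
    # kernel only accepts a "via" next-hop reachable through such a route.
    if ! same_subnet "$5" "$4"; then
        echo "refusing: next-hop $5 is not on $4 (connected via $3)" >&2
        return 1
    fi
    cat <<EOF
ip route add $1 dev $2 table ${6:-200}
ip route add default via $5 dev $3 table ${6:-200}
ip rule add from $1 lookup ${6:-200}
ip route flush cache
EOF
}

# Values from the question: wlan clients on 10.13.37.0/24, tun0 peer
# 172.27.0.17. Pipe the output into `sh` as root to apply it.
pbr_commands 10.13.37.0/24 wlan0 tun0 172.27.0.17/32 172.27.0.17 200
```

The LAN route inside table 200 keeps wlan0-to-wlan0 traffic off the tunnel; the VPN server still needs its own return route for 10.13.37.0/24, as the third answer points out.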

Define in /etc/iproute2/rt_tables

 # I use 200, use a free number:
 200 from-wlan

and then run:

#!/bin/sh
IP=/sbin/ip
# replace with the range of your wlan network, or use fwmark instead
${IP} rule add from 192.168.0.0/24 table from-wlan
${IP} route add default dev tun0 via x.y.z.z table from-wlan
${IP} route add 192.168.0.0/24 dev wlan0 table from-wlan

This will send all traffic from 192.168.0.0/24 to tun0, except traffic to 192.168.0.0/24. Add "via x.y.z.z" if you want to specify a next-hop.

  • Via doesn't work (see first post); and not adding that doesn't seem to route my traffic through tun0. – Tuinslak Feb 21 '12 at 23:46
  • Actually running the script kills all networking on wlan0 (not getting any dhcp anymore, unable to ping the router, etc) – Tuinslak Feb 22 '12 at 00:02

I think this is not doable without either having a TAP interface for the VPN or making ft-genesi-xxx act as a gateway for the WLAN.

If you can use a TAP interface:

##on ft-genesi-xxx:
echo 1 > /proc/sys/net/ipv4/conf/wlan0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
iptables -t nat -A PREROUTING -i wlan0 -p tcp -j DNAT --to-destination 172.27.0.1
iptables -t nat -A PREROUTING -i wlan0 -p udp -j DNAT --to-destination 172.27.0.1

##on the vpn-server 172.27.0.1 machine:
#replace tapX with the interface the openvpn server uses
/usr/sbin/ip route add 10.13.37.0/24 dev tapX 

If you want to use a gateway, then you need to use bridging like this [1] and use the iptables rules above so you don't have to set a default route for the whole system.

[1] http://tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO-3.html

Badmaster
  • More than one machine will be connected through the VPN and route its traffic through the VPN server. So I don't think a tap interface is an option. – Tuinslak Mar 20 '12 at 12:04
  • As for the gateway, could you tell me which two interfaces that have to be bridged? – Tuinslak Mar 20 '12 at 12:04