
I have the following setup:

++++++++++++++++++
+ OpenVPN server +........ . .  .   .   (cat pictures)  
++++++++++++++++++
  |
  |
__|__________________________________________Internet________________
  |                                           Local
  | DSL
  |
++++++++++++++++++             +++++++++++++++++++
+ router1        +  Ethernet   + router2         +
+ DHCP serving   +-------------+ DHCP serving    +
+ 192.168.1.1/24 +        eth0 + 10.0.0.1/24     +
++++++++++++++++++             + OpenVPN client  +
  .                            + hostapd/dnsmasq +
  .                            +++++++++++++++++++
  .                              . wlan0
  .                              .
  .  WLAN 1                      .  WLAN 2
  .                              .
 (wifi clients 1)                (wifi clients 2)

The intention of this is to have a separate WLAN 2 to which wifi clients can connect and get all their traffic to the internet routed through the OpenVPN connection of router2.

router2 runs a hostapd instance with a fairly minimal setup on interface wlan0. dnsmasq.conf is also pretty minimal with:

interface=wlan0
dhcp-range=10.0.0.1,10.0.0.254,12h
no-host

This runs fine. I can connect to the wifi and get assigned an IP address.

OpenVPN is set up and working as well. I'm connecting to a commercial VPN service, so server config is not under my control. OpenVPN is using tun0.

How can I route all requests to the internet from wifi clients 2 through the established OpenVPN connection on router2? I guess I have to set up the routing table now, but how?

route says:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.200.4.1      128.0.0.0       UG    0      0        0 tun0
default         router1         0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.0.0.0       U     0      0        0 wlan0
10.200.4.0      *               255.255.252.0   U     0      0        0 tun0
<vpn server ip> router1         255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.200.4.1      128.0.0.0       UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1002   0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
Secoe
  • If you want to change the title, go ahead! Couldn't think of anything better. – Secoe May 30 '13 at 23:20
  • Do you already have OpenVPN setup? What do you have for configs on your OpenVPN server and client? What does the route table currently look like on router 2? Iptables is a filter, it is used to stop traffic from flowing, I am not sure why you are asking about iptables. – Zoredache May 30 '13 at 23:52
  • You're probably right. I corrected it and added the route table. I think I had iptables in mind to stop any traffic from 'leaking'. – Secoe May 31 '13 at 00:03
  • Right now it sure looks like everything should already be going through the VPN, except for local network access. The `0.0.0.0/1`, and `128.0.0.0/1` routes should basically be catching everything, and those are related to the VPN interface. Are you sure this isn't already working? If you do a traceroute from the client to 8.8.8.8 or something doesn't it leave via the VPN? – Zoredache May 31 '13 at 00:10
  • traceroute 8.8.8.8 goes to 10.0.0.1 and goes to * forever. – Secoe May 31 '13 at 00:17

2 Answers


Has the OpenVPN server been set up to route the 10.0.0.1/24 network to router2? What happens if the OpenVPN server pings 10.0.0.1?

If you want hosts on the other side of the VPN to have the ability to make incoming connections then you will need to fix your VPN server.

If this is only outbound traffic, then you probably need to set up NAT, so that packets from the 10.0.0.0/24 network appear to come from the VPN interface.

A rule like `iptables -t nat -A POSTROUTING -o tun1 -j SNAT --to-source 10.200.4.1`

Zoredache
  • This did the trick: obviously I had to enable ipv4 forwarding together with `iptables -t nat -A POSTROUTING -o tun1 -j SNAT --to-source `. Thank you very much. This is by the way my use for a raspberry pi, now I only have to switch wifis for a VPN tunnel and can give out wifi keys to relative strangers knowing that it routes into another legislation. Great. – Secoe May 31 '13 at 02:22
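The forwarding-plus-NAT approach from this answer, written out as a complete script for router2. This is an added example, not code from the answer or from the question: it uses MASQUERADE instead of the answer's fixed SNAT address because a commercial VPN assigns the tunnel IP and may change it, and it closes the "leaking" concern raised in the comments by dropping any WLAN 2 traffic that cannot enter the tunnel, so a VPN outage does not fall back to the second default route via eth0. The interface names (wlan0, tun0) and the 10.0.0.0/24 network are taken from the question; everything else is an assumption. Without arguments the script only prints the commands; `--apply` runs them.

```shell
#!/bin/sh
# Added example: make router2 a NAT gateway from WLAN 2 into the OpenVPN tunnel.
# Assumptions: wlan0 is the hostapd interface, tun0 the OpenVPN interface,
# 10.0.0.0/24 the dnsmasq network (all from the question); MASQUERADE is
# used instead of a fixed --to-source because the tunnel IP is provider-assigned.
WLAN_IF="${WLAN_IF:-wlan0}"
VPN_IF="${VPN_IF:-tun0}"
WLAN_NET="${WLAN_NET:-10.0.0.0/24}"

# Emit one idempotent iptables line: check (-C) first, append (-A) only if absent,
# so running the script twice does not duplicate rules.
# Arguments: <table option, e.g. "-t nat" or ""> <chain and match/target spec>
rule() {
    printf 'iptables %s -C %s 2>/dev/null || iptables %s -A %s\n' "$1" "$2" "$1" "$2"
}

# Print the full command set (nothing is executed here).
# Arguments: <wlan_if> <vpn_if> <wlan_net>
vpn_gateway_rules() {
    wlan="$1"; vpn="$2"; net="$3"
    # Kernel must forward between interfaces at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Source NAT: WLAN 2 clients appear as the tunnel address towards the VPN.
    rule "-t nat" "POSTROUTING -s $net -o $vpn -j MASQUERADE"
    # Outbound: WLAN 2 -> tunnel only.
    rule "" "FORWARD -i $wlan -o $vpn -s $net -j ACCEPT"
    # Return traffic for connections the clients opened.
    rule "" "FORWARD -i $vpn -o $wlan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anything else from WLAN 2 (e.g. via eth0 while the tunnel is down) is dropped.
    rule "" "FORWARD -i $wlan -j DROP"
}

# Run the generated commands on this host (needs root).
apply_rules() {
    vpn_gateway_rules "$@" | sh -e
}

case "${1:-}" in
    --apply) apply_rules "$WLAN_IF" "$VPN_IF" "$WLAN_NET" ;;
    *)       vpn_gateway_rules "$WLAN_IF" "$VPN_IF" "$WLAN_NET" ;;
esac
```

`sysctl -w` does not survive a reboot; put `net.ipv4.ip_forward=1` in /etc/sysctl.conf as well. Because the last rule drops all other forwarded traffic from wlan0, WLAN 2 clients cannot reach the 192.168.1.0/24 LAN behind router1; add an explicit ACCEPT for that destination before the DROP if that is wanted.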

You define a separate routing table in /etc/iproute2/rt_tables, let's call it wlan2 (number doesn't matter).

# in this routing table: send everything over the VPN
ip route add table wlan2 $vpn_remote_ip dev tun0
# next line(s) for all LAN networks (which shall be reachable from WLAN 2)
ip route add table wlan2 192.168.1.0/24 via $router1_ip
ip route add table wlan2 $router1_router2_network dev eth0 src $router2_ip

ip route add table wlan2 default via $vpn_remote_ip

# use routing table wlan2 (instead of main) for every packet coming from the WLAN
ip rule add iif $wlan_if priority 100 table wlan2

And, of course, you must configure the OpenVPN server for routing to the WLAN network (if you don't do NAT in the local router).

Edit 1:

If all Internet traffic is supposed to go through the OpenVPN server then the configuration becomes very easy. As there already is a host route for the OpenVPN server you only have to change the default route from router1 to the OpenVPN server's tunnel IP.

Hauke Laging
  • Not sure an additional table really is needed here. You may be making this more complex than it needs to be. But the question isn't entirely clear to me yet, so I am not sure. – Zoredache May 31 '13 at 00:12
  • @Zoredache You would be right if **all** Internet traffic (e.g. locally generated packets) was supposed to go through the OpenVPN server. But if only the WLAN traffic shall be routed this way: I am curiously awaiting your simple alternative... – Hauke Laging May 31 '13 at 00:20
  • Ok. Let's clarify. No problem with sending all traffic through the VPN for the beginning. – Secoe May 31 '13 at 00:20
  • @SecOe See edit. – Hauke Laging May 31 '13 at 00:24
  • `route add default gw eth0`? Gives SIOCADDRT: Network is unreachable. – Secoe May 31 '13 at 00:41
  • @SecOe There are one or two errors. Is the official (Internet) IP? You need the private tunnel IP there. And the interface to use is `tun0`, not `eth0`. Of course, the OpenVPN server's IP is not reachable via eth0. – Hauke Laging May 31 '13 at 00:53
  • No luck yet. Something's missing. Gonna try it tomorrow again, thanks for your help. I'll accept your answer later if nothing else shows up. – Secoe May 31 '13 at 01:28
  • @SecOe If you want help you need to be a bit more precise than "No luck yet"... – Hauke Laging May 31 '13 at 11:43
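The policy-routing variant from this answer (a separate table selected by `ip rule` on the incoming interface, so only WLAN 2 traffic is forced into the tunnel while router2's own traffic keeps the main table), as an added example that is not the answer's or the question's code. It follows the question's actual topology, where router2's eth0 sits directly in 192.168.1.0/24, so the LAN is a connected route rather than a route via router1; the tunnel gateway 10.200.4.1 is taken from the question's route output; the table name `wlan2`, its number 100 and the rule priority 100 are assumptions. Routes use `ip route replace` and the rule is deleted before being re-added, so the script is safe to run repeatedly. Without arguments it prints the commands; `--apply` registers the table in rt_tables and runs them.

```shell
#!/bin/sh
# Added example: source-interface policy routing for WLAN 2 on router2.
# Assumptions: wlan0/tun0/eth0 and the networks below come from the question;
# table name/number and rule priority are chosen here and can be changed.
TABLE_NAME="${TABLE_NAME:-wlan2}"
TABLE_NUM="${TABLE_NUM:-100}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
WLAN_IF="${WLAN_IF:-wlan0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_GW="${VPN_GW:-10.200.4.1}"        # tunnel gateway from the question's route output
WLAN_NET="${WLAN_NET:-10.0.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Register "<number> <name>" in rt_tables exactly once.
# Returns 0 if present or added, 1 if the name is already bound to another number.
# Arguments: <rt_tables file> <number> <name>
ensure_rt_table() {
    f="$1"; num="$2"; name="$3"
    if grep -Eq "^[[:space:]]*$num[[:space:]]+$name([[:space:]]|\$)" "$f" 2>/dev/null; then
        return 0
    fi
    if grep -Eq "[[:space:]]$name([[:space:]]|\$)" "$f" 2>/dev/null; then
        echo "table name $name is already bound to a different number in $f" >&2
        return 1
    fi
    printf '%s\t%s\n' "$num" "$name" >> "$f"
}

# Print the routing commands for the WLAN 2 table (nothing is executed here).
# Arguments: <table> <wlan_if> <vpn_if> <vpn_gw> <wlan_net> <lan_net> <lan_if>
wlan2_routes() {
    tbl="$1"; wlan="$2"; vpn="$3"; vgw="$4"; wnet="$5"; lnet="$6"; lif="$7"
    # Connected networks must exist in the table too, since it replaces main for these packets.
    echo "ip route replace table $tbl $wnet dev $wlan"
    echo "ip route replace table $tbl $lnet dev $lif"
    echo "ip route replace table $tbl $vgw dev $vpn"
    # Everything else from WLAN 2 goes into the tunnel.
    echo "ip route replace table $tbl default via $vgw dev $vpn"
    # Select the table for packets arriving on the WLAN interface (re-add safe).
    echo "ip rule del iif $wlan priority 100 lookup $tbl 2>/dev/null || true"
    echo "ip rule add iif $wlan priority 100 lookup $tbl"
}

case "${1:-}" in
    --apply)
        ensure_rt_table "$RT_TABLES" "$TABLE_NUM" "$TABLE_NAME" || exit 1
        wlan2_routes "$TABLE_NAME" "$WLAN_IF" "$VPN_IF" "$VPN_GW" "$WLAN_NET" "$LAN_NET" "$LAN_IF" | sh -e ;;
    *)
        wlan2_routes "$TABLE_NAME" "$WLAN_IF" "$VPN_IF" "$VPN_GW" "$WLAN_NET" "$LAN_NET" "$LAN_IF" ;;
esac
```

Policy routing only chooses the path; forwarding still has to be enabled and, because the commercial VPN server will not route 10.0.0.0/24 back to router2, the WLAN 2 source addresses still need NAT on tun0 as in the accepted answer. If the tunnel goes down, the `default via 10.200.4.1 dev tun0` route disappears with the interface and lookups in table `wlan2` fail, so WLAN 2 traffic is not silently sent out via eth0.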