How to forward traffic to VPN device

Question

I have set-up OpenWRT in a virtual machine which acts as a router. It has two network interfaces:

br-lan: connected to vm internal network
eth1: connected to internet through host via NAT

I have also set-up a DamnSmallLinux (DSL) VM which has one network interface:

eth0: connected to vm internal network

This set-up means DSL connects to the internet through OpenWRT.

Now, OpenWRT creates a tun device connected to a VPN:

/*tun device on OpenWRT*/
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.130.3.45  P-t-P:10.128.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:494 errors:0 dropped:0 overruns:0 frame:0
          TX packets:494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:41496 (40.5 KiB)  TX bytes:41496 (40.5 KiB)

I can test if I am connected to the VPN by pinging the vpn gateway10.128.0.1:

/*Ping VPN on OpenWRT*/
PING 10.128.0.1 (10.128.0.1): 56 data bytes
64 bytes from 10.128.0.1: seq=0 ttl=64 time=12.364 ms
64 bytes from 10.128.0.1: seq=1 ttl=64 time=13.326 ms

By default, DSL cannot ping 10.128.0.1.

If I add the following rule to OpenWRT's firewall, then DSL can ping 10.128.0.1

/*Zone rule for VPN, enables DSL to ping 10.128.0.1*/
config zone                                     
        option input 'ACCEPT'                   
        option forward 'REJECT'                 
        option output 'ACCEPT'                  
        option name 'vpn'                       
        option masq '1'                         
        option network 'VPN'

I now want to route all traffic from DSL through the VPN but I don't know what to do. I have tried adding the following route to the /etc/config/network file on OpenWRT:

/*Directs all traffic to tun0 but VPN does not reply.*/
config route                                   
        option interface 'VPN'                 
        option target '0.0.0.0'                
        option netmask '0.0.0.0'               
        option gateway '10.128.0.1'

When I do a tcpdump of tun0 after adding this route, it does appear indeed that all the traffic is being directed to the VPN, the problem is that I don't get any replies from it.

Does anybody have any idea of how to properly forward all the traffic to the VPN?

Edit

OpenWRT ifconfig:

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 08:00:27:0E:CF:19  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd93:d43b:534d::1/60 Scope:Global
          inet6 addr: fe80::a00:27ff:fe0e:cf19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:10392 (10.1 KiB)  TX bytes:15306 (14.9 KiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:0E:CF:19  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:140 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14368 (14.0 KiB)  TX bytes:15632 (15.2 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:78:6B:EE  
          inet addr:10.0.3.15  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe78:6bee/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:246 errors:0 dropped:0 overruns:0 frame:0
          TX packets:275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:33158 (32.3 KiB)  TX bytes:32283 (31.5 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:65 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5164 (5.0 KiB)  TX bytes:5164 (5.0 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.130.3.45  P-t-P:10.128.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:4788 (4.6 KiB)  TX bytes:4788 (4.6 KiB)

Olivier Dulac · Answer 1 · 2013-12-16T16:47:49.730

The OpenWRT has all the interfaces it needs (and thus the route) to be able to ping the remote gw (10.128.0.1). And it seeme the VPN replies back. good.

Now, on the DSL, you need to add a route : 10.128.0.X/24 (or 10.X/8 ? depends what you have setup on the remote... adjust as needed), with gateway 10.130.3.45 (ie, the OpenWRT, which is the "gateway" you need to go through to reach the 10.128.x network). A lan can only acces another LAN by going through a gateway, using that gateway's LAN ip, as it's the only thing a local machine can access: any ips on its (one or many) LANs. It seems you directly put the remote IP on the DSL, but the DSL doesn't know how to reach it. It probably by default send it to its "default gateway", which could be a internet router or anything, but apparently not the OpenWRT (or at least not the OpenWRT 10.130.3.45 interface, the one which gateways to the 10.X net)

I may have read diagonally.

But in a nutshell:

place yourself in the packet, and act as if you want to reach the destination, hop by hop:
you need to find the "closest" route (or, if none, take the default route) to go to the next hop.
Proceed like this hop by hop (forward, and also backwards), and you'll soon find which of the hop doesn't have the necessary step to reach the next hop (or maybe goes to a wrong hop)

ie:

I'm a ping packet sent from DSL. my source is DSL-ip. My destination is a.b.c.d (10.128.0.1, I guess).
I look at the ROUTE table, and choose the destination that most precisely fit a.b.c.d (ie, between 0.0.0.0/0 (defautl gw) , 10.0.0.0/8 (with gw 10.130.3.45) and a special 10.128.0.x (with gw 10.120.3.45), I chose the latest as it's a more precise fit, ie more "bits" match my destination).
So I take that route, and go to 10.130.3.45. (if my local firewall allows it)
Now I'm a ping packet with source "...." (could change because of SNAT), and destination "....." (could change with DNAT). And I look at the routing table...

You'll of course also need forward iptables to allow you to proceed to the next hop (and with rules that establish connections, allowing thus the reply packets to come back too.

Don't allow both directions, it would open your LAN to anything incoming from the VPN instead of just the established connections!) – Olivier Dulac just now edit

Thanks for the informative reply. From what your telling me, the route I have added, "`/*Directs all traffic to tun0 but VPN does not reply.*/`", matches all requests sent from DSL and passes them to the VPN device, the problem is now that the VPN doesn't reply to these requests. I am guessing this is because the VPN knows that they did not originate from the host of the VPN (OpenWRT). Do you think this is the case? — TomSelleck, Dec 16 '13 at 17:41
@Tomcelic: continuing the same way, on the destination host: does that host knows that DSL-ip is reachable through the destination-side vpn gateway? if not, add a route. Or (and it's probably better if you only vpn from DSL-side to the other side) : just add SNAT-ing on the OpenWRT VPN ip, so that packets going through it take that VPN's ip too, and therefore other side can reply to them — Olivier Dulac, Dec 17 '13 at 09:22

How to forward traffic to VPN device

1 Answers1