
I need to route traffic to some host on the Internet via a VPN server.

Configuration:

Computer: ubuntu-12.04

eth0 - x.x.x.x/24

tun0 - inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255

There is an OpenVPN server (Amazon):

ubuntu-12.04

eth0 - y.y.y.y/24

tun0 - inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255

There is a host on the Internet, IP: q.q.q.q

I want traffic to q.q.q.q to go through the OpenVPN server. For this I do:

iptables:

I mark packets in the mangle table:

sudo iptables -t mangle -A OUTPUT -d q.q.q.q -j MARK --set-mark 2

I send traffic to q.q.q.q through tun0:

sudo iptables -t nat -A POSTROUTING -d q.q.q.q -j SNAT --to-source 10.8.0.6

iproute2:

I create table "100" in /etc/iproute2/rt_tables:

sudo ip rule add fwmark 2 table 100
sudo ip route add default via 10.8.0.5 table 100

tcpdump on the 1st computer:

14:22:04.554399 IP 10.8.0.6 > q-q-q-q.clodo.ru: ICMP echo request, id 11717, seq 1, length 64

14:22:04.681918 IP q-q-q-q.clodo.ru > 10.8.0.6: ICMP echo reply, id 11717, seq 1, length 64

14:22:05.562577 IP 10.8.0.6 > q-q-q-q.clodo.ru: ICMP echo request, id 11717, seq 2, length 64

14:22:05.690240 IP q-q-q-q.clodo.ru > 10.8.0.6: ICMP echo reply, id 11717, seq 2, length 64

But there is no ping: 2 packets transmitted, 0 received, 100% packet loss.

mik-mak
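The client-side procedure in the question (mark in mangle OUTPUT, SNAT to the tunnel address, fwmark rule, dedicated routing table) as a complete, parameterised script. This is an added example and not code from the original post; the interface names, addresses, mark and table number are the question's values used as placeholders and can be overridden from the environment. It adds the one check a practitioner would want here: with strict reverse-path filtering (rp_filter=1, the Ubuntu default), a reply from q.q.q.q arriving on tun0 is looked up in the main table, found to belong on eth0, and dropped before it reaches the socket, so tcpdump still shows the reply while ping reports 100% loss. By default the script only prints the commands; set APPLY=1 to run them as root.

```shell
#!/bin/sh
# Added example (not from the original post): route selected traffic through an
# OpenVPN client tunnel with fwmark-based policy routing on Linux.
# Placeholder values (assumptions, override via environment):
TUN_IF=${TUN_IF:-tun0}
TUN_LOCAL=${TUN_LOCAL:-10.8.0.6}   # inet addr of tun0 on the client
TUN_PEER=${TUN_PEER:-10.8.0.5}     # P-t-P peer of tun0
TABLE=${TABLE:-100}                # entry in /etc/iproute2/rt_tables
MARK=${MARK:-2}
APPLY=${APPLY:-0}                  # 0 = print commands, 1 = execute (needs root)

# Print the command, or execute it when APPLY=1.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Steer one iptables selector through the tunnel.
# $1 is a match expression such as "-d q.q.q.q" or "-p tcp --dport 22"
# (intentionally unquoted below so it expands into separate arguments).
vpn_route_selector() {
    sel=$1
    # Mark locally generated packets; the kernel re-runs the routing decision
    # after mangle OUTPUT, so the fwmark rule below takes effect.
    run iptables -t mangle -A OUTPUT $sel -j MARK --set-mark "$MARK"
    # Rewrite the source to the tunnel address, restricted to packets that
    # actually leave via tun0, so nothing on eth0 is ever rewritten.
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" $sel -j SNAT --to-source "$TUN_LOCAL"
}

# Policy-routing table plus the reverse-path caveat.
vpn_route_table() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$TUN_PEER" dev "$TUN_IF" table "$TABLE"
    # Replies for the marked flows come back on tun0, but the reverse-path check
    # on an incoming packet carries no mark and uses the main table, which says
    # eth0. Strict mode (1) drops them silently; loose mode (2) accepts any
    # source the host can reach on some interface, which is what we need here.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w "net.ipv4.conf.$TUN_IF.rp_filter=2"
}

# Example: route a single host and all outbound SSH through the tunnel.
vpn_route_table
vpn_route_selector "-d 192.0.2.10"          # constructed stand-in for q.q.q.q
vpn_route_selector "-p tcp --dport 22"
```

To confirm the reverse-path filter is what eats the replies, watch the counter while pinging: `nstat -az TcpExtIPReversePathFilter` (or `cat /proc/net/netstat` and look at the IPReversePathFilter column) increments once per dropped reply. The mark on the incoming reply is also why connection-tracking tricks such as CONNMARK/restore-mark do not help on their own; the rp_filter setting is the required part.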

1 Answer

You don't need to mark the packets. To do what you are planning, you need the following.

In the server config file add the following:

push "route q.q.q.q 255.255.255.255"

The above will push the route to the client side, so all the traffic sent from the client to that IP will be sent through the OpenVPN tunnel.

Also, on the server side you need to accept the incoming traffic from the client; you can accept all the traffic coming from the client subnet as follows:

iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT

You might also need this, not sure:

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

You need to NAT the incoming traffic from the client on the server side [do this on the server side]:

iptables -t nat -A POSTROUTING -d q.q.q.q -j SNAT --to-source PUBLIC_IP_OR_YOUR_VPN_SERVER

And you don't need iproute2 or the mangle table.

The order of the rules matters, so place them before a matching drop rule.

MohyedeenN
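The server side of the answer (route push, forwarding, NAT) as a complete script, with the forwarding scoped to the one destination the answer talks about. This is an added example, not the answer's own code; the subnet, interface names and destination are placeholders taken from the thread. Two points a practitioner would want beyond the answer: forwarded client traffic traverses FORWARD, not INPUT, so the INPUT rule is unnecessary for this purpose and net.ipv4.ip_forward must be on; and on an Amazon instance the public IP is not configured on eth0 (it is 1:1 NAT applied by Amazon), so SNAT --to-source PUBLIC_IP silently fails, whereas MASQUERADE uses whatever address eth0 actually carries. Set APPLY=1 to execute as root; otherwise the commands are printed.

```shell
#!/bin/sh
# Added example (not from the original answer): OpenVPN server-side route push,
# forwarding and NAT for one destination reachable only via the server.
# Placeholder values (assumptions, override via environment):
VPN_NET=${VPN_NET:-10.8.0.0/24}    # OpenVPN client subnet
TUN_IF=${TUN_IF:-tun0}
WAN_IF=${WAN_IF:-eth0}             # interface towards the Internet
APPLY=${APPLY:-0}                  # 0 = print commands, 1 = execute (needs root)

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The server.conf directive that makes every client route host $1 via the
# tunnel. The option text after push must itself be quoted.
push_route_line() {
    printf 'push "route %s 255.255.255.255"\n' "$1"
}

# Forwarding and NAT for client traffic to host $1 only: least privilege,
# the VPN subnet does not get the whole Internet forwarded through the server.
vpn_server_forward() {
    dst=$1
    run sysctl -w net.ipv4.ip_forward=1
    # Forwarded packets never hit INPUT; FORWARD is the chain that matters.
    # Insert at the top (-I) so a later catch-all DROP cannot shadow the rule.
    run iptables -I FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -d "$dst" -j ACCEPT
    # Return traffic for those flows only.
    run iptables -I FORWARD -i "$WAN_IF" -o "$TUN_IF" -d "$VPN_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Source-NAT behind the server's own eth0 address. MASQUERADE resolves the
    # address at runtime, which is what works on a cloud host whose public IP is
    # mapped by the provider rather than configured on the interface.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$VPN_NET" -d "$dst" -j MASQUERADE
}

# Example for a constructed stand-in for q.q.q.q.
TARGET=${TARGET:-192.0.2.10}
printf '# add to server.conf:\n'
push_route_line "$TARGET"
printf '# firewall / forwarding:\n'
vpn_server_forward "$TARGET"
```

On the client this replaces the fwmark setup for the by-destination case; the by-port case from the comments (only SSH or SMTP through the tunnel) still needs client-side marking, since a pushed route can only select on destination address.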
  • Thank you for the answer! But this is only one case; I need the general case: for example, I need to send only SSH traffic through the OpenVPN server, or SMTP traffic. So I need to mark the required traffic, but send other traffic via the default gateway. – mik-mak Dec 18 '13 at 09:18
  • Yes, in this case you need to mark packets on the client side :). – MohyedeenN Dec 18 '13 at 09:25
  • Yes, in this sample I do this, but for the destination case for a simple ping test. I did this for tcp:22 -> the effect is the same! – mik-mak Dec 18 '13 at 09:44
  • Maybe this problem shows up only on Linux systems (not on BSD systems)? Can somebody test this? – mik-mak Dec 24 '13 at 10:15