
I am trying to set up my RP3 in such a way that WiFi connections are routed over an L2TP VPN. I've got the VPN working and with the following settings all traffic is routed over the VPN connection (ppp0 is the VPN tunnel device):

route add VPN_PUBLIC_IP gw 192.168.1.1
route add default dev ppp0

However, as my title suggests, I want ONLY the WLAN traffic to be routed over the VPN connection. How do I achieve this? Below you will find some other settings that might help.

ifconfig:

root@raspberrypi:/home/pi# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.110  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::966b:f8b2:31f3:89c9  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:f0:e4:76  txqueuelen 1000  (Ethernet)
        RX packets 151  bytes 13560 (13.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 132  bytes 20723 (20.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1280
        inet 192.168.42.10  netmask 255.255.255.255  destination 192.168.42.1
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 4  bytes 70 (70.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 64 (64.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.220.1  netmask 255.255.255.0  broadcast 192.168.220.255
        inet6 fe80::36c5:7f74:7936:c953  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:a5:b1:23  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44  bytes 7290 (7.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

route:

root@raspberrypi:/home/pi# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
link-local      0.0.0.0         255.255.0.0     U     303    0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.42.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.220.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan0

ip route:

default via 192.168.1.1 dev eth0 src 192.168.1.110 metric 202 
169.254.0.0/16 dev wlan0 proto kernel scope link src 169.254.51.90 metric 303 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.110 metric 202 
192.168.42.1 dev ppp0 proto kernel scope link src 192.168.42.10 
192.168.220.0/24 dev wlan0 proto kernel scope link src 192.168.220.1 

Any suggestions would be much appreciated!

Diederik

1 Answer

You could set up a separate routing table and pick it with a "rule":

Different set of routes

One-time setup: pick a name for the routing table and assign it a unique number

echo "1 wlanvpn" > /etc/iproute2/rt_tables.d/wlanvpn.conf

(If there is no /etc/iproute2/rt_tables.d/ directory you need to append to /etc/iproute2/rt_tables)

On every boot (e.g. as pre-up for the wlan0 interface)

ip rule add iif wlan0 table wlanvpn
# in case the vpn is not up the route might not exist,
# blackhole by default with high metric
ip route replace to blackhole default table wlanvpn metric 4095
ip route replace default dev ppp0 table wlanvpn

If you want to reach other networks from wlan0 you have to clone the routes to this table (e.g. for eth0: ip route add 192.168.1.0/24 dev eth0 table wlanvpn).

The output of ip rule show should now read:

0:      from all lookup local
32765:  from all iif wlan0 lookup wlanvpn
32766:  from all lookup main
32767:  from all lookup default

For IPv6 all ip rule and ip route commands need to be duplicated with ip -6 ... (32767: from all lookup default is not present by default in ip -6 rule).

Different default routes

As an alternative you could specify only different default routes (so the manually routed "internal" networks are still reachable from the VPN) without having to clone the routes:

One-time setup: pick a name for each routing table and assign it a unique number

echo "10 default-vpn" > /etc/iproute2/rt_tables.d/default-routes.conf
echo "11 default-normal" >> /etc/iproute2/rt_tables.d/default-routes.conf

On every boot (e.g. as pre-up for the wlan0 interface)

ip rule add pref 32768 iif wlan0 lookup default-vpn
ip rule add pref 32769 lookup default-normal
ip route replace to blackhole default table default-vpn metric 4095
ip route replace default dev ppp0 table default-vpn
# move your normal default route (from table main) to table default-normal,
# e.g. for the eth0 gateway 192.168.1.1 shown in the question:
ip route replace default via 192.168.1.1 table default-normal
ip route delete default table main

The output of ip rule show should now read:

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
32768:  from all iif wlan0 lookup default-vpn
32769:  from all lookup default-normal
Stefan
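As an added example (not part of the question or of Stefan's answer above), here is the first variant, the separate routing table, written as one idempotent script together with the pieces the answer leaves implicit: IP forwarding, NAT of client traffic onto the tunnel, a forward-chain policy that only allows wlan0 to ppp0, and a pppd ip-up hook that installs the ppp0 default route each time the tunnel comes up, so that with the tunnel down the clients hit the blackhole instead of eth0. The interface names wlan0 and ppp0, the table name wlanvpn (assumed already registered in rt_tables as described above), the use of nftables and the DRY_RUN switch are all assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed policy routing for the "separate routing table"
# variant above. Assumed names (not from the original post): wlan0 = client
# side, ppp0 = L2TP tunnel, table "wlanvpn" already registered in rt_tables,
# nftables for NAT/filtering. DRY_RUN=1 prints privileged commands instead of
# executing them, so the script can be reviewed on a box without the tunnel.
set -u

LAN_IF="${LAN_IF:-wlan0}"
VPN_IF="${VPN_IF:-ppp0}"
TABLE="${TABLE:-wlanvpn}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nftables ruleset: NAT client traffic onto the tunnel address and refuse to
# forward anything that is not wlan0 -> ppp0 or its return traffic, so a
# routing mistake cannot leak client packets out of eth0.
nft_ruleset() {
    cat <<EOF
table inet wlanvpn
delete table inet wlanvpn
table inet wlanvpn {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "$LAN_IF" oifname "$VPN_IF" accept
        iifname "$VPN_IF" oifname "$LAN_IF" ct state established,related accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$VPN_IF" masquerade
    }
}
EOF
}

# Boot time (wlan0 pre-up). "ip rule add" is not idempotent, so delete first.
# The blackhole is what clients hit whenever ppp0 (and its route) is gone;
# IPv6 gets the same rule and blackhole so nothing slips out unencrypted.
wlanvpn_up() {
    for v in -4 -6; do
        run ip $v rule del iif "$LAN_IF" table "$TABLE" 2>/dev/null || true
        run ip $v rule add iif "$LAN_IF" table "$TABLE"
        run ip $v route replace to blackhole default table "$TABLE" metric 4095
    done
    run sysctl -q -w net.ipv4.ip_forward=1
    nft_ruleset | run nft -f -
}

# pppd hook (/etc/ppp/ip-up.d/): pppd passes the interface name as $1.
# This metric-0 default beats the metric-4095 blackhole only while it exists.
vpn_up() {
    run ip route replace default dev "${1:-$VPN_IF}" table "$TABLE"
}

# /etc/ppp/ip-down.d/: the kernel already drops the route with the device;
# deleting explicitly only makes the fallback to the blackhole visible.
vpn_down() {
    run ip route del default dev "${1:-$VPN_IF}" table "$TABLE" 2>/dev/null || true
}

# Check: which default does wlan0 traffic get right now?
status() {
    ip rule show | grep "iif $LAN_IF" || echo "no rule for $LAN_IF"
    ip route show table "$TABLE"
}

case "${1:-}" in
    up)       wlanvpn_up ;;
    vpn-up)   shift; vpn_up "$@" ;;
    vpn-down) shift; vpn_down "$@" ;;
    status)   status ;;
esac
```

Run it as `wlanvpn.sh up` from the wlan0 pre-up hook and as `wlanvpn.sh vpn-up` from /etc/ppp/ip-up.d/. Two caveats worth checking: the `iif wlan0` rule only matches packets that arrive on wlan0, so anything the Pi itself originates on behalf of the clients, for example a DNS forwarder running on the Pi, is looked up with `iif lo`, uses the main table and still leaves through eth0 unless it gets its own rule; and if you clone LAN routes into the table as the answer describes, the forward chain needs a matching accept rule, otherwise its drop policy blocks that traffic.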