
Routing Internet traffic through computer on another subnet

I have two Debian boxes and would like to use one of them as a VPN server, and the other as a client. The goal is for the client to access the Internet through the server's Internet connection. In other words:

client(encrypted packets) ---> ISP1 ----> ISP2 ----> server(decrypts packets) ---->ISP2

and the opposite for responses.

I have set up my TUN devices and can ping across. So this seems to be a routing problem.

client# route -n
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlp1s0
0.0.0.0         0.0.0.0         0.0.0.0         U     1002   0        0 enp2s0
10.0.0.0        10.4.0.1        255.255.255.0   UG    0      0        0 tun1
10.4.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 enp2s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlp1s0

Obviously, currently Internet requests are routed through 192.168.1.1. However, if I set Mozilla Firefox's proxy setting to 10.0.0.0, nothing is accessible. traceroute 10.0.0.0 just shows 1 hop.

server# route -n
0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
10.0.0.0        10.4.0.2        255.255.255.0   UG    0      0        0 tun1
10.4.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

What is missing?

Vorac

1 Answer

That will require both new routes and a firewall rule to let the client access the Internet through the server.

Assume the VPN connection is used to connect the client to the server, the VPN subnet between client and server is peer-to-peer, and the subnet id is 10.40.0.0.

You need to change the default gateway for the client with the following static route, to make it forward all non-local traffic to the server:

ip route change default via 10.4.0.2

In the meantime, you need to add a NAT rule to the server's firewall policy so that all Internet-facing traffic appears to originate from the server itself. Assuming the Internet-facing network interface is eth0, the NAT rule looks like the following:

iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE

Hope this can help.

robert
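The following script is an added example and is not part of the question or the answer above. It builds the client-side and server-side commands for the setup the answer describes, with two checks a practitioner would want before applying them. First, the tunnel peer address is read from the route table rather than typed by hand: on a point-to-point tun device, the host route (flag UH) names the remote end of the tunnel, and that is the address the client's default route must go via. Second, before the default route is moved into the tunnel, the VPN server's public address is pinned to the old gateway; without that host route, the encrypted packets to the server would themselves be sent into the tunnel and the tunnel would collapse. On the server side it also enables IP forwarding and adds FORWARD rules alongside the MASQUERADE rule, since the NAT rule alone does nothing if forwarding is off. The route table is the client's `route -n` output copied from the question; the server's public address (203.0.113.10) is an assumed placeholder, as are the device names passed in. Commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the routes and NAT/forward
# rules that send a client's Internet traffic through a tun-based VPN server.
# Nothing is applied unless APPLY=1; by default the commands are printed.

# Constructed copy of the client's `route -n` output from the question.
CLIENT_ROUTES='0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlp1s0
0.0.0.0         0.0.0.0         0.0.0.0         U     1002   0        0 enp2s0
10.0.0.0        10.4.0.1        255.255.255.0   UG    0      0        0 tun1
10.4.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 enp2s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlp1s0'

# Remote end of a point-to-point tun device: the host route (flags UH) on it.
# $1 = `route -n` output, $2 = tun device name.
tun_peer() {
  printf '%s\n' "$1" | awk -v dev="$2" '$4 == "UH" && $8 == dev { print $1; exit }'
}

# Current default gateway and the interface it sits on: "<gw> <iface>".
# $1 = `route -n` output.
default_gw() {
  printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 == "UG" { print $2, $8; exit }'
}

# Client side. $1 = `route -n` output, $2 = tun device, $3 = VPN server's public IP.
# The server's public IP is pinned to the old gateway BEFORE the default route is
# moved, so the encrypted tunnel packets keep leaving via the ISP link.
client_commands() {
  cc_peer=$(tun_peer "$1" "$2")
  cc_gw=$(default_gw "$1" | awk '{ print $1 }')
  cc_gwdev=$(default_gw "$1" | awk '{ print $2 }')
  if [ -z "$cc_peer" ] || [ -z "$cc_gw" ]; then
    echo "client_commands: tunnel peer or default gateway not found" >&2
    return 1
  fi
  printf '%s\n' \
    "ip route add $3/32 via $cc_gw dev $cc_gwdev" \
    "ip route replace default via $cc_peer dev $2"
}

# Server side. $1 = VPN subnet, $2 = tun device, $3 = Internet-facing device.
# Forwarding must be on, and the FORWARD chain must let tunnel traffic out and
# only related/established replies back in; MASQUERADE alone is not enough.
server_commands() {
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "iptables -t nat -A POSTROUTING -s $1 -o $3 -j MASQUERADE" \
    "iptables -A FORWARD -i $2 -s $1 -o $3 -j ACCEPT" \
    "iptables -A FORWARD -i $3 -o $2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Apply the generated commands with sh -e when APPLY=1, otherwise just show them.
run_or_show() {
  if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

# Usage (run the client part on the client, the server part on the server).
# SERVER_PUBLIC_IP is an assumed placeholder from the documentation range.
echo "# client:"
client_commands "$CLIENT_ROUTES" tun1 "${SERVER_PUBLIC_IP:-203.0.113.10}" | run_or_show
echo "# server:"
server_commands 10.4.0.0/24 tun1 eth0 | run_or_show
```

Run as root on each box with APPLY=1 once the printed commands look right. Reading the peer from the UH host route keeps the script honest about which end of the tunnel is which; on the client's table above it yields 10.4.0.1, and the same function run against the server's table would yield 10.4.0.2.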