
First of all, my understanding of the subject is very limited. I'm trying to use an Ubuntu VM as a VPN gateway for my other devices on the same network. The VPN uses the Cisco AnyConnect VPN client.

The network configuration is as follows:

A TP-Link router that is connected to the "internet", works as the default gateway with the IP address 192.168.0.1. The VM should now work as the default gateway for the other devices with the IP 192.168.0.104.

When the client establishes the connections, the iptables on the VM look like this:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ciscovpn
-N ciscovpnfinal
-N ciscovpnfw
-A INPUT -j ciscovpn
-A INPUT -j ciscovpnfw
-A INPUT -j ciscovpnfinal
-A FORWARD -j ciscovpn
-A FORWARD -j ciscovpnfw
-A FORWARD -j ciscovpnfinal
-A OUTPUT -j ciscovpn
-A OUTPUT -j ciscovpnfw
-A OUTPUT -j ciscovpnfinal
-A ciscovpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ciscovpn -o lo+ -j ACCEPT
-A ciscovpn -i lo+ -j ACCEPT
-A ciscovpn -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A ciscovpn -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ciscovpn -p udp -m udp --sport 546 --dport 547 -j ACCEPT
-A ciscovpn -p udp -m udp --sport 547 --dport 546 -j ACCEPT
-A ciscovpn -s 192.168.0.104/32 -d 193.175.213.80/32 -o enp0s3 -p tcp -m tcp --dport 443 -j ACCEPT
-A ciscovpn -s 193.175.213.80/32 -d 192.168.0.104/32 -i enp0s3 -p tcp -m tcp --sport 443 -j ACCEPT
-A ciscovpn -s 192.168.0.104/32 -d 193.175.213.80/32 -o enp0s3 -p udp -m udp --dport 443 -j ACCEPT
-A ciscovpn -s 193.175.213.80/32 -d 192.168.0.104/32 -i enp0s3 -p udp -m udp --sport 443 -j ACCEPT
-A ciscovpn -i cscotun0 -j RETURN
-A ciscovpn -s 10.60.38.146/32 -o cscotun0 -j RETURN
-A ciscovpn -j DROP
-A ciscovpnfinal -j ACCEPT

The VM has the interface enp0s3, which has access to the LAN. The interface cscotun0 is the interface created by the VPN client to access the internet. To create the gateway I tried the following commands, taken from this tutorial:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -A FORWARD -o cscotun0 -i enp0s3 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE

However, the VM is still unreachable by the other devices in my network 192.168.0.0/24. Before establishing a connection with the VPN client I can send ping commands from the host machine to the VM. After the connection establishes, the VM becomes unreachable. I fail to deeply understand those rules that are created by the VPN client.
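Added example, not part of the question and not code from the VPN client: a small evaluator for the filter-table listing above. It parses an abridged copy of the `iptables -S` output (with the two FORWARD rules the poster appended) and traces constructed packets through the chains the way the kernel walks them, so you can see which rule decides each packet without needing root or a VM. The LAN client address 192.168.0.105, the Internet host 203.0.113.10 and the VPN-side peer 10.60.38.1 are assumed values; only the match options that occur in the listing are understood.

```python
# Added example, not from the question: a toy evaluator for the filter-table
# listing above, so the chain walk can be traced without root or iptables.
import ipaddress
import shlex

# Abridged copy of the question's listing plus the two FORWARD rules the poster
# appended. OUTPUT, ciscovpnfw, DHCP and the 443 rules are omitted because the
# packets traced below would not match them, so the verdicts are unchanged.
RULES = """
-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -j ciscovpn
-A INPUT -j ciscovpnfinal
-A FORWARD -j ciscovpn
-A FORWARD -j ciscovpnfinal
-A ciscovpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ciscovpn -o lo+ -j ACCEPT
-A ciscovpn -i lo+ -j ACCEPT
-A ciscovpn -i cscotun0 -j RETURN
-A ciscovpn -s 10.60.38.146/32 -o cscotun0 -j RETURN
-A ciscovpn -j DROP
-A ciscovpnfinal -j ACCEPT
-A FORWARD -o cscotun0 -i enp0s3 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"""
OPTION_KEYS = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out", "-p": "proto",
               "--state": "state", "--ctstate": "state", "-j": "target"}

def parse_rules(text):
    """Return ({builtin chain: policy}, {chain: [rule dicts]}) from `iptables -S` lines."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            rule, i = {}, 2
            while i < len(tok):
                if tok[i] == "-m":       # match-extension name (state, conntrack): skip it
                    i += 2
                    continue
                rule[OPTION_KEYS[tok[i]]] = tok[i + 1]
                i += 2
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def iface_match(pattern, name):
    # A trailing "+" is iptables' prefix wildcard, e.g. "lo+" matches "lo".
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern

def matches(rule, pkt):
    checks = {
        "src": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "dst": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "in": lambda v: iface_match(v, pkt.get("in", "")),
        "out": lambda v: iface_match(v, pkt.get("out", "")),
        "proto": lambda v: v == pkt["proto"],
        "state": lambda v: pkt["state"] in v.split(","),  # conntrack state of the flow
    }
    return all(checks[k](v) for k, v in rule.items() if k != "target")

def trace(policies, chains, chain, pkt, path=None):
    """Walk a chain in rule order like the kernel; return (verdict, matched rules).
    verdict is ACCEPT/DROP, or None when a user chain ends or hits RETURN without
    deciding, in which case the caller continues after its jump rule."""
    path = [] if path is None else path
    for idx, rule in enumerate(chains.get(chain, [])):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        path.append((chain, idx, target))
        if target in ("ACCEPT", "DROP"):
            return target, path
        if target == "RETURN":
            break
        verdict, path = trace(policies, chains, target, pkt, path)  # jump into user chain
        if verdict is not None:
            return verdict, path
    return policies.get(chain), path    # builtin chains fall back to their policy

POLICIES, CHAINS = parse_rules(RULES)

# Constructed packets: 192.168.0.105 is a hypothetical LAN client, 203.0.113.10 a
# hypothetical Internet host and 10.60.38.1 a hypothetical peer inside the VPN.
SCENARIOS = {
    "lan_ping_to_vm": ("INPUT", {"src": "192.168.0.105", "dst": "192.168.0.104",
                                 "in": "enp0s3", "proto": "icmp", "state": "NEW"}),
    "lan_forward_via_vpn": ("FORWARD", {"src": "192.168.0.105", "dst": "203.0.113.10",
                                        "in": "enp0s3", "out": "cscotun0", "proto": "tcp", "state": "NEW"}),
    "vpn_inbound_forward": ("FORWARD", {"src": "10.60.38.1", "dst": "192.168.0.105",
                                        "in": "cscotun0", "out": "enp0s3", "proto": "tcp", "state": "NEW"}),
}

def run(name):
    chain, pkt = SCENARIOS[name]
    return trace(POLICIES, CHAINS, chain, pkt)

if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, *run(name))
```

With these rules, the trace for a new LAN packet (whether a ping to the VM itself on INPUT or a flow to be forwarded out of cscotun0) ends at the `-j DROP` at the bottom of the ciscovpn chain, which is reached through the very first rule of INPUT and FORWARD; the rules appended with `iptables -A FORWARD` sit after that jump and are never consulted for such packets. Only traffic arriving on cscotun0 (or, for the VM's own address, leaving through it) hits a RETURN and falls through to ciscovpnfinal's ACCEPT. The evaluator is deliberately minimal (no port matches, no REJECT, no nat table), so treat it as a reading aid for rule ordering rather than a substitute for `iptables -t filter -L -v` counters on the real host.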
