Share VPN with ethernet interface
Running Ubuntu 18.04 LTS. Looking to share VPN connection (OpenVPN over wifi) with an ethernet interface, using gnome.
Use case is: a laptop connects to unsecure wifi, establishes VPN tunnel, the VPN is then shared with an Ethernet interface, upon which I connect a DD-WRT router (double-NAT, obviously) that supplies secure wifi/ethernet to clients. The reason for using a laptop with a real OS for the gateway is to handle captive portals via browser (as many hotels do). This setup makes it impossible for the clients' traffic to leak over the gateway wifi since only the VPN connection is shared (not the base wifi). If VPN drops, the clients have no connectivity at all. Easy enough to do under macOS with L2TP. Is there a reasonably simple way to do this from the GNOME GUI? It took me hours trying to get just the L2TP+IPsec tunnel to work and finally gave up. I am using OpenVPN now, but I can't find a way of sharing the OpenVPN connection specifically, just the wifi, which would fall to insecure if the tunnel ever dropped, exposing the client traffic. I'm a new user, I'm sure there is a way to do this with CLI, but I much prefer a simple GUI method if it exists.
I think you are looking at this wrong. I think you need to masquerade the connection, not share it. You would do that via your firewall, i.e. turn it into a router.
I think that might be what this poster is doing? (Albeit with a lot more CLI-ninjary than I am comfortable with at the moment) https://askubuntu.com/questions/9261...ther-lan-users As a fall-back, if I can't get the OS to cut feed to the router when the VPN drops (should maybe have mentioned that the intent was for the laptop's ethernet to be connected to the WAN port of the router, feeding it the shared VPN connection established over wifi), then I'll try to build that functionality directly in the router. I think DD-WRT supports OpenVPN as a client and a simple firewall rule can set up an "internet kill switch" if it drops. I used to do this with a less capable router, hence using the laptop OS functionality for establishing/sharing the VPN and being the kill-switch.
Masquerading is a term used in networking. It basically means sharing an internet connection. To do that, you set it up via your firewall. I searched on the duckduckgodotcom,
Code:
configure ufw masquerade vpn connection ufw vpn masquerade
Essentially you have 3 connections, the 2 physical ethernet devices and the VPN named something like tun0. You have tun0 set to use eth dev 1 which is part. Now you need to masquerade tun0 (the VPN) and set up an IP server (dnsmasq or DHCP server). Those are the elements you need to set this up. You need to just finish the last two parts. So the firewall will share the VPN connection allowing others to use it and the DHCP will serve IPs to devices that want to connect.
I wouldn't do this with a laptop; I think you're better off doing it with whatever router/AP you're going to run dd-wrt on.
Have it run 2 SSIDs, e.g. one called "setup" or similar, which is bridged to a VLAN/subnet with NAT/passthrough (as "normal") which you can connect to in order to deal with the captive portal. Once that has been sorted, since the traffic from whatever device you used to authenticate with the portal was being masqueraded, the dd-wrt router will then be able to connect out itself, in order to bring up an OpenVPN client. After that, bridge the secondary SSID e.g. "secure" with the OpenVPN client interface, and then connect your devices to that SSID. If the VPN goes down, traffic will stop, as that SSID/VLAN/subnet can only route through the VPN interface. There is some info on setting up multiple SSIDs/VLANs/subnets with bridging here: https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs
I like it. It would reduce how much dedicated hardware is needed, provided my DD-WRT router has enough radios to manage it all, and the processor can keep up with the VPN (something I'm not convinced it can do after some fiddling with it today). I still need a "burner" device that I don't mind exposing to the hotel network, if only briefly, but if I go all-in I could probably do it with a VM. After messing with the DD a bit today, I do wonder if it might be a bit fussier to get working and/or troubleshoot on the road though when it hiccups. When I do this in macOS, it is pretty dead simple. The setup in Linux is proving more complicated, but at least when things are glitching it's easy enough to investigate what's going on and reset things. The router is a bit more opaque in that regard.
Have you thought of bridging the ethernet and VPN connections? If you want to go that route, here is my client config:
client.conf
Code:
### Client configuration file for OpenVPN
up
Code:
#!/bin/bash
Code:
#!/bin/bash
Bridging is where I thought I might go with this, since that's the one option that seems to get some treatment in the GUI, but I'll have to think through my options a bit, and pick something that I'm confident I will know how to reverse, in case it all gets bungled up. It's clear now that it won't be a quick 20 minute jobby for me, I'll have to dedicate some serious time to figuring it out, since I'm also learning my way around Linux as I go. When I do finally get something working, I'll make a point to come back here with my notes!
EDITED
I think I have it working, but one thing has me stumped in this code:
Code:
# START OPENVPN RULES
If I do an ifconfig on my device, I don't actually see that IP address/range come up anywhere. What does this part of the setup actually do?
The gateway computer kill switch is working fine, using the method at the link you provided. When the VPN is open, the client traffic passes through the VPN no problem. The issue is, when the VPN tunnel drops, even though the gateway loses access, somehow the client still reaches out to the internet (and leaks the IP address). So, the connection sharing that I set up with nm-connection-editor is bypassing the gateway's ufw rules (or, at least, the kill-switch functionality I put in for the VPN). I'm sure there is a simple addition to either iptables or ufw I would need to do to get the kill to propagate to the client, but I'm wary of trying random things for fear of totally breaking everything. tun0 is my VPN, wlp2s0 is the wifi adapter that connects to the WAN, and ens9 is the ethernet adapter that shares with the client (it's a Thunderbolt ethernet adapter). I haven't created any rules yet for ens9, but assumed that this set of defaults would be blocking it from doing anything:
Code:
sudo ufw default deny incoming
Thanks to anybody that can tell me what I'm missing!
Solved
Update: I have it working now.
I will post my full solution with code once I have it streamlined a bit more, but I'll include a synopsis for now. I followed the steps from the link: https://ubuntu-mate.community/t/vpn-...ate-15-04/1452 Those steps amount to:
- disabling IPv6 (because of various forms of VPN leakage)
- enabling packet forwarding at kernel level
- using ufw to build firewall rules that activate a "VPN kill switch" (by making the defaults deny, adding a few allow rules, and adding *nat rules to the before.rules for some local masquerades)
That much got a working VPN kill switch functioning on the gateway computer, but it wasn't addressing the sharing/masquerade with the client network (which in my case is a DD-WRT router wanting its WAN access through the tunnel). A few things were missing for my use case. For starters, I had Network Manager from the start, so both the VPN and the client network (interfaces/devices) had to be set up there. More on this in a second. I also had used nm-connection-editor to build the connection sharing in the first place (this was before wanting to do a VPN kill switch). That ended up being a confusing mistake, since the GUI method evidently built the masquerade directly in iptables rules, and it did it in a way that was bypassing/defeating the *nat before.rules in ufw. I had to reverse all that and go back to the before.rules to add an additional masquerade line in the *nat to actually enable sharing the VPN with the client network (simple enough, but took me forever to figure out, since the instructions at link didn't address it). That line looks like this:
Code:
-A POSTROUTING -s 192.168.10.0/24 -o tun0 -j MASQUERADE
And that's it in a nutshell. (A big-ish nutshell. I am verbose...). I'll post the full code and ufw rules once I whittle it down to what was necessary. There may be one or two ufw rules that were missing from the link to make this work, but I want to try removing a few of the ones I added while troubleshooting before I'm sure. As a side note, I opted not to create the VPN and kill switch in the DD-WRT for a few reasons: First, this gateway-VPN method allows secure browsing on the gateway computer, which wasn't necessary but is a nice perk. The main reason is: the router I'm using for DD-WRT is an older Broadcom-based single core dealy. Its maximum throughput with the VPN enabled was about 5 Mbit, which is likely sufficient for most hotel connections, but still a bit of a bummer. And dialing into the router's web-based GUI to try and troubleshoot things when it goes down is a bit fussier than just doing the Ubuntu stuff on the gateway.
Solution
Made these changes in /etc/sysctl.conf
Code:
#disable ipv6
Code:
DEFAULT_FORWARD_POLICY="ACCEPT"
Code:
sudo ufw default deny incoming
This much got me a working VPN kill-switch on the gateway device. The last step was masquerading the VPN connection on the secondary interface (in my case, the Ethernet device called ens9). This is where the instructions at link were leading me astray. Using the IP-space of the VPN client wasn't actually doing anything for me, and masquerading on the physical interfaces neither. What I ended up doing was masquerading the virtual tun0 interface onto the subnet for my client devices connected by ens9. Like this:
Code:
### Start OpenVPN Share rules
I expected to need a ufw rule like this:
Code:
sudo ufw allow out on ens9 to 192.168.10.0/24
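An added audit script, not from the thread or any of its posters, that models the client leak described in the "Solved" and "Solution" posts above: it parses a constructed nat table in iptables-save format and flags any POSTROUTING MASQUERADE for the client subnet that is not pinned to the tunnel with -o tun0, since such a rule NATs forwarded client traffic out whatever interface holds the default route once the VPN is down. The interface names, the 192.168.10.0/24 subnet and both sample tables are assumptions.

```python
# Added example: offline audit of a nat table for the client-leak case in this thread.
# Nothing here is from the original posts; interfaces, subnet and rules are constructed.

def parse_masquerades(nat_text):
    """Return each POSTROUTING MASQUERADE rule as (src, out_iface, raw_line)."""
    rules = []
    for line in nat_text.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        toks = line.split()
        src = out = target = None
        for i, tok in enumerate(toks[:-1]):
            if tok == "-s":
                src = toks[i + 1]
            elif tok == "-o":
                out = toks[i + 1]
            elif tok == "-j":
                target = toks[i + 1]
        if target == "MASQUERADE":
            rules.append((src, out, line))
    return rules

def leaky_masquerades(nat_text, client_subnet, vpn_if):
    """Client-subnet masquerades not pinned to the VPN interface: these let
    forwarded client traffic NAT out the wifi uplink when the tunnel is down."""
    return [raw for src, out, raw in parse_masquerades(nat_text)
            if src == client_subnet and out != vpn_if]

def vpn_masquerade_present(nat_text, client_subnet, vpn_if):
    """True when the client subnet is masqueraded specifically out the VPN interface."""
    return any(src == client_subnet and out == vpn_if
               for src, out, _ in parse_masquerades(nat_text))

# Constructed `iptables-save -t nat` snippet. The first rule has no -o match, so it
# masquerades the client subnet out whichever interface currently has the default route.
LEAKY_NAT = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -o tun0 -j MASQUERADE
COMMIT
"""

# Same table with only the tun0-pinned rule, which is what the before.rules fix intends.
FIXED_NAT = "\n".join(l for l in LEAKY_NAT.splitlines() if "! -d" not in l) + "\n"
```

Run it against real output from `iptables-save -t nat` on the gateway to confirm that, after removing the nm-connection-editor sharing, only the tun0-pinned rule remains.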