Linux - Networking
I have a little ALIX box at home running voyagelinux that uses vpnc to establish a vpn connection to my employer's network. I use this as a vpn gateway, if you will, for an IP phone to connect to a phone server at work. It looks something like this:
employer
+
internet
+
cable modem
+
router (pfsense)
(192.168.1.1)
+
(192.168.1.99)
vpn gateway
(192.168.0.1)
+
(192.168.0.2)
ip phone (nortel)
The IP phone is the only device behind the vpn gateway. I want everything coming in on the vpn tunnel to be forwarded to the phone, and everything coming from the phone routed through the tunnel, so I have vpnc run the following script when the vpn connection is established:
Code:
#!/bin/sh
PHONE="192.168.0.2"
echo 1 > /proc/sys/net/ipv4/ip_forward
# vpnc makes the necessary routing change, so no need to do it here
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
# IFNAME is the vpn tunnel device (usually tun0)
/sbin/iptables --table nat --append POSTROUTING \
--out-interface ${IFNAME} --jump MASQUERADE
/sbin/iptables --table nat \
--insert PREROUTING \
--in-interface ${IFNAME} \
--jump DNAT \
--to ${PHONE}
This setup works most of the time, but occasionally I'll lose audio from the other end of the call. They can still hear me, however, which leads me to believe that I'm doing something wrong or missed something above. I want the phone to function as if it's directly on my employer's network, with as little NAT as possible. How do I do that the right way?
If I have a tunnel tun0, what's the simplest/best way to have all traffic coming in over tun0 forwarded to $IP and all traffic from $IP routed to tun0?
Are you trying to "route" all packets to another router? Or trying to forward specific connections to specific ports? If all you want to do is reach a specific server, forwarding connections to its port is all you need to do. Or do you also want this so you can access the internet as coming from the employer network?
Thanks for the reply. I want the phone to behave as if it's directly on my employer's network, or as close to that as I can get. My vpn gateway establishes the connection to my employer, creating tun0. I then want all data coming in on tun0 to go to the phone, and all data going out from the phone to go to tun0. The phone is the only device behind my vpn gateway.
This is what I've settled on thus far, and it works for the most part:
The default rules on INPUT, OUTPUT, and FORWARD are ACCEPT (this gateway not directly exposed to internet). Does this look about right? Should I be using SNAT instead of MASQUERADE? If I did use SNAT, would I use the IP address assigned to tun0, or some other IP address?
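The following is an added example, not the poster's script, covering both the original vpnc-up script above and the SNAT-versus-MASQUERADE question in this post. It assumes vpnc's usual environment (vpnc-script exports the tunnel device as TUNDEV and the tunnel address as INTERNAL_IP4_ADDRESS; PHONE, ipt, tunnel_ip and build_rules are names chosen here). It departs from the original in two ways: the POSTROUTING rule uses SNAT to the fixed tunnel address (the iptables man page notes that MASQUERADE forgets its connections when the interface goes down, which matters for a tunnel that drops and comes back), and FORWARD defaults to DROP with explicit phone-to-tunnel rules, so nothing but the phone can ever be forwarded into the VPN. A DRY_RUN mode prints the rules instead of applying them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the original poster's script). Run as
#   ./vpn-phone-nat.sh show    # print the rules (DRY_RUN, no root needed)
#   ./vpn-phone-nat.sh apply   # install them (from vpnc-script, as root)

PHONE="${PHONE:-192.168.0.2}"          # the single host behind the gateway
TUN="${TUNDEV:-tun0}"                  # assumption: vpnc exports TUNDEV
TUN_IP="${INTERNAL_IP4_ADDRESS:-}"     # assumption: vpnc exports the tunnel address

# Wrapper: echo the command when DRY_RUN=1, otherwise run iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# Tunnel address for SNAT: prefer what vpnc handed us, else read it
# from the interface (first IPv4 address, prefix length stripped).
tunnel_ip() {
    if [ -n "$TUN_IP" ]; then
        echo "$TUN_IP"
    else
        ip -4 -o addr show dev "$TUN" | awk '{sub(/\/.*/, "", $4); print $4; exit}'
    fi
}

# build_rules <tunnel-dev> <tunnel-ip> <phone-ip>
build_rules() {
    dev="$1"; tip="$2"; phone="$3"

    ipt --flush
    ipt --table nat --flush
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT

    # Forward only between the phone and the tunnel; everything else is
    # dropped so other LAN hosts cannot ride the VPN through this box.
    ipt -P FORWARD DROP
    ipt -A FORWARD -i "$dev" -d "$phone" -j ACCEPT   # after DNAT, dst is the phone
    ipt -A FORWARD -s "$phone" -o "$dev" -j ACCEPT   # before SNAT, src is the phone

    # Inbound: everything arriving on the tunnel is sent to the phone.
    ipt --table nat -A PREROUTING -i "$dev" -j DNAT --to-destination "$phone"

    # Outbound: rewrite the phone's address to the fixed tunnel address.
    # SNAT rather than MASQUERADE: MASQUERADE's connection entries are
    # discarded when the interface goes down, SNAT's survive a tunnel blip.
    ipt --table nat -A POSTROUTING -s "$phone" -o "$dev" -j SNAT --to-source "$tip"
}

case "${1:-}" in
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        build_rules "$TUN" "$(tunnel_ip)" "$PHONE"
        ;;
    show)
        DRY_RUN=1
        build_rules "$TUN" "${TUN_IP:-<tunnel-ip>}" "$PHONE"
        ;;
esac
```

Called from vpnc-script's connect hook, `$TUN` and `$TUN_IP` are filled in by vpnc itself; `show` is the quick way to confirm the generated rule set (in particular that the SNAT source is the tunnel address and not a LAN address) before trusting it on a live call.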
I'm going to have to back out of this because I don't know enough about the protocol involved to understand what it is doing. But it may just be a stalled tunnel.
Can a tunnel stall in just one direction? Anyway, I'm now using SNAT to the tunnel IP address on the POSTROUTING rule, instead of MASQUERADE. It's been working fine for the past 5 hours, but I won't know for a day or three if it's a long-term fix.
So that others attempting to do the same may benefit, here's what I ended up with. It works very well, and if while on a call the connection is dropped and then restored (I have a watchdog script check every few seconds), the call automagically resumes.