LinuxQuestions.org

Linux - Networking: Tunnel all traffic from specific nic through vpn (https://www.linuxquestions.org/questions/linux-networking-3/tunnel-all-traffic-from-specific-nic-through-vpn-4175592811/)

blablax 11-03-2016 11:07 AM

Tunnel all traffic from specific nic through vpn
 
Hi,

What I am trying to do is to make my vpn life simple:
For my normal internet traffic I will use my default SOHO router (192.168.1.1). This gateway is set in DHCP.

But I was thinking, for my vpn traffic, I insert an extra nic (ens38) in my ubuntu machine.
Get openvpn to work (tun0), and tunnel all my vpn traffic from nic ens38 through my paid vpn service (tun0).

My normal traffic on this ubuntu machine still goes through my default gateway nic ens33 to my SOHO router.

I'm using iptables to forward all traffic.
The internet traffic from my Windows machine is correctly routed through my ubuntu machine, but ubuntu does not route it through the vpn tunnel, but through the default gateway...

Where does it go wrong?


root@XXXXXX:~# ifconfig
ens33 Link encap:Ethernet HWaddr 00:00:00:00:00:8c
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4786 errors:0 dropped:7 overruns:0 frame:0
TX packets:313799 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:572213 (572.2 KB) TX bytes:24324000 (24.3 MB)

ens38 Link encap:Ethernet HWaddr 00:00:00:00:00:96
inet addr:192.168.1.13 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:317828 errors:0 dropped:7 overruns:0 frame:0
TX packets:620 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23919414 (23.9 MB) TX bytes:96034 (96.0 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1200 (1.2 KB) TX bytes:1200 (1.2 KB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.37 P-t-P:10.0.0.37 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)



root@XXXXXX:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 ens33
10.163.21.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens38
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens33

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o ens38 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ens38 -o tun0 -j ACCEPT

root@XXXXXX:~# iptables -L -v
Chain INPUT (policy ACCEPT 2275 packets, 263K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 95634 packets, 5290K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun0 ens38 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- ens38 tun0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 338 packets, 41592 bytes)
pkts bytes target prot opt in out source destination




Tracert from the Windows machine with 192.168.1.13 set as gateway address:

tracert -d google.com

Tracing route to google.com [172.217.17.46]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.1.13
2 <1 ms <1 ms <1 ms 192.168.1.1
3 9 ms 6 ms 7 ms 10.xx.xx.129
4 12 ms 7 ms 11 ms 212.xx.xx.133
5 * * * Request timed out.
6 9 ms 20 ms 28 ms 84.116.130.242
7 8 ms 17 ms 14 ms 74.125.51.52
8 8 ms 8 ms 7 ms 108.170.241.225
9 97 ms 95 ms 46 ms 108.170.236.137
10 9 ms 9 ms 8 ms 172.217.17.46
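The behaviour in the post follows from how the kernel picks the output interface before netfilter's FORWARD chain ever sees the packet. The model below is an added example, not code from the thread: it replays the `route -n` table above for a packet arriving on ens38, then adds a hypothetical policy-routing rule (`ip rule add iif ens38 table 100` plus `ip route add default dev tun0 table 100`) and shows the output interface flipping from ens33 to tun0. Interface and prefix values are taken from the post; the rule and table names are assumptions.

```python
import ipaddress

# Constructed model of the Linux routing decision for the setup in the thread.
# A table is a list of (prefix, out_iface); a rule is (priority, iif, table).
MAIN = [
    ("0.0.0.0/0", "ens33"),       # default via 192.168.1.1 dev ens33
    ("10.163.21.0/24", "tun0"),   # the OpenVPN subnet
    ("192.168.1.0/24", "ens38"),
    ("192.168.1.0/24", "ens33"),
]

def lookup(table, dst):
    """Longest-prefix match over one table; None when nothing matches."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def route(dst, iif, rules, tables):
    """Walk the policy database: the first rule whose iif matches (None = any)
    and whose table holds a route for dst decides the output interface."""
    for _prio, rule_iif, table in sorted(rules, key=lambda r: r[0]):
        if rule_iif in (None, iif):
            oif = lookup(tables[table], dst)
            if oif is not None:
                return oif
    return None

def forward_rule_hit(iif, oif):
    """The thread's FORWARD rules only match ens38<->tun0; any other pair falls
    through to the ACCEPT policy, which is why the counters read 0 while the
    Windows host still reaches the internet via 192.168.1.1."""
    return (iif, oif) in {("ens38", "tun0"), ("tun0", "ens38")}

# Before: only the main table, as in the `route -n` output above.
BEFORE_RULES = [(32766, None, "main")]
# After (hypothetical fix, not from the thread): everything arriving on ens38
# is looked up in table 100, whose single route is a default through tun0:
#   ip rule add iif ens38 table 100
#   ip route add default dev tun0 table 100
AFTER_RULES = [(100, "ens38", "vpn"), (32766, None, "main")]
TABLES = {"main": MAIN, "vpn": [("0.0.0.0/0", "tun0")]}

def demo(dst="172.217.17.46"):
    """Output interface for a forwarded packet from ens38, before and after."""
    return route(dst, "ens38", BEFORE_RULES, TABLES), route(dst, "ens38", AFTER_RULES, TABLES)
```

With the per-interface rule in place, replies entering on tun0 are reverse-path checked against the main table, which points at ens33, so strict `rp_filter` on tun0 can drop them; loose mode (`net.ipv4.conf.tun0.rp_filter=2`) avoids that.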

dijetlo 11-04-2016 09:41 AM

ens38 is redundant, you can set tun0's default route to your VM environment and your packets will route over the tun based on the kernel routing table.
Quote:
    10.163.21.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
It looks like that might already be set up. Is your VM environment 10.163.21.0 ?
If you want to do all your internet traffic over your VPN connection, make your default route the vm subnet and put your internet default route on your remote vm. That way, traffic without a local address is routed encrypted and piped into the VPN endpoint.

blablax 11-18-2016 01:09 AM

Hi, thank you for your response.

Wouldn't that redirect all traffic through the tunnel?
Local and internet traffic will always go through the vpn, not just the devices using the extra nic as a gateway.
I don't want my ubuntu's internet traffic to go through the tunnel.

My local environment is 192.168.x.x; the 10.163.x.x is openvpn.

blablax 12-06-2016 06:36 AM

Anyone?

sundialsvcs 12-06-2016 08:45 AM

You do not need "an extra NIC." Not unless there's an extra physical wire that you haven't yet talked about.

If you are, as I presume from what you've written here, running an OpenVPN client directly on your machine, then there is a tunX virtual device on the machine (when you are connected), and route commands within the OpenVPN client configuration file can direct any desired IP-address range into that device as its gateway.

Of course, the encrypted traffic from the OpenVPN client can be redirected through another physical network interface card if you so desire, in the same way that any sort of Internet traffic can be so routed, but there is no particular advantage in doing so.
