LinuxQuestions.org
Old 11-03-2016, 11:07 AM   #1
blablax
LQ Newbie
 
Registered: Nov 2016
Posts: 3

Rep: Reputation: Disabled
Tunnel all traffic from specific nic through vpn


Hi,

What I am trying to do is make my VPN life simple:
For my normal internet traffic I will use my default SOHO router (192.168.1.1). This gateway is set in DHCP.

But I was thinking, for my VPN traffic, I insert an extra NIC (ens38) in my Ubuntu machine.
Get OpenVPN to work (tun0), and tunnel all my VPN traffic from NIC ens38 through my paid VPN service (tun0).

My normal traffic on this Ubuntu machine still goes through my default gateway NIC ens33 to my SOHO router.

I'm using iptables to forward all traffic.
The internet traffic from my Windows machine is correctly routed through my Ubuntu machine, but Ubuntu does not route it
through the VPN tunnel, but through the default gateway...

Where does it go wrong?


root@XXXXXX:~# ifconfig
ens33 Link encap:Ethernet HWaddr 00:00:00:00:00:8c
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4786 errors:0 dropped:7 overruns:0 frame:0
TX packets:313799 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:572213 (572.2 KB) TX bytes:24324000 (24.3 MB)

ens38 Link encap:Ethernet HWaddr 00:00:00:00:00:96
inet addr:192.168.1.13 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:317828 errors:0 dropped:7 overruns:0 frame:0
TX packets:620 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23919414 (23.9 MB) TX bytes:96034 (96.0 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1200 (1.2 KB) TX bytes:1200 (1.2 KB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.37 P-t-P:10.0.0.37 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)



root@XXXXXX:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 ens33
10.163.21.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens38
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens33

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o ens38 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ens38 -o tun0 -j ACCEPT

root@XXXXXX:~# iptables -L -v
Chain INPUT (policy ACCEPT 2275 packets, 263K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 95634 packets, 5290K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun0 ens38 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- ens38 tun0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 338 packets, 41592 bytes)
pkts bytes target prot opt in out source destination




Tracert from the Windows machine with 192.168.1.13 set as the gateway address:

tracert -d google.com

Tracing route to google.com [172.217.17.46]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.1.13
2 <1 ms <1 ms <1 ms 192.168.1.1
3 9 ms 6 ms 7 ms 10.xx.xx.129
4 12 ms 7 ms 11 ms 212.xx.xx.133
5 * * * Request timed out.
6 9 ms 20 ms 28 ms 84.116.130.242
7 8 ms 17 ms 14 ms 74.125.51.52
8 8 ms 8 ms 7 ms 108.170.241.225
9 97 ms 95 ms 46 ms 108.170.236.137
10 9 ms 9 ms 8 ms 172.217.17.46

Last edited by blablax; 11-03-2016 at 02:38 PM.
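An added example, not part of this thread or either poster's setup, of the piece missing from the configuration above: the iptables rules only filter and masquerade, while the routing decision for packets forwarded in from ens38 still uses the main table and its ens33 default route. The script adds a policy-routing rule so that only traffic entering via ens38 consults a second table whose sole default route is tun0; the table id 100, the arp_ignore sysctl (both NICs sit on 192.168.1.0/24, so the kernel may otherwise answer ARP for 192.168.1.13 on ens33), the client address 192.168.1.20 and the --apply switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: policy routing so that only packets
# forwarded in via ens38 leave through tun0, while the Ubuntu host itself
# keeps using ens33 and 192.168.1.1. Table id 100 and the --apply switch are
# assumptions. Prints the plan by default; "--apply" runs it as root.
set -eu

LAN_IF=${LAN_IF:-ens38}      # NIC the Windows client uses as its gateway
VPN_IF=${VPN_IF:-tun0}       # OpenVPN tunnel device
VPN_TABLE=${VPN_TABLE:-100}  # secondary routing table id (assumed unused)
DRY_RUN=1                    # 1 = print commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The iptables rules in the original post only filter and masquerade; the
# routing decision for a forwarded packet still consults the main table,
# whose default route points at ens33. A rule keyed on the input interface
# sends those packets to a table whose only default route is the tunnel.
vpn_policy_routing() {
  run sysctl -q -w net.ipv4.ip_forward=1
  # Both NICs are on 192.168.1.0/24, so keep ens33 from answering ARP for
  # 192.168.1.13; otherwise client packets may arrive on the wrong NIC.
  run sysctl -q -w net.ipv4.conf.all.arp_ignore=1
  run ip rule add iif "$LAN_IF" lookup "$VPN_TABLE" priority 1000
  run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
  run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
  run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
    -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Verification: ask the kernel which route a forwarded packet would take.
# "ip route get ... iif" performs the same lookup as the forwarding path,
# so the answer should name tun0 once the rule is in place.
route_for_forwarded() {  # $1 = destination, $2 = client address on the LAN
  run ip route get "$1" from "$2" iif "$LAN_IF"
}

if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
vpn_policy_routing
route_for_forwarded 172.217.17.46 192.168.1.20   # 192.168.1.20: assumed client
```

Run without arguments to review the commands; run with --apply as root to install the rule, then compare the route_for_forwarded output with a plain `ip route get 172.217.17.46`, which should still show ens33 for the host's own traffic.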
 
Old 11-04-2016, 09:41 AM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
ens38 is redundant; you can set tun0's default route to your VM environment and your packets will route over the tun based on the kernel routing table.
Quote:
10.163.21.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
It looks like that might already be set up. Is your VM environment 10.163.21.0?
If you want to do all your internet traffic over your VPN connection, make your default route the VM subnet and put your internet default route on your remote VM. That way, traffic without a local address is routed encrypted and piped into the VPN endpoint.
 
Old 11-18-2016, 01:09 AM   #3
blablax
LQ Newbie
 
Registered: Nov 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Hi, thank you for your response.

Wouldn't that redirect all traffic through the tunnel?
Local and internet traffic will always go through the vpn. Not just the devices using the extra nic as a gateway.
I don't want my ubuntu's internet traffic to go through the tunnel.

My local environment is 192.168.x.x; the 10.163.x.x is OpenVPN.
 
Old 12-06-2016, 06:36 AM   #4
blablax
LQ Newbie
 
Registered: Nov 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Anyone?
 
Old 12-06-2016, 08:45 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,291
Blog Entries: 4

Rep: Reputation: 3318
You do not need "an extra NIC." Not unless there's an extra physical wire that you haven't yet talked about.

If you are, as I presume from what you've written here, running an OpenVPN client directly on your machine, then there is a tunX virtual device on the machine (when you are connected), and route commands within the OpenVPN client configuration file can direct any desired IP-address range into that device as its gateway.

Of course, the encrypted traffic from the OpenVPN client can be redirected through another physical network interface card if you so desire, in the same way that any sort of Internet traffic can be so routed, but there is no particular advantage in doing so.