iptables specific eth routing via tun
hi guys!
I have been searching for a few days for a solution to my problem but haven't found one, or I'm too dumb to understand. Here's what happened: I have a Linux server used as a router. It has an eth0 and an eth1 (local interface). I just installed OpenVPN (I need it only as a client), configured it and ran it. It connects very well to the VPN server, but I don't know how to configure iptables so that only one IP from the local network connects via tun and all the others connect normally through my external interface (eth0). I have tried the following command: Quote:
When I put -s 192.168.1.12 (my local IP) it also works fine, but all the other computers on the network don't have internet access. Let's say my server's external IP is A.A.A.A, my local server IP is B.B.B.B and my tun IP is C.C.C.C. How can I create a rule so that all IPs (except one) connect to the internet through the real IP A.A.A.A and my IP connects through the tun IP C.C.C.C? I don't seem to find an answer to that or, as I said already, I'm too dumb. Any help would be appreciated. Thanks guys.
c'mon guys ... nobody??
So, as I understood, the masquerading doesn't work with the outgoing TUN interface, am I right?
I think you should follow these instructions: http://openvpn.net/index.php/open-so....html#redirect Seems really strange, but I think it's the only way to do this when using OpenVPN. I haven't had such a configuration, but I'm interested in it.
I have DHCP enabled on the server and only my computer has a static IP, which I want to forward through the VPN; all the others should connect directly to eth0 and ignore the tun IP. With the quoted command I managed to do that, except that all the others just don't connect to the internet. And one more thing ... when I establish the VPN connection I also cannot connect outside from the server console. I tried mtr, ping, traceroute and so on. I guess I have to change some route & iptables rules, but I don't have any idea which ones and how.
The rule for the users must be like yours. Just change the -o tun0 to -o eth0 (your external interface). And one more tip: if your tun0 and eth0 have static IP addresses, it's better to use SNAT, not MASQUERADE. Just compare:
Code:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Code:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <router's_external_ip_address>
#### BEFORE ####
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
AA.AA.AA.0      *               255.255.255.128 U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         blabla.xxx      0.0.0.0         UG    0      0        0 eth0

#### WITH VPN ####
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.0.17      *               255.255.255.255 UH    0      0        0 tun0
CC.CC.CC.CC     AA.AA.AA.1      255.255.255.255 UGH   0      0        0 eth0
AA.AA.AA.0      *               255.255.255.128 U     0      0        0 eth0
10.10.0.0       10.10.0.17      255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.10.0.17      128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.10.0.17      128.0.0.0       UG    0      0        0 tun0
default         AA.AA.AA.1      0.0.0.0         UG    0      0        0 eth0

where AA.AA.AA is my external IP class and CC.CC.CC my VPN external IP class.
You have 2 default routes when the VPN is active, but you must have only one default route.
man route will help you to manage routes.
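The setup the thread is circling around, as an added example that is not from any of the posters: one LAN host is steered into a second routing table whose default goes through tun0, every other host keeps eth0, and NAT is split per outgoing interface (MASQUERADE on tun0 because its address can change, SNAT on eth0 as suggested above). The interface names, the 192.168.1.12 host and the 10.10.0.17 tun0 peer are taken from the thread; the table id 100, the A.A.A.A placeholder and the route-nopull client option are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: route ONE LAN host through tun0 and every
# other host through eth0. 192.168.1.12 and the 10.10.0.17 tun0 peer come from
# the thread; table id 100 and A.A.A.A are placeholders/assumptions.
LAN_IF=eth1
WAN_IF=eth0
VPN_IF=tun0
WAN_IP="A.A.A.A"        # router's external address (placeholder)
VPN_HOST=192.168.1.12   # the single LAN host that should use the VPN
VPN_GW=10.10.0.17       # tun0 peer seen in the poster's "WITH VPN" table
VPN_TABLE=100           # any unused routing table id (assumption)

# The two 128.0.0.0 routes in the poster's table are what "redirect-gateway def1"
# pushes; they override the main default and take the server console along too.
# Put "route-nopull" in the OpenVPN client config so eth0 stays the main default,
# then steer only VPN_HOST into table $VPN_TABLE with a policy rule.
plan() {
cat <<EOF
ip route replace default via $VPN_GW dev $VPN_IF table $VPN_TABLE
ip rule add from $VPN_HOST lookup $VPN_TABLE priority 1000
sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2
iptables -t nat -A POSTROUTING -s $VPN_HOST -o $VPN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $VPN_HOST -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
EOF
}
# rp_filter=2 (loose) on tun0 avoids reply drops when the main table prefers eth0.

# Number of commands the plan emits, for a sanity check before applying.
plan_count() { plan | wc -l | tr -d ' '; }

# Dry run by default: prints the commands. APPLY=1 executes them (as root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        plan | while IFS= read -r cmd; do echo "+ $cmd"; $cmd; done
    else
        plan
    fi
}
run
```

Check afterwards with `ip route get 8.8.8.8 from 192.168.1.12 iif eth1` (should name tun0) and the same query with another LAN address (should name eth0).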