Hi all! Thanks for your contributions to help.
@Celyr that actually doesn't help.
Let me explain. The real router from the ISP is in bridge mode because I want my Slackware machine to act as a router and give the other machines in the LAN access to the internet. The IP from the internet is obtained by pppoe-start, meaning I get a ppp0 interface.
Now, I currently don't have an OpenVPN server set up, nor do I want to have one.
I connect to the OpenVPN server, which is in Hong Kong, over the net via
Code:
openvpn --config server.ovpn
It connects and I get a tun0 interface.
Now I'll post my routing table and then I'll explain further.
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
172.29.252.59 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
And here's my iptables.
Code:
#!/bin/bash
#
# firewall-masq This script sets up firewall rules for a machine
# acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL
# Interface to Internet
EXTIF=tun0
# NAT-Tables are different, so we can use ACCEPT everywhere (?)
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# Flush the NAT-Table
iptables -t nat -F
iptables -t filter -P INPUT ACCEPT
iptables -t filter -F
# Allow NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
# Allow incoming SSH
#iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 5050 -j ACCEPT
#Allow HTTP/HTTPS
#iptables -t filter -A INPUT -i $EXTIF -m state --state NEW -p tcp --dport 80 -j ACCEPT
#Allow PING
# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Log & Deny the rest of the privileged ports
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:52 -j DROP
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 54:1023 -j DROP
iptables -t filter -A INPUT -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 127.0.0.1 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 127.0.0.1 --dport 53 -j ACCEPT
# Log & Deny NFS
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP
# Log & Deny X11
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP
# Log & Deny XFS
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP
# Deny TCP connection attempts
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP
# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# no IP spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$i"
    done
fi
# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$i"
done
Now here's the funny part. If I do:
Code:
route del default dev ppp0; route add default dev tun0
I immediately (of course) lose the internet connection, and because the OpenVPN server is not in my area but I connect to it through the internet, I lose the connection to the VPN server.
If, however, I have the default route on ppp0 and in iptables,
Code:
EXTIF=ppp0
# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
then LAN computers don't have access to the internet, but can ping the VPN subnet.
If I have the default route on ppp0 and in iptables:
Code:
EXTIF=ppp0
# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
then from LAN computers I do have access to the internet and the VPN subnet, but the IP address visible to the internet is the one from the ISP and not the one from the VPN server.
All I want is for all computers in the LAN, including the Linux server, to have the OpenVPN IP instead of the IP assigned by the ISP when the Linux server is connected to the OpenVPN server, and for all traffic to be encrypted.
My question is: how can I do that? I really want my Slackware box to act as the router instead of the ISP router.
I hope that my goal is much clearer now.
Thanks a lot!
EDIT: @Alan Hicks
When connecting to the VPN server via the config file I get this error:
Code:
NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Here's the info requested:
1. OpenVPN config file:
Code:
cat HongKong.ovpn
route-delay 3
fast-io
client
dev tun
nobind
remote switchhk-1.switchkonnect.com 1195 udp
pull
resolv-retry infinite
persist-key
persist-tun
mute-replay-warnings
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
;mute 10
explicit-exit-notify 2
<ca>
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REMOVED
-----END OpenVPN Static key V1-----
</tls-auth>
2. Routing table: provided above (I was typing and didn't read your post until I submitted mine).
3. VPN provider: Switchvpn.com. I want to use it especially for encrypted connections and anonymity.
4. I would like to make a script to bring the VPN connection up on boot as soon as the internet connection is established, so I can disable it later if I want to.
5. No particular services are available to the world from my Slackware server (only services that are available to the LAN).
6. All computers inside the LAN have a single NIC installed, and all computers, including the ISP router, are connected directly to the switch.
7. I want all computers in the LAN, including the Linux server, to have the OpenVPN IP instead of the IP assigned by the ISP when the Linux server is connected to the OpenVPN server, and all traffic to be encrypted.
Meaning that I want to tunnel all LAN traffic over the VPN, including my Linux server's.
I don't plan on a VPN-to-VPN connection as of right now, if you mean that.
If you need any more info, feel free to ask.
Again, thanks to everyone for their contributions. I've been struggling with this for a few days now.
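One way to get the setup described in this post (all LAN and router traffic through tun0, VPN endpoint still reachable over ppp0, nothing leaking out ppp0 if the tunnel drops), as an added example that is not the poster's script: an OpenVPN route-up hook that keeps the ppp0 default route in place and overrides it with two /1 routes instead of deleting it. It relies on OpenVPN's `trusted_ip` and `dev` script variables; `WAN_IF`, `LAN_NET` and the function names are assumptions for this setup.

```shell
#!/bin/sh
# Added example, not the poster's script: an OpenVPN --route-up hook that sends
# LAN and local traffic through tun0 while the tunnel endpoint stays reachable
# over ppp0. It reproduces "redirect-gateway def1" with two /1 routes rather
# than replacing the default route, so it also works when the default route is
# a point-to-point ppp0 link with no gateway address (the case behind the
# "Cannot read current default gateway" note). OpenVPN exports $trusted_ip and
# $dev to route-up scripts; WAN_IF and LAN_NET are assumptions for this setup.
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Dotted-quad check: the server address comes from the environment, so
# validate it before it is spliced into route and iptables commands.
is_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Emit the commands one per line without running them, so the plan can be
# reviewed (and tested) without root or live interfaces.
vpn_route_plan() {
    server_ip=$1; tun_if=$2
    printf '%s\n' \
      "ip route replace $server_ip/32 dev $WAN_IF" \
      "ip route replace 0.0.0.0/1 dev $tun_if" \
      "ip route replace 128.0.0.0/1 dev $tun_if" \
      "iptables -t nat -D POSTROUTING -o $WAN_IF -j MASQUERADE" \
      "iptables -t nat -A POSTROUTING -s $LAN_NET -o $tun_if -j MASQUERADE" \
      "iptables -A FORWARD -s $LAN_NET -o $WAN_IF -j REJECT"
}

# Apply the plan. The -D may fail if the ppp0 MASQUERADE rule was never
# installed; any other failure aborts. The final REJECT is the kill switch:
# if tun0 goes away, LAN traffic is refused rather than NATed out over ppp0.
vpn_route_apply() {
    is_ipv4 "$1" || { echo "refusing non-IPv4 server address: $1" >&2; return 1; }
    case $2 in ""|*[!A-Za-z0-9_.-]*) echo "bad device name: $2" >&2; return 1 ;; esac
    vpn_route_plan "$1" "$2" | while IFS= read -r cmd; do
        case $cmd in
            "iptables -t nat -D "*) $cmd 2>/dev/null ;;
            *) $cmd || exit 1 ;;
        esac
    done
}

# Run only when invoked by OpenVPN (route-up sets these); harmless when sourced.
if [ -n "$trusted_ip" ] && [ -n "$dev" ]; then
    vpn_route_apply "$trusted_ip" "$dev"
fi
```

Wire it in with `script-security 2` and `route-up /path/to/this-script` in the .ovpn file, and leave the ppp0 default route alone: the /32 host route carries only the router's own OpenVPN packets out ppp0, while the two /1 routes win over the default for everything else.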