Routing traffic over p2p1 and tun0 correctly
I have been trawling these questions and trying many different solutions to get this working, but I seem to have a problem with getting my routing set up correctly. I have a box installed in a network with no Internet access with the exception of OpenVPN to my server. Everything else is blocked leaving the LAN segment the box is on.
The box opens a connection to my VPN server, so now I have p2p1 and tun0. The setup for /etc/network/interfaces is:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.56.211
netmask 255.255.255.0
gateway 192.168.56.251
dns-nameservers 192.168.100.20 192.168.50.35
The OpenVPN connection comes up and connects as you would expect, allowing me to SSH into the box via the VPN from outside the LAN. The issue is that all outgoing data is trying to use the local gateway. I haven't been able to get any routing configuration so far to pass the following:
- Local LAN via 192.168.56.251
- Secondary LAN (192.168.50.x) via 192.168.56.251
- VPN Server via 192.168.56.251
- Internet via tun0 (OpenVPN interface)
I've tried using
up route add -net 1.2.3.4/32 gw 10.8.4.9
to configure at least one server to get a connection via the VPN, but still no joy. It's like nothing is routing correctly. At the very minimum I at least need to get apt-get working via the VPN and then getting my webserver to go via it as well. I can cope with it being limited like that, but ideally I just want to fix it so the routes are correct!
networking server openvpn routing
asked Jul 2 '15 at 10:23
teknetia
62
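One way to get the four routes the question lists, as an added example that is not part of the original post: a POSIX shell script that prints the ip(8) commands in the order they must be applied, sanity-checks the plan offline, and can be run as an OpenVPN --up hook. The addresses are assumptions taken from the question's interfaces file and its route attempt (LAN gateway 192.168.56.251, tun0 peer 10.8.4.9); the VPN server address is a documentation-range placeholder and the route_plan, route_plan_ok, apply_routes and check_live names are this example's own.

```shell
#!/bin/sh
# Added example, not from the question: emit and optionally apply the route set
# the question lists, in the order the kernel needs it. Every address is an
# assumption taken from the question's interfaces file and its tun0 attempt;
# VPN_SERVER is a documentation-range placeholder and must be replaced.
set -u

LAN_GW="${LAN_GW:-192.168.56.251}"          # gateway line of /etc/network/interfaces
SECONDARY_NET="${SECONDARY_NET:-192.168.50.0/24}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"    # placeholder: public address of the OpenVPN server
TUN_DEV="${TUN_DEV:-tun0}"
TUN_GW="${TUN_GW:-10.8.4.9}"                # tun0 peer from the question's route attempt

# route_plan prints one ip(8) command per line. Order matters: the host route
# to the VPN server and the secondary LAN go via the local gateway first, then
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel. Both /1 prefixes are longer than
# the existing 0.0.0.0/0, so they capture Internet traffic without removing the
# default route that keeps the tunnel endpoint reachable (the same idea as
# OpenVPN's "redirect-gateway def1").
route_plan() {
    printf 'ip route replace %s/32 via %s\n' "$VPN_SERVER" "$LAN_GW"
    printf 'ip route replace %s via %s\n' "$SECONDARY_NET" "$LAN_GW"
    printf 'ip route replace 0.0.0.0/1 via %s dev %s\n' "$TUN_GW" "$TUN_DEV"
    printf 'ip route replace 128.0.0.0/1 via %s dev %s\n' "$TUN_GW" "$TUN_DEV"
}

# route_plan_ok returns 0 when the plan still sends the VPN endpoint via the
# LAN gateway, i.e. the tunnel will not try to carry its own packets.
# The check is textual so it can run before touching the kernel.
route_plan_ok() {
    route_plan | grep -q "^ip route replace $VPN_SERVER/32 via $LAN_GW\$"
}

# apply_routes runs the plan. It is meant to be called from an OpenVPN --up
# script, where OpenVPN exports $dev and $route_vpn_gateway; pass those in as
# TUN_DEV and TUN_GW. Needs root, so it never runs by default.
apply_routes() {
    route_plan_ok || { echo "refusing to apply: VPN endpoint route missing" >&2; return 1; }
    route_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# check_live asks the kernel which interface each destination would use.
# Expect tun0 for the public address (198.51.100.1 is a constructed example)
# and the LAN interface for the secondary LAN and the VPN server.
# Run only on the real box after apply_routes.
check_live() {
    for dst in "$VPN_SERVER" 192.168.50.1 198.51.100.1; do
        printf '%s -> ' "$dst"; ip route get "$dst" | head -n 1
    done
}

if [ "${1:-}" = "apply" ]; then apply_routes; fi
if [ "${1:-}" = "check" ]; then check_live; fi
```

Running the script with no argument only defines the functions; `sh vpn-routes.sh apply` (as root, or from an OpenVPN --up script) applies the plan, and `sh vpn-routes.sh check` shows the kernel's choice per destination so a wrong interface is visible before apt-get is tried. Adding `up route ...` lines to the interfaces file, as the question tried, cannot work for tun0 because that interface does not exist when eth0 comes up; the routes have to be added once the tunnel is.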
1 Answer
In my case, eth1 is the device I want to be an available gateway on my LAN, and ppp0 is the name of my VPN connection when it's active on that machine (connects via eth0, but for deadswitch security we won't name it in the routing).
Set up your iptables for NAT from the LAN to the VPN-connected gateway:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i ppp0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
Remember to save your iptables and activate IP forwarding.
answered Apr 1 at 21:21
Charney Kaye
392413
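The answer's three rules with the forwarding and persistence steps it mentions made explicit, as an added example that is not the answer's own script: a POSIX shell script that prints the plan, checks that no FORWARD rule can send LAN traffic out of anything but the tunnel, and applies and saves it on request. Interface names follow the answer (eth1 on the LAN side, ppp0 for the VPN); the LAN prefix 192.168.1.0/24, the rules.v4 path and the fw_plan, fw_plan_leakproof and fw_apply names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own script: the answer's three rules,
# reorganised so the LAN can only reach the Internet through the tunnel.
# Interface names follow the answer (eth1 = LAN side, ppp0 = VPN); the LAN
# prefix is an assumption. fw_plan only prints; fw_apply needs root.
set -u

LAN_DEV="${LAN_DEV:-eth1}"
VPN_DEV="${VPN_DEV:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed LAN prefix behind eth1

# fw_plan prints the commands in order. The FORWARD policy is DROP and only the
# LAN<->VPN pairs are accepted, so if ppp0 goes away nothing is forwarded out of
# the underlying eth0: the "deadswitch" behaviour the answer alludes to, made
# explicit instead of relying on the absence of a rule.
fw_plan() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$LAN_DEV" "$VPN_DEV" "$LAN_NET"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$VPN_DEV" "$LAN_DEV"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$LAN_NET" "$VPN_DEV"
}

# fw_plan_leakproof returns 0 if no FORWARD rule names an output interface
# other than the VPN or LAN device, i.e. nothing can be forwarded via eth0.
fw_plan_leakproof() {
    ! fw_plan | grep 'FORWARD' | grep -- '-o' \
        | grep -v -e "-o $VPN_DEV" -e "-o $LAN_DEV" | grep -q .
}

# fw_apply runs the plan and persists it. /etc/iptables/rules.v4 is the file
# netfilter-persistent restores at boot on Debian/Ubuntu; adjust elsewhere.
fw_apply() {
    fw_plan_leakproof || { echo "plan would forward outside the tunnel" >&2; return 1; }
    fw_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
    mkdir -p /etc/iptables
    iptables-save > /etc/iptables/rules.v4
}

if [ "${1:-}" = "apply" ]; then fw_apply; fi
```

With no argument the script only defines the functions (`fw_plan` can be piped into a review before anything is touched); `sh lan-nat.sh apply` as root installs and saves the rules. The `-s "$LAN_NET"` match on the accept and MASQUERADE rules is the one addition to the answer's rules: without it any source that reaches eth1 is forwarded and NATed through the tunnel.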