
I have access to my university's VPN through OpenVPN, and would like to extend it to all the devices at home. I have cable internet, a DD-WRT router, a bunch of clients (mostly Windows), and a RHEL-derivative, two-NIC, always-on PC. Right now, the Linux router intermediates the traffic, with a setup of modem <-> RHEL-like router <-> DD-WRT device <-> clients. Usually, the traffic is masqueraded directly, but the Linux router automatically connects to uni's VPN, and for a bunch of journals, a script sets up VPN-intermediated traffic: ip route add table main 123.45.67.89 dev tun0.

I'd like to replace the RHEL computer with a single-NIC computer. The setup I am thinking about is modem <-> DD-WRT device <-> {clients, new RHEL router}. RHEL router will connect to the internet via the DD-WRT device. It will also connect to VPN. When the other clients want access to the internet, DD-WRT should route them through RHEL, which in turn will decide to route directly or, if a connection to 123.45.67.89 is desired, through tun0.

Is that possible? How would you do it?

nvja
  • Does your modem have two ethernet ports? If it does, it is possible with even a slight improvement. – MariusMatutiae Dec 24 '14 at 19:38
  • Nah, it's a plain DOCSIS 3 modem. The hope was that DD-WRT and RHEL devices can create some sort of eth1:1. Then, DD-WRT would get to the modem through eth0, route all internet traffic to the eth1 which will then talk to RHEL's eth1. RHEL would fiddle with packets, and re-send local traffic through eth1:1 to DD-WRT's eth1:1. Finally, these fiddled packages are sent by DD-WRT to the other computers, using the other physical adapters. I am not sure if this is possible though. – nvja Dec 25 '14 at 03:05

1 Answer


You have to put your DD-WRT-router and all your client machines into different subnets so they don't talk directly, but only through RHEL-router. For that you have to assign 2 ip-addresses from different subnets to the same NIC of the RHEL-router.

I built my lab to test the configuration on CentOS 7 machines. I also kept NetworkManager away (NM_CONTROLLED=no in all ifcfg files).

  1. On RHEL-router add another address to the same NIC by copying current NIC configuration and changing DEVICE and IP directives:

    cd /etc/sysconfig/network-scripts/
    cp ifcfg-eth0 ifcfg-eth0:1
    vim ifcfg-eth0:1
    
    ##### After editing, my ifcfg-eth0:1 looks like this:
    DEVICE=eth0:1
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=static
    IPADDR=10.0.0.10
    PREFIX=24
    
  2. Set up routes on RHEL-router to send traffic through vpn tunnel if connection goes to your university subnet, and default connection through DD-WRT-router otherwise, e.g.:

    # default route towards the DD-WRT device (replace the placeholder with its LAN address)
    ip route add default via <dd-wrt-ip-address> dev eth0
    # university subnet (e.g. 123.45.67.0/24) goes through the VPN tunnel
    ip route add <univ-subnet> dev tun0
    
  3. Enable ip-masquerading on RHEL-router. On my machine I used firewalld for that.

    # runtime rule only; add --permanent (and then --reload) to keep it across restarts
    firewall-cmd --add-rich-rule 'rule family=ipv4 masquerade'
    
  4. Put your home client machines on 10.0.0.0/24 subnet and have them use 10.0.0.10 (RHEL-router) as default gateway.

golem
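As an added example (not part of golem's answer), here is a small POSIX shell script that automates step 1: instead of copying ifcfg-eth0 and hand-editing it, it generates the alias file from the primary NIC's file and drops the keys that describe the physical NIC or its default route (GATEWAY, HWADDR, UUID, DNS*), which a plain `cp` would carry over into the alias. The sample ifcfg-eth0 contents, the temporary directory and the 10.0.0.10/24 alias address are constructed for the demo.

```shell
#!/bin/sh
# Added example: build ifcfg-eth0:1 for the single-NIC RHEL router.

# make_alias_ifcfg SRC_FILE DST_FILE ALIAS_DEVICE IP PREFIX
# Keeps generic keys from SRC (e.g. ONBOOT), drops NIC/route-specific ones,
# then appends the alias definition.
make_alias_ifcfg() {
    src=$1; dst=$2; dev=$3; ip=$4; prefix=$5
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # keys that are either rewritten below or must not be duplicated on an alias
    grep -Ev '^(DEVICE|NAME|IPADDR|PREFIX|NETMASK|GATEWAY|HWADDR|UUID|DNS[0-9]*|BOOTPROTO|NM_CONTROLLED)=' \
        "$src" > "$dst" || :
    {
        printf 'DEVICE=%s\n' "$dev"
        printf 'BOOTPROTO=static\n'
        printf 'NM_CONTROLLED=no\n'   # keep NetworkManager away, as in the answer
        printf 'IPADDR=%s\n' "$ip"
        printf 'PREFIX=%s\n' "$prefix"
    } >> "$dst"
}

# ifcfg_get FILE KEY -> prints the value of KEY (empty if the key is absent)
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# demo: constructed primary-NIC config in a temp dir; prints the dir path
demo() {
    d=$(mktemp -d)
    cat > "$d/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
NM_CONTROLLED=no
IPADDR=192.168.1.2
PREFIX=24
GATEWAY=192.168.1.1
HWADDR=00:11:22:33:44:55
DNS1=192.168.1.1
EOF
    make_alias_ifcfg "$d/ifcfg-eth0" "$d/ifcfg-eth0:1" eth0:1 10.0.0.10 24
    echo "$d"
}

# On the router itself (assumed paths) you would run:
#   make_alias_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0 \
#       /etc/sysconfig/network-scripts/ifcfg-eth0:1 eth0:1 10.0.0.10 24
```

After generating the file, `ifup eth0:1` (or a network restart) brings the second address up, and `ip addr show eth0` should list both 192.168.x.y and 10.0.0.10.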
  • All is fine, but what you posted is precisely my RHEL configuration, with eth0:1 replacing eth1. I am still in need for the DD-WRT settings which are robust enough, to ignore clients trying to bypass the intermediate computer. I recall Windows computers will ignore any net mask. In fact, I am still looking for confirmation that DD-WRT will be useful in this scenario. – nvja Dec 27 '14 at 08:56
  • I think the key is putting your client machines in one subnet, and putting your DD-WRT router in another, with RHEL-router being present in both as a middleman. I brought in the virtual interface configuration because you said you'd like to replace the two-NIC RHEL computer with a single-NIC. The virtual interface is there for RHEL-router to be able to handle the 2nd subnet. In such a setup nothing depends on the DD-WRT router at all. It's just doing its job by switching data-link frames of local traffic in the client-machines subnet, and routing out the IP traffic from the RHEL machine. – golem Dec 27 '14 at 13:50