1

My computer offer a Wifi AP, to share its eth Internet connection. It works painlessly.

I decided to connect my computer to my VPN server (my eth <=> VPN distant server), in order my "WifiAP clients" to surf the Internet after having been tunnelled in my VPN. And it does not work fully.

What does work: My computer can surf the web and ipecho.net/plain renders the distant VPN server IP. Allright. The WifiAP clients can ping the distant VPN server IP.

What does fail: The WifiAP clients cannot ping anything else and absolultly no domain (Impossible to reach 8.8.8.8 GDNS ip... no domain resolving).

Brief, without VPN, Mr Anybody can join the wifi and surf the WWW. With VPN, only my computer can do.

Is ip_forwarding not for tunnelling ?

What is wrong ? How can I fix it ?

____ ROUTE when VPN is on :

Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         10.8.0.77       128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.1        10.8.0.77       255.255.255.255 UGH   0      0        0 tun0
10.8.0.77       *               255.255.255.255 UH    0      0        0 tun0
13.37.42.0      *               255.255.255.0   U     0      0        0 wlan0
ns350510.ip-3-1  192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.8.0.77       128.0.0.0       UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 eth0
192.168.0.0     *               255.255.254.0   U     0      0        0 eth0

___ ROUTE when VPN is off

Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
13.37.42.0      *               255.255.255.0   U     0      0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 eth0
192.168.0.0     *               255.255.254.0   U     0      0        0 eth0

__ IPtables of the computer (which offers WIFI AP and is linked to VPN server):

 # Generated by iptables-save v1.4.21 
    *mangle
    :PREROUTING ACCEPT [7471:1066114]
    :INPUT ACCEPT [5960:830272]
    :FORWARD ACCEPT [1339:216774]
    :OUTPUT ACCEPT [717:92366]
    :POSTROUTING ACCEPT [2116:318321]
    :internet - [0:0]
    -A PREROUTING -j internet
    -A internet -m mac --mac-source 60:F8:4D:BE:43:AE -j RETURN
    -A internet -j MARK --set-xmark 0x3e7/0xffffffff
    COMMIT
    # Completed 
    # Generated by iptables-save v1.4.21 
    *nat
    :PREROUTING ACCEPT [1710:298954]
    :INPUT ACCEPT [1480:280336]
    :OUTPUT ACCEPT [28:4162]
    :POSTROUTING ACCEPT [86:6162]
    -A PREROUTING -i wlan0 -p tcp -m mark --mark 0x3e7 -m tcp --dport 80 -j DNAT --to-destination 13.37.42.1:80
    -A PREROUTING -i wlan0 -p tcp -m mark --mark 0x3e7 -m tcp --dport 443 -m conntrack --ctstate NEW -j DNAT --to-destination 13.37.42.1:80
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o wlan0 -j MASQUERADE
    COMMIT
    # Completed 
    # Generated by iptables-save v1.4.21 
    *filter
    :INPUT ACCEPT [6041:840617]
    :FORWARD ACCEPT [380:110945]
    :OUTPUT ACCEPT [753:102159]
    -A FORWARD -i wlan0 -j ACCEPT
    COMMIT
    # Completed

____ Server OpenVPN conf

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key

dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log-append /etc/openvpn/logs/openvpn.log
verb 3

___ Client OpenVPN Conf

client
ns-cert-type server
remote www.example.com 1194
#route-nopull
ca ca.crt
cert client_1337.crt
key client_1337.key
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3

___Server Iptables

*filter
    :INPUT ACCEPT [1623:213921]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [911:146048]
    :acctboth - [0:0]
    :cphulk - [0:0]
    -A INPUT -j cphulk 
    -A INPUT -j acctboth 
    -A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT 
    -A INPUT -i tun+ -j ACCEPT 
    -A FORWARD -i tun+ -j ACCEPT 
    -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A OUTPUT -j acctboth 
    -A OUTPUT -o tun+ -j ACCEPT 
    -A acctboth -s 3.1.170.110/32 ! -i lo -p tcp -m tcp --dport 80 
    -A acctboth -d 3.1.170.110/32 ! -i lo -p tcp -m tcp --sport 80 
    -A acctboth -s 3.1.170.110/32 ! -i lo -p tcp -m tcp --dport 25 
    -A acctboth -d 3.1.170.110/32 ! -i lo -p tcp -m tcp --sport 25 
    -A acctboth -s 3.1.170.110/32 ! -i lo -p tcp -m tcp --dport 110 
    -A acctboth -d 3.1.170.110/32 ! -i lo -p tcp -m tcp --sport 110 
    -A acctboth -s 3.1.170.110/32 ! -i lo -p icmp 
    -A acctboth -d 3.1.170.110/32 ! -i lo -p icmp 
    -A acctboth -s 3.1.170.110/32 ! -i lo -p tcp 
    -A acctboth -d 3.1.170.110/32 ! -i lo -p tcp 
    -A acctboth -s 3.1.170.110/32 ! -i lo -p udp 
    -A acctboth -d 3.1.170.110/32 ! -i lo -p udp 
    -A acctboth -s 3.1.170.110/32 ! -i lo 
    -A acctboth -d 3.1.170.110/32 ! -i lo 
    -A acctboth -s 10.8.0.1/32 ! -i lo -p tcp -m tcp --dport 80 
    -A acctboth -d 10.8.0.1/32 ! -i lo -p tcp -m tcp --sport 80 
    -A acctboth -s 10.8.0.1/32 ! -i lo -p tcp -m tcp --dport 25 
    -A acctboth -d 10.8.0.1/32 ! -i lo -p tcp -m tcp --sport 25 
    -A acctboth -s 10.8.0.1/32 ! -i lo -p tcp -m tcp --dport 110 
    -A acctboth -d 10.8.0.1/32 ! -i lo -p tcp -m tcp --sport 110 
    -A acctboth -s 10.8.0.1/32 ! -i lo -p icmp 
    -A acctboth -d 10.8.0.1/32 ! -i lo -p icmp 
    -A acctboth -s 10.8.0.1/32 ! -i lo -p tcp 
    -A acctboth -d 10.8.0.1/32 ! -i lo -p tcp 
    -A acctboth -s 10.8.0.1/32 ! -i lo -p udp 
    -A acctboth -d 10.8.0.1/32 ! -i lo -p udp
ArchiT3K
  • 577

2 Answers2

2

What the issue is

So what you want is for the network address transfer to work (NAT). I don't pretend to be an iptables expert, but I can see based on this part of your iptables-save:

*nat
:PREROUTING ACCEPT [1710:298954]
:INPUT ACCEPT [1480:280336]
:OUTPUT ACCEPT [28:4162]
:POSTROUTING ACCEPT [86:6162]
-A PREROUTING -i wlan0 -p tcp -m mark --mark 0x3e7 -m tcp --dport 80 -j DNAT --to-destination 13.37.42.1:80
-A PREROUTING -i wlan0 -p tcp -m mark --mark 0x3e7 -m tcp --dport 443 -m conntrack --ctstate NEW -j DNAT --to-destination 13.37.42.1:80
-A POSTROUTING -o eth0 -j MASQUERADE #####this line
-A POSTROUTING -o wlan0 -j MASQUERADE

... and this part:

*filter
:INPUT ACCEPT [6041:840617]
:FORWARD ACCEPT [380:110945]
:OUTPUT ACCEPT [753:102159]
-A FORWARD -i wlan0 -j ACCEPT  #####this line
COMMIT

... that you seem to be forwarding things coming in on wlan0, which are allowed to MASQUERADE on eth0. However, your routing table will direct all general traffic through your tun0 interface, because one of the two lines with GENMASK 128.0.0.0 will always match before the default destination on eth0 with GENMASK 0.0.0.0. That means that you are forwarding incoming wlan0 packets to eth0, but your general traffic goes through the interface tun0. You want to forward wlan0 packets to tun0.

Possible solution

You might be able to fix this, without changing any of your existing iptables (again, I'm not an iptables expert, and your iptables is much more complicated than mine) by running:

sudo iptables --table nat --append POSTROUTING --out-interface tun0 -j MASQUERADE

How I do NAT

I wrote this short script to set up NAT on my computers, because I can never remember the commands. So in the absence of the rest of your iptables, you could just run nat tun0 wlan0 to pass the internet connection on tun0 to wlan0.

#!/bin/bash
# I named this script "nat"
if [ $# -lt 2 ]
        then
        echo usage: nat \<internet connection iface\> \<recieving iface\>
        exit 0
fi

internetiface=$1;
receivingiface=$2;

sudo iptables --table nat --append POSTROUTING --out-interface $internetiface -j MASQUERADE
sudo iptables --append FORWARD --in-interface $receivingiface -j ACCEPT


echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
rexroni
  • 1,508
0

There is nothing wrong with your configuration of the VPN and of the firewall rules. What you are missing is the fact that you have only one gateway, 192.168.0.1, and that's only reachable via eth0, and of course it is not reachable via wlan0, just check your routing table.

This behaviour is normal: in all OSes there can only be one interface linked to the gateway, because the kernel must know unequivocally how to route packets.

In all OSes... except Linux, where you can add a second (and a third, a fourth...) routing table, provided you also add rules which tell the kernel when to use each of the routing tables unequivocally. This is what you need to do: set up a second routing table, then add a rule which says that all packets coming from the tun0 subnet must be routed via this second routing table.

This is called policy routing. You do it as follows: choose a name for the new table, then 

     echo 200 <NAME1> >> /etc/iproute2/rt_tables
     ip route add <NET1> dev <DEV1> src <SRC1> table <NAME1>

(here DEV1 is wlan0, NET1 and SRC1 are the network and IP address wlan0 already has), 

     ip route add default via <IP1> table <NAME1>

(IP1 is your lan's gateway), and lastly

     ip rule add from <IP1> table <NAME1>

Here IP1 is the subnet of the interface tun0.

This is all.

MariusMatutiae
  • 4,372
  • 1
  • 25
  • 36