Routing traffic on ethernet switch through VPN (Ubuntu 20.04)
I also have a VPN tunnel open on the PC using OpenConnect (iface: `tun0`).
Now I want traffic to/from `myDevice` to use the VPN tunnel. I tried to configure a second routing table that will route `eth1` traffic through `tun0` but the forwarding through `tun0` doesn't seem to work. The device still receives traffic through my regular LAN. I'm currently trying to mark all traffic through `eth1` and configure all marked traffic to use the second routing table that has one default route through the VPN. Is there a simpler way to accomplish this? Is there anything obviously wrong with my setup? What I don't understand is why no traffic matches the FORWARD iptables rules.
For reference, this post describes pretty much the same desired setup, but there are no accepted answers on that one.
sudo iptables -L -n -v:
Code:
Chain INPUT (policy ACCEPT 26559 packets, 24M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 16263 packets, 2949K bytes)
pkts bytes target prot opt in out source destination
sudo iptables -L -n -v -t nat:
Code:
Chain PREROUTING (policy ACCEPT 29 packets, 9835 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 29 packets, 9835 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1096 packets, 263K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1096 packets, 263K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * tun0 192.168.246.0/24 0.0.0.0/0
sudo iptables -L -n -v -t mangle:
Code:
Chain PREROUTING (policy ACCEPT 26564 packets, 24M bytes)
pkts bytes target prot opt in out source destination
100 22840 MARK all -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x2
Chain INPUT (policy ACCEPT 26560 packets, 24M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16263 packets, 2949K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 16293 packets, 2950K bytes)
pkts bytes target prot opt in out source destination
ip route show:
Code:
default via 192.168.1.1 dev eth0 proto dhcp metric 101
169.254.0.0/16 dev eth0 scope link metric 1000
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.155 metric 101
192.168.246.0/24 dev eth1 proto kernel scope link src 192.168.246.229 metric 102
second routing table:
Code:
default dev tun0 scope link
Note: this is a x-post from ServerFault so if that's against forum rules I'm happy to delete this or that post.
Last edited by __mib137__; 06-27-2021 at 01:46 PM.
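The post describes the intended mechanism (mark everything arriving on `eth1`, send marked packets to a second table whose only route is the tunnel) but shows no `ip rule` tying the mark to that table and does not mention `net.ipv4.ip_forward`; if forwarding is off, transit packets are discarded at the routing decision and never reach the FORWARD chain, which is consistent with a mangle MARK counter that climbs while FORWARD stays at zero. The script below is an added example, not code from the thread or from OpenConnect, that lays out the complete recipe in order. Interface names, the mark value and the LAN subnet (`eth1`, `tun0`, `0x2`, `192.168.246.0/24`) are taken from the post; table id `100`, the TEST-NET probe address `192.0.2.1` and the `run`/`DRY_RUN` helper are my own assumptions. With `DRY_RUN=1` it only prints the commands for review; run `sudo ./script.sh apply` to apply them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): route everything that arrives on a
# LAN-side interface out through an OpenConnect tunnel using an fwmark and a
# second routing table. eth1/tun0/0x2/192.168.246.0/24 come from the post;
# table id 100 and the DRY_RUN helper are assumptions made for this example.
set -eu

# run CMD...: execute the command, or only print it when DRY_RUN=1 so the plan
# can be reviewed (and tested) without root or real interfaces.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# configure_fwmark_routing LAN_IF VPN_IF MARK TABLE LAN_SUBNET
configure_fwmark_routing() {
    local lan_if=$1 vpn_if=$2 mark=$3 table=$4 lan_net=$5

    # 1. Without forwarding the kernel discards transit packets during the
    #    routing decision, so they never reach FORWARD and its counters stay 0.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Replies come back in on the tunnel while the main table's default
    #    route points at another interface; strict reverse-path filtering (1)
    #    would drop them, so use loose mode (2) on the tunnel interface.
    run sysctl -w "net.ipv4.conf.${vpn_if}.rp_filter=2"

    # 3. Mark packets as they arrive on the LAN side. mangle PREROUTING runs
    #    before the routing decision, so the mark can influence it.
    run iptables -t mangle -A PREROUTING -i "$lan_if" -j MARK --set-mark "$mark"

    # 4. The policy rule links the mark to the table. Without it the second
    #    table is never consulted and marked packets follow the main default.
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route replace default dev "$vpn_if" table "$table"

    # 5. Source-NAT LAN addresses to the tunnel address and allow both
    #    directions through FORWARD; conntrack lets only replies back in.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$vpn_if" -j MASQUERADE
    run iptables -A FORWARD -i "$lan_if" -o "$vpn_if" -j ACCEPT
    run iptables -A FORWARD -i "$vpn_if" -o "$lan_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# verify_fwmark_routing VPN_IF MARK TABLE: the rule must be listed, a marked
# lookup must pick the tunnel, and the FORWARD / MASQUERADE counters should
# increase as the device talks. 192.0.2.1 is a TEST-NET placeholder address.
verify_fwmark_routing() {
    local vpn_if=$1 mark=$2 table=$3
    run ip rule show
    run ip route show table "$table"
    run ip route get 192.0.2.1 mark "$mark"
    run iptables -L FORWARD -n -v
    run iptables -t nat -L POSTROUTING -n -v
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    configure_fwmark_routing eth1 tun0 0x2 100 192.168.246.0/24
    verify_fwmark_routing tun0 0x2 100
fi
```

The order matters only in one respect: the MARK rule and the `ip rule` are independent of each other, but neither does anything useful until both exist and forwarding is on. After applying, `ip route get 192.0.2.1 mark 0x2` should report `dev tun0`, and the FORWARD counters should start moving as soon as the device sends traffic; if the mangle counter moves but FORWARD does not, check `sysctl net.ipv4.ip_forward` first.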
I have done this two ways:
1. using a VPN definition on the router itself to route traffic to/from my workstation through the VPN.
2. Configuring a VPN concentrator on an old machine (an RPi might work for this) and using it as my router for that traffic.
When I did this I had VPN information for SITE-TO-SITE and NODE-TO-SITE VPN networking to a workplace and a customer site. I was doing networking every day, and maintained a few hundred VPN connections for that company. I often set up VPN concentrators on available hardware at the client site to secure the connection, so I was used to setting such things up on a daily basis. I had all of the networking information I could ever need.
With the information at hand, and a little research, it was easy.
If you are talking about commercial VPN services, you might have some hoops to jump through.
Quote:
I have done this two ways:
1. using a VPN definition on the router itself to route traffic to/from my workstation through the VPN.
2. Configuring a VPN concentrator on an old machine (an RPi might work for this) and using it as my router for that traffic.
Unfortunately I don't have an old machine/RPi available or want to change anything on the router. Any clue as to what might be wrong with my plan/configuration?
Am I correct that you already have a VPN set up and connected? Have you installed a copy of vpnc-script? This is what openconnect uses to update the routing and DNS settings.