Route traffic from tun0 to eth0 on certain ports

I'm having quite a headache on this one. It used to work, but I just realized it does not work anymore, possibly because of some update.

I have OpenVPN running with this config:

client
dev tun
proto udp
remote 45.152.181.35 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

script-security 2
up /etc/openvpn/update-resolv-conf
up-restart
down /etc/openvpn/update-resolv-conf
down-pre

dhcp-option DNSSEC allow-downgrade

remote-cert-tls server
dhcp-option DNS 10.0.0.50
dhcp-option DNS 10.0.0.51
route 10.0.0.50 255.255.255.255 net_gateway
route 10.0.0.51 255.255.255.255 net_gateway

verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
...

I have it up and running on tun0. By default, all my traffic is redirected to this interface, no problem.

I want some ports, 80 and 443 in particular, to be redirected to eth0 in order to use my regular public IP.

I used to get it done running this script:

ip rule add sport 80 table 128
ip rule add sport 443 table 128

ip route add table 128 to 10.0.0.0/24 dev eth0
ip route add table 128 default via 10.0.0.1

So it used to work like a charm, but now, for some reason, it does not work anymore.

ifconfig looks like this:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.50  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::dea6:32ff:feec:aff6  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::eb4d:9953:dab1:619f  prefixlen 64  scopeid 0x20<link>
        ether dc:a6:32:ec:af:f6  txqueuelen 1000  (Ethernet)
        RX packets 50096  bytes 34011045 (34.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 49083  bytes 24696341 (24.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 7445  bytes 1912768 (1.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7445  bytes 1912768 (1.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.1.9  netmask 255.255.255.0  destination 10.8.1.9
        inet6 fe80::bddd:593b:241f:491f  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 32682  bytes 25077475 (25.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26904  bytes 4130127 (4.1 MB)

To be clear, a command like curl -s https://checkip.amazonaws.com used to output my real public IP, now it outputs my VPN public IP.

I'm getting dizzy Googling this, tried a lot of things without success but as it used to work I'm suspecting something stupid I must be missing.

Any suggestion would be greatly appreciated.

A.B
What would be the results of `sysctl -ar \\.rp_filter`?
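Added example, not the poster's script nor anything from OpenVPN: it prints the rule/route commands for a bypass table and evaluates the rp_filter setting the comment asks about, since a strict reverse-path filter on eth0 silently drops the replies of traffic that leaves via eth0 while the main table points the default route at tun0. It assumes the LAN and gateway values from the post, that table 128 is free, that the goal is outbound connections to remote ports 80 and 443 (so the rules match dport), and the sysctl sample is constructed.

```shell
#!/bin/sh
# Added example (not the poster's script). Assumptions: LAN 10.0.0.0/24 on eth0
# with gateway 10.0.0.1 as in the post, table 128 is unused, and what should
# leave via eth0 is outbound connections to remote ports 80/443 (so: dport).

# Print, without running them, the rule/route commands for the bypass table.
bypass_cmds() {
  tbl=128; lan=10.0.0.0/24; gw=10.0.0.1; dev=eth0
  for p in 80 443; do
    printf 'ip rule add dport %s table %s\n' "$p" "$tbl"
  done
  printf 'ip route add table %s %s dev %s\n' "$tbl" "$lan" "$dev"
  printf 'ip route add table %s default via %s dev %s\n' "$tbl" "$gw" "$dev"
}

# Effective reverse-path filter on an interface: the kernel applies the larger
# of conf.all.rp_filter and conf.<iface>.rp_filter (0 off, 1 strict, 2 loose).
# $1 = interface, $2 = output of `sysctl -ar '\.rp_filter'`.
rp_filter_effective() {
  printf '%s\n' "$2" | awk -v i="$1" '
    BEGIN { key = "net.ipv4.conf." i ".rp_filter"; a = 0; d = 0 }
    $1 == "net.ipv4.conf.all.rp_filter" { a = $NF + 0 }
    $1 == key                           { d = $NF + 0 }
    END { m = a; if (d > m) m = d; print m }'
}

# Strict mode on eth0 breaks the bypass: replies arrive on eth0, but the main
# table (VPN default route) says their source is reachable via tun0, so the
# reverse-path check fails and the packets are silently dropped.
rp_filter_verdict() {
  case $(rp_filter_effective "$1" "$2") in
    1) echo "strict: replies on $1 dropped; run sysctl -w net.ipv4.conf.$1.rp_filter=2" ;;
    2) echo "loose: ok" ;;
    *) echo "off: ok" ;;
  esac
}

# Constructed sample of `sysctl -ar '\.rp_filter'` output (not from the post).
SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 0'

if [ "${1:-}" = demo ]; then
  bypass_cmds
  rp_filter_verdict eth0 "$SAMPLE"
  # After applying the rules, confirm which path the kernel picks for port 443:
  echo 'ip route get 192.0.2.10 dport 443   # 192.0.2.10 is a documentation address'
fi
```

Run it with `sh script.sh demo`; the rule and route commands need root and are printed rather than executed so they can be reviewed first.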