Join Log in
Score:0
avatar Server

Redirect traffic from an interface to a VPN tun interface with iptables

ge flag
Mazzy

I'm trying to achieve something easy but apparently I'm missing something.

In my box I have a VPN client running which created a tun0 interface. The box has external traffic coming from the eth0.

I would like to forward the traffic from eth0 to tun0. I run the following commands:

iptables -A FORWARD -i eth0 -o tun0 -s 192.168.100.0/28 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -o tun0 -j MASQUERADE

Note that I select the source IPs range because I want to forward only certain range.

Running tcpdump on the eth0 interface I can see the traffic coming in from a machine in the range 192.168.100.0/28 but I can't see traffic going into tun0.

IP forwarding is naturally on.

I'm not sure what I'm really missing here.

IP configuration of eth0 is 192.168.10.93/24 while tun0 is 10.8.8.15/24

➜  ~ ip r
default via 192.168.10.1 dev eth0  metric 100
10.8.8.0/24 dev tun0 scope link  src 10.8.8.15
172.17.0.0/16 dev docker0 scope link  src 172.17.0.1
172.30.32.0/23 dev hassio scope link  src 172.30.32.1
192.168.10.0/24 dev eth0 scope link  src 192.168.10.93  metric 100
1206
2 + 12
ge flag
Mazzy
The traffic that get into the box does not have destination `192.168.100.0/28` but it has source `192.168.100.0/28`. the destination is the Internet.
1
Reply
ge flag
Mazzy
IP configuration of `eth0` is `192.168.10.93/24` while `tun0` is `10.8.8.15/24`.
0
Reply
ge flag
Mazzy
`➜ ~ ip r default via 192.168.10.1 dev eth0 metric 100 10.8.8.0/24 dev tun0 scope link src 10.8.8.15 172.17.0.0/16 dev docker0 scope link src 172.17.0.1 172.30.32.0/23 dev hassio scope link src 172.30.32.1 192.168.10.0/24 dev eth0 scope link src 192.168.10.93 metric 100 `
0
Reply
ge flag
Mazzy
sure. added the required changes
0
Reply
ge flag
Mazzy
the destination of the traffic is the Internet generic external IPs. basically a machine generates Internet traffic that is forwarded to the `eth0` interface of this box and from `eth0` must be forwarded to `tun0` and then finally to the Internet. the most important thing is that the traffic leaves from `tun0` because it's a VPN.
0
Reply
in flag
NiKiZe
You talk about forwarding from `eth0` (internet) to `tun0` I can not figure out what you actually want to go where. Can you maybe give a better example of a packet that does not work. A packet that should reach the internet should be forwarded to `eth0` since that is your internet.
0
Reply
ge flag
Mazzy
Basically being the `tun0` interface of a VPN, the traffic should reach the Internet via `tun0` so it will appear masqued by the VPN connection. Basically in plain English what I'm trying to do is: all incoming traffic to the interface `eth0` with a specific source IP must be forwarded to the Internet via the interface `tun0` so it will appear behind a VPN connection.
0
Reply
in flag
NiKiZe
Can you reach internet over `tun0` as well? I think your understanding of what forwarding is is wrong. Could you please verify that you are sure what the source, and destination is in the scenarios you are thinking about. If you have traffic with a destination of "internet" coming in over `tun0` and want that forwarded to the internet, then it is `eth0` that should do MASQUERADE, but that does not work with your explanation of source range.
0
Reply
ge flag
Mazzy
Ok I will review all my assumptions and I will let you know.
0
Reply
ge flag
Mazzy
Also I will review this https://serverfault.com/questions/571801/tunneling-traffic-from-eth0-to-tun0-openvpn-ububtu-12-04 because it is exactly what I'm trying to achieve. thanks anyway
0
Reply
ge flag
Mazzy
but just to explain you the thing because I think I got what you did not understand, the machine with interfaces `eth0` and `tun0` will have to work as a forwarder. take traffic coming in to the interface `eth0` and shot it to the Internet via the `tun0` intertface.
0
Reply
in flag
NiKiZe
So tun0 is now internet and not eth0 What is the IP of the gateway on tun0?
0
Reply
Score:1
avatar Server
in flag
NiKiZe

Since this in the end might be about having traffic from 192.168.100.0/28 go out over tun0 This could be resolved by something like:

ip rule add from 192.168.100.0/28 lookup 10000
ip route add default via ${tun0gwip} table 10000

Also keep the iptables MASQUERADE which is needed unless the tun0 gw can route back to your other network.

0 + 6
ge flag
Mazzy
Thanks I'll try and see if it works. But my question is packets from eth0 should be forwarded to tun0. Why my forward command does not work?
0
Reply
in flag
NiKiZe
`iptables` is not responsible for where traffic is routed, that is the job of the `routing table`
2
Reply
ge flag
Mazzy
I'm not really familiar with `ip rule add` command so I need to explore it but this is what I get `ip rule add from 192.168.100.0/28 lookup 10000 ip: invalid argument '10000' to 'table ID' `
0
Reply
ge flag
Mazzy
I had to install `iproute2` tool. also I have found exactly all the commands needed and `iptables` is necessary at the end of the day otherwise there is no NATing. https://unix.stackexchange.com/questions/490662/how-to-route-traffic-from-br0-to-tun0-when-tun0-is-not-the-default-route-of-the
0
Reply
ge flag
Mazzy
I'm going to upvote your answer @NiKiZe but it's not fully correct in my case. In fact w/o `iptables` won't work.
1
Reply
in flag
NiKiZe
You already had MASQURADE part correct so did not include that. Will update to mention that as well.
0
Reply
Score:0
avatar Server
ge flag
Mazzy

This is the exact combination of commands that solved the issue:

Create a new route table named vpn under

➜  ~ cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
1 vpn

and then run:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -A FORWARD -i eth0 -o tun0 -s 192.168.100.0/28 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

ip route add default dev tun0 table vpn
ip route add 192.168.100.0/28 dev eth0 table vpn

ip rule add from 192.168.100.0/28 table vpn
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.