Score:0

Server

Redirect traffic from an interface to a VPN tun interface with iptables

Mazzy

12/4/22, 2:16 PM

I'm trying to achieve something easy but apparently I'm missing something.

In my box I have a VPN client running which created a tun0 interface. The box has external traffic coming from the eth0.

I would like to forward the traffic from eth0 to tun0. I run the following commands:

iptables -A FORWARD -i eth0 -o tun0 -s 192.168.100.0/28 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -o tun0 -j MASQUERADE

Note that I select the source IPs range because I want to forward only certain range.

Running tcpdump on the eth0 interface I can see the traffic coming in from a machine in the range 192.168.100.0/28 but I can't see traffic going into tun0.

IP forwarding is naturally on.

I'm not sure what I'm really missing here.

IP configuration of eth0 is 192.168.10.93/24 while tun0 is 10.8.8.15/24

➜  ~ ip r
default via 192.168.10.1 dev eth0  metric 100
10.8.8.0/24 dev tun0 scope link  src 10.8.8.15
172.17.0.0/16 dev docker0 scope link  src 172.17.0.1
172.30.32.0/23 dev hassio scope link  src 172.30.32.1
192.168.10.0/24 dev eth0 scope link  src 192.168.10.93  metric 100

1206

2 + 12

iptables

Mazzy

12/4/22, 2:59 PM

The traffic that get into the box does not have destination `192.168.100.0/28` but it has source `192.168.100.0/28`. the destination is the Internet.

Mazzy

12/4/22, 3:00 PM

IP configuration of `eth0` is `192.168.10.93/24` while `tun0` is `10.8.8.15/24`.

Mazzy

12/4/22, 3:00 PM

`➜ ~ ip r default via 192.168.10.1 dev eth0 metric 100 10.8.8.0/24 dev tun0 scope link src 10.8.8.15 172.17.0.0/16 dev docker0 scope link src 172.17.0.1 172.30.32.0/23 dev hassio scope link src 172.30.32.1 192.168.10.0/24 dev eth0 scope link src 192.168.10.93 metric 100 `

Mazzy

12/4/22, 3:06 PM

sure. added the required changes

Mazzy

12/4/22, 3:17 PM

the destination of the traffic is the Internet generic external IPs. basically a machine generates Internet traffic that is forwarded to the `eth0` interface of this box and from `eth0` must be forwarded to `tun0` and then finally to the Internet. the most important thing is that the traffic leaves from `tun0` because it's a VPN.

NiKiZe

12/4/22, 3:19 PM

You talk about forwarding from `eth0` (internet) to `tun0` I can not figure out what you actually want to go where. Can you maybe give a better example of a packet that does not work. A packet that should reach the internet should be forwarded to `eth0` since that is your internet.

Mazzy

12/4/22, 3:23 PM

Basically being the `tun0` interface of a VPN, the traffic should reach the Internet via `tun0` so it will appear masqued by the VPN connection. Basically in plain English what I'm trying to do is: all incoming traffic to the interface `eth0` with a specific source IP must be forwarded to the Internet via the interface `tun0` so it will appear behind a VPN connection.

NiKiZe

12/4/22, 3:28 PM

Can you reach internet over `tun0` as well? I think your understanding of what forwarding is is wrong. Could you please verify that you are sure what the source, and destination is in the scenarios you are thinking about. If you have traffic with a destination of "internet" coming in over `tun0` and want that forwarded to the internet, then it is `eth0` that should do MASQUERADE, but that does not work with your explanation of source range.

Mazzy

12/4/22, 3:30 PM

Ok I will review all my assumptions and I will let you know.

Mazzy

12/4/22, 3:33 PM

Also I will review this https://serverfault.com/questions/571801/tunneling-traffic-from-eth0-to-tun0-openvpn-ububtu-12-04 because it is exactly what I'm trying to achieve. thanks anyway

Mazzy

12/4/22, 3:40 PM

but just to explain you the thing because I think I got what you did not understand, the machine with interfaces `eth0` and `tun0` will have to work as a forwarder. take traffic coming in to the interface `eth0` and shot it to the Internet via the `tun0` intertface.

NiKiZe

12/4/22, 4:07 PM

So tun0 is now internet and not eth0 What is the IP of the gateway on tun0?

Score:1

Server

NiKiZe

12/4/22, 4:14 PM

Since this in the end might be about having traffic from 192.168.100.0/28 go out over tun0 This could be resolved by something like:

ip rule add from 192.168.100.0/28 lookup 10000
ip route add default via ${tun0gwip} table 10000

Also keep the iptables MASQUERADE which is needed unless the tun0 gw can route back to your other network.

0 + 6

Mazzy

12/4/22, 4:30 PM

Thanks I'll try and see if it works. But my question is packets from eth0 should be forwarded to tun0. Why my forward command does not work?

NiKiZe

12/4/22, 4:34 PM

`iptables` is not responsible for where traffic is routed, that is the job of the `routing table`

Mazzy

12/4/22, 6:56 PM

I'm not really familiar with `ip rule add` command so I need to explore it but this is what I get `ip rule add from 192.168.100.0/28 lookup 10000 ip: invalid argument '10000' to 'table ID' `

Mazzy

12/4/22, 7:12 PM

I had to install `iproute2` tool. also I have found exactly all the commands needed and `iptables` is necessary at the end of the day otherwise there is no NATing. https://unix.stackexchange.com/questions/490662/how-to-route-traffic-from-br0-to-tun0-when-tun0-is-not-the-default-route-of-the

Mazzy

12/4/22, 8:35 PM

I'm going to upvote your answer @NiKiZe but it's not fully correct in my case. In fact w/o `iptables` won't work.

NiKiZe

12/4/22, 8:50 PM

You already had MASQURADE part correct so did not include that. Will update to mention that as well.

Score:0

Server

Mazzy

12/4/22, 8:33 PM

This is the exact combination of commands that solved the issue:

Create a new route table named vpn under

➜  ~ cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
1 vpn

and then run:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -A FORWARD -i eth0 -o tun0 -s 192.168.100.0/28 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

ip route add default dev tun0 table vpn
ip route add 192.168.100.0/28 dev eth0 table vpn

ip rule add from 192.168.100.0/28 table vpn

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Redirect traffic from an interface to a VPN tun interface with iptables

TH: เปลี่ยนเส้นทางการรับส่งข้อมูลจากอินเทอร์เฟซไปยังอินเทอร์เฟซ VPN tun ด้วย iptables

RO: Redirecționați traficul de la o interfață la o interfață VPN tun cu iptables

RU: Перенаправление трафика с интерфейса на интерфейс настройки VPN с помощью iptables

VI: Chuyển hướng lưu lượng truy cập từ giao diện sang giao diện điều chỉnh VPN bằng iptables

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.