I'm trying to redirect network traffic for a specific user account (vpnnet) to an OpenVPN server. The tunnel is working fine when the default route is pulled, but I do not want to route all traffic through VPN, only for processes running with a given UID. So I disabled the automatic pulling of the default route and came up with the following:
iptables -t mangle -A OUTPUT -m owner --uid-owner vpnnet -j MARK --set-mark 42
ip route add default via 10.1.1.1 table 42
ip rule add fwmark 42 table 42
iptables -t nat -A POSTROUTING -o tun0 -m mark --mark 42 -j SNAT --to-source 10.1.1.100
The local address is 10.1.1.100 and 10.1.1.1 is the remote gateway.
ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.1.1.100 netmask 255.255.255.0 destination 10.1.1.100
inet6 ****::****::****::****::**** prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 128 bytes 10032 (9.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 108 bytes 8832 (8.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ip route show
default via 172.31.1.1 dev eth0 proto dhcp metric 100
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.100 metric 50
172.31.1.0/24 dev eth0 proto kernel scope link src 172.31.1.100 metric 100
172.31.1.1 dev eth0 proto static scope link metric 100
ip route show table 42
default via 10.1.1.1 dev tun0
When starting a shell under the user vpnuser and pinging the Google DNS server 8.8.8.8, the ping has 100% packet loss. tcpdump shows that requests are going out and replies are coming in on the correct interface:
tcpdump -nn -vv -i tun0
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
20:33:28.938772 ip: (tos 0x0, ttl 64, id 7713, offset 0, flags [DF], proto ICMP (1), length 84)
10.1.1.100 > 8.8.8.8: ICMP echo request, id 5078, seq 1, length 64
20:33:29.029533 ip: (tos 0x48, ttl 115, id 0, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 10.1.1.100: ICMP echo reply, id 5078, seq 1, length 64
20:33:29.938962 ip: (tos 0x0, ttl 64, id 7790, offset 0, flags [DF], proto ICMP (1), length 84)
10.1.1.100 > 8.8.8.8: ICMP echo request, id 5078, seq 2, length 64
20:33:30.029685 ip: (tos 0x48, ttl 115, id 0, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 10.1.1.100: ICMP echo reply, id 5078, seq 2, length 64
20:33:30.938838 ip: (tos 0x0, ttl 64, id 8152, offset 0, flags [DF], proto ICMP (1), length 84)
10.1.1.100 > 8.8.8.8: ICMP echo request, id 5078, seq 3, length 64
20:33:31.029179 ip: (tos 0x48, ttl 115, id 0, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 10.1.1.100: ICMP echo reply, id 5078, seq 3, length 64
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11001ms
The iptables log does not show any dropped packets.
The operating system is CentOS 7.
I would be very thankful if somebody could point me in the right direction.
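Added example, not part of the question or the poster's configuration: a small Python model of the two route lookups the kernel performs for this setup, built only from the tables, rules and addresses shown in the question. It reproduces the outbound decision (why the owner mark sends the packet out tun0 but leaves the socket's eth0 source address in place, which is what the SNAT rule compensates for) and then applies the reverse-path check that every incoming packet is subject to. One explanation consistent with "tcpdump sees the reply on tun0, ping never gets it" is strict reverse-path filtering (net.ipv4.conf.<dev>.rp_filter=1, which RHEL/CentOS 7 enables by default for new interfaces): the reply is unmarked, so its reverse lookup goes through the main table and resolves to eth0, not tun0, and the kernel discards it after tcpdump has already seen it. The UID value is constructed, and the lookup logic is a simplified model of Linux policy routing and fib_validate_source, not kernel code.

```python
"""Model of the two route lookups behind the symptom in the question.

Constructed example: addresses, tables and rules are those shown in the
question; UID and lookup logic are a simplified model, not kernel code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPN_UID = 1001          # constructed UID for the 'vpnnet' account (assumption)
VPN_MARK = 42           # --set-mark 42 from the mangle OUTPUT rule


@dataclass(frozen=True)
class Route:
    prefix: str         # destination prefix ("0.0.0.0/0" is the default route)
    dev: str            # output interface
    src: str            # preferred source address for this route


@dataclass(frozen=True)
class Rule:
    table: str
    fwmark: Optional[int] = None   # matches only packets carrying this mark


# `ip route show` and `ip route show table 42` from the question.
TABLES = {
    "main": [
        Route("0.0.0.0/0", "eth0", "172.31.1.100"),
        Route("10.1.1.0/24", "tun0", "10.1.1.100"),
        Route("172.31.1.0/24", "eth0", "172.31.1.100"),
    ],
    "42": [Route("0.0.0.0/0", "tun0", "10.1.1.100")],
}
# `ip rule add fwmark 42 table 42`; the main table is consulted afterwards.
RULES = [Rule("42", fwmark=VPN_MARK), Rule("main")]


def lookup(dst: str, mark: int = 0) -> Optional[Route]:
    """Walk the rules in order; longest prefix wins inside the selected table.
    If a selected table has no route for dst, fall through to the next rule."""
    addr = ipaddress.ip_address(dst)
    for rule in RULES:
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        hits = [r for r in TABLES[rule.table]
                if addr in ipaddress.ip_network(r.prefix)]
        if hits:
            return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return None


def egress(uid: int, dst: str) -> dict:
    """Outbound path of a locally generated packet.

    The socket's source address is fixed by the first, unmarked lookup.  The
    owner match in mangle OUTPUT then sets the mark and the kernel re-routes
    the packet, which changes the interface but not the chosen source address;
    the SNAT rule in the question exists to close exactly that gap."""
    first = lookup(dst)
    mark = VPN_MARK if uid == VPN_UID else 0
    final = lookup(dst, mark)
    snat_needed = first.src != final.src
    return {
        "dev": final.dev,
        "src": first.src,                    # address the socket believes it uses
        "mark": mark,
        "snat_needed": snat_needed,
        "wire_src": final.src if snat_needed else first.src,
    }


def reply_accepted(reply_src: str, iif: str, rp_filter: int) -> bool:
    """Reverse-path check on an incoming packet (modelled on fib_validate_source).

    The reply's source is looked up as if it were a destination, unmarked: the
    reply carries no fwmark, so the rule for table 42 does not apply.
    rp_filter=1 (strict) requires the route to point back out the arrival
    interface; rp_filter=2 (loose) accepts any route to the source; 0 disables."""
    if rp_filter == 0:
        return True
    back = lookup(reply_src, mark=0)
    if back is None:
        return False
    if rp_filter == 2:
        return True
    return back.dev == iif


def main():
    out = egress(VPN_UID, "8.8.8.8")
    print(f"vpnnet -> 8.8.8.8 leaves via {out['dev']}, wire source {out['wire_src']}"
          f" (SNAT needed: {out['snat_needed']})")
    # conntrack undoes the SNAT before the route lookup, so the reply reaching
    # this check is 8.8.8.8 -> 172.31.1.100, arriving on tun0
    for mode in (1, 2):
        ok = reply_accepted("8.8.8.8", "tun0", rp_filter=mode)
        print(f"reply on tun0 with rp_filter={mode}: {'accepted' if ok else 'dropped'}")


if __name__ == "__main__":
    main()
```

On a live host the equivalent checks are `sysctl net.ipv4.conf.tun0.rp_filter` (1 means strict) and `ip route get 172.31.1.100 from 8.8.8.8 iif tun0`, which exercises the input path for the de-NATed reply and reports "Invalid cross-device link" when the reverse-path check would discard it. Setting tun0 to loose mode (rp_filter=2) is the least invasive way to let replies arriving on the tunnel through while keeping the check active elsewhere; the model above shows that change flipping the result without touching the routing tables.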