Score:0

How to deal with DNS requests when using multiple OpenVPN connection and policy based route?


I have 2 subnets in my local network (192.168.4.0/24, 192.168.5.0/24), but only 1 gateway server (192.168.4.223) which has 2 OpenVPN connections (10.100.2.6/24, 10.100.3.6/24). The topology is like this (topology diagram not included in the post):

I want computers in 192.168.4.0/24 (such as Computer B) to connect to the Internet via OpenVPN server 2 and computers in 192.168.5.0/24 (such as Computer A) to connect to the Internet via OpenVPN server 1.

On OPENWRT router:

## What I did:
vi /etc/iproute2/rt_tables 
...
110    myovp   # Add a table for 192.168.5.0/24
...
# Then add rules for iproute2 and iptables:
ip rule add fwmark 110 table 110
ip rule add to 192.168.4.0/24 table main
ip route add default via 192.168.4.223 dev br-lan_1 table 110
iptables -t mangle -A PREROUTING -i br-lan_2 -j MARK --set-mark 110

## Some outputs:
# Output of `ip rule`:
0:      from all lookup local
32764:  from all to 192.168.4.0/24 lookup main
32765:  from all fwmark 0x6e lookup myovp
32766:  from all lookup main
32767:  from all lookup default
# Output of `ip route show`:
192.168.4.0/24 dev br-lan_1 proto kernel scope link src 192.168.4.1
192.168.5.0/24 dev br-lan_2 proto kernel scope link src 192.168.5.1
# Output of `ip route show table 110`:
default via 192.168.4.223 dev br-lan_1
# Output of `iptables -t mangle -L PREROUTING -v`
Chain PREROUTING (policy ACCEPT 871K packets, 177M bytes)
 pkts bytes target     prot opt in     out     source               destination
28030 1954K MARK       all  --  br-lan_2 any     anywhere             anywhere             MARK set 0x6e

On Debian Gateway Server:

## What I did:
vi /etc/iproute2/rt_tables 
...
110    myovp   # Add a table for 192.168.5.0/24
...
# Then add rules for iproute2 and iptables:
ip rule add fwmark 110 table 110
ip rule add to 192.168.4.0/24 table main
ip rule add to 192.168.5.0/24 table main
ip route add default via 10.100.2.1 dev tun0 table 110
ip route add 192.168.5.0/24 via 192.168.4.1 dev enp4s0
iptables -t mangle -A PREROUTING -i enp4s0 -s 192.168.5.0/24 -j MARK --set-mark 110
# Then add rules for NAT and FORWARD:
iptables -A FORWARD -i enp4s0 -j ACCEPT
iptables -A FORWARD -i tun1 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp4s0 -o tun1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp4s0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun1 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o tun1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o tun0 -j MASQUERADE

## Some outputs:
# Output of `ip addr`:
...
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.100.3.6/24 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::fd55:444a:552a:a454/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.100.2.6/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::af61:acf1:4e9c:b1a8/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
...
# Output of `ip route show`:
0.0.0.0/1 via 10.100.3.1 dev tun1
default via 192.168.4.1 dev enp4s0 proto static metric 100
10.100.2.0/24 dev tun0 proto kernel scope link src 10.100.2.5
10.100.3.0/24 dev tun1 proto kernel scope link src 10.100.3.5
128.0.0.0/1 via 10.100.3.1 dev tun1
192.168.4.0/24 dev enp4s0 proto kernel scope link src 192.168.4.223 metric 100
192.168.5.0/24 via 192.168.4.1 dev enp4s0
# Output of `ip route show table 110`:
default via 10.100.2.1 dev tun0
# Output of `ip rule`:
0:      from all lookup local
32763:  from all to 192.168.5.0/24 lookup main
32764:  from all to 192.168.4.0/24 lookup main
32765:  from all fwmark 0x6e lookup 110
32766:  from all lookup main
32767:  from all lookup default
# Output of `iptables -t filter -L -v`:
Chain INPUT (policy ACCEPT 30661 packets, 3126K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
2117K  194M ACCEPT     all  --  enp4s0 any     anywhere             anywhere
3394K 4191M ACCEPT     all  --  tun1   enp4s0  anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  enp4s0 tun1    anywhere             anywhere             state RELATED,ESTABLISHED
 1541  133K ACCEPT     all  --  tun0   enp4s0  anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  enp4s0 tun0    anywhere             anywhere             state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 35596 packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1044  108K ACCEPT     all  --  any    tun1    anywhere             anywhere
    0     0 ACCEPT     all  --  any    tun0    anywhere             anywhere
# Output of `iptables -t nat -L -v`:
Chain PREROUTING (policy ACCEPT 208K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 266 packets, 46150 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 98 packets, 5876 bytes)
 pkts bytes target     prot opt in     out     source               destination
27638 2036K MASQUERADE  all  --  any    tun1    192.168.4.0/24       anywhere
  347 19186 MASQUERADE  all  --  any    tun0    192.168.5.0/24       anywhere
Chain OUTPUT (policy ACCEPT 95 packets, 5636 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Output of `iptables -t mangle -L PREROUTING -v`:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2829  215K MARK       all  --  enp4s0 any     192.168.5.0/24       anywhere             MARK set 0x6e

And on both OpenVPN servers (they are almost the same except for the subnet IP addresses and Internet addresses):

## What I did:
# First set up the OpenVPN server
# Then add rules for NAT and FORWARD:
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.100.2.0/24 -o eth0 -j MASQUERADE

## Some outputs
# Output of `ip addr`:
...
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.100.2.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c31e:ba42:4cb5:d887/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
...
# Output of `iptables -t filter -L -v`:
Chain INPUT (policy ACCEPT 16M packets, 1026M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 1522K packets, 114M bytes)
 pkts bytes target     prot opt in     out     source               destination
 247M  192G ACCEPT     all  --  tun0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun0   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
 178M  106G ACCEPT     all  --  eth0   tun0    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   any     10.100.2.0/24        anywhere
Chain OUTPUT (policy ACCEPT 16M packets, 1047M bytes)
 pkts bytes target     prot opt in     out     source               destination
55959 7717K ACCEPT     all  --  any    tun0    anywhere             anywhere
# Output of `iptables -t nat -L -v`:
Chain PREROUTING (policy ACCEPT 27M packets, 1809M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 11M packets, 605M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 5047 packets, 386K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 996K packets, 83M bytes)
 pkts bytes target     prot opt in     out     source               destination
  16M 1063M MASQUERADE  all  --  any    eth0    10.100.2.0/24        anywhere

Now, the computers in 192.168.4.0/24 (such as Computer B) can connect to the Internet via OpenVPN server 2 perfectly.

But in 192.168.5.0/24, the computers cannot resolve any hostnames. On computer A, ping 8.8.8.8 works fine, and tracert 8.8.8.8 shows it can get to the 8.8.8.8 server via OpenVPN server 1, but nslookup google.com 8.8.8.8 returns Query refused.

Really sorry for such a long post, but I really don't know what to do or what I missed. I'm not a pro of network things, so any specific suggestions and help are appreciated. Thanks!

Score:0

Problem solved.

Two rules were added to the iptables on OPENWRT by default for some inexplicable reason:

iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53

Really don't know why the guy who sold me the router added them. :(
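A check a defender can run on the router to surface exactly this kind of transparent DNS interception, written here as an added example (not code from the original question or answer). It parses `iptables-save` text for nat PREROUTING rules that REDIRECT or DNAT destination port 53; the sample ruleset embedded below is constructed to resemble the two rules found on the router.

```shell
#!/bin/sh
# Added example: find nat PREROUTING rules that hijack DNS (dport 53) traffic.
# SAMPLE_RULES is a constructed iptables-save excerpt modelled on the rules
# from the answer above; on a real router pipe `iptables-save` in instead.

SAMPLE_RULES='*nat
:PREROUTING ACCEPT [208000:34000000]
:POSTROUTING ACCEPT [98:5876]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i br-lan_2 -p tcp --dport 80 -j DNAT --to-destination 192.168.4.10:80
-A POSTROUTING -s 192.168.5.0/24 -o tun0 -j MASQUERADE
COMMIT
*mangle
-A PREROUTING -i br-lan_2 -j MARK --set-xmark 0x6e/0xffffffff
COMMIT'

# find_dns_intercepts: read iptables-save text on stdin and print every rule
# in the nat table's PREROUTING chain that REDIRECTs or DNATs port 53.
# Rules in other tables (e.g. the mangle MARK rule) are ignored.
find_dns_intercepts() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # "*nat" -> current table
        /^COMMIT/ { table = ""; next }              # end of the table block
        table == "nat" && /^-A PREROUTING / && / --dport 53( |$)/ && /-j (REDIRECT|DNAT)/
    '
}

# count_dns_intercepts: number of intercepting rules, usable as a health check
# (0 means no transparent DNS redirection is configured in nat PREROUTING).
count_dns_intercepts() {
    find_dns_intercepts | wc -l | tr -d ' '
}

# Run against the constructed sample by default; `--live` inspects the
# router's actual ruleset (requires root for iptables-save).
if [ "${1:-}" = "--live" ]; then
    iptables-save | find_dns_intercepts
else
    printf '%s\n' "$SAMPLE_RULES" | find_dns_intercepts
fi
```

Any rule this prints sends every client's DNS query to the router's own resolver regardless of the policy routing, which is why the 192.168.5.0/24 clients saw "Query refused" instead of an answer from 8.8.8.8.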
