Score:0

Routing all Traffic through a VPN Node while accepting incoming WAN Connections


I want to route all traffic through another VPN node, while:

  • keeping the connection to the VPN server active (already works)
  • still accepting WAN connections on that client.

My Client Node Configuration:

# 35.1.1.1: WAN IP of VPN server
# 192.168.8.1: WAN gateway of the client
# 10.25.0.1: internal VPN server IP (not used below)
# 10.25.0.3: VPN gateway for the client (the gateway itself is also a client)

ip route add 35.1.1.1/32 via 192.168.8.1   # protect route to VPN server
ip route del default via 192.168.8.1       # remove original default route
ip route add default via 10.25.0.3         # redirect to another VPN node

When running these commands, the gateway works: all traffic from the client node is routed through the VPN gateway (10.25.0.3), while the connection to the server (35.1.1.1/10.25.0.1) stays intact.

The only problem is that the client will not accept connections anymore. I read something about fwmark and source-based policy rules, but I do not understand what I really need and which commands I need to enter.

Score:0

To get this working:

  • Disable Reverse Path filtering
  • Add the VPN gateway as a pair of 0.0.0.0/1 and 128.0.0.0/1 routes instead of simply 0.0.0.0/0. See here.
  • Add a custom routing table. See here.

This approach doesn't require fwmark or any additional firewall rules.

Here's my working configuration script. I tried to comment as much as possible.

#!/bin/sh
INTERFACE=tun0 # the VPN interface
WAN_INTERFACE=eth0 # the real (WAN) interface
CLIENT_IP=192.168.8.100 # real client IP on the WAN interface
#REMOTEADDRESS=35.1.1.1 # Real IP of VPN server
REMOTEADDRESS=$(dig +short <VPN-Server>) # Enter the hostname of the VPN server or replace the expression with the IP, see above

VPN_GATEWAY=10.25.0.3
#ORIGINAL_GATEWAY="via 192.168.8.1 dev eth0"
ORIGINAL_GATEWAY=$(ip route show | grep ^default | cut -d ' ' -f 2-5)
ORIGINAL_NAMESERVER=$(grep ^nameserver /etc/resolv.conf | head -n 1 | cut -d ' ' -f 2)

# Disable Reverse Path filtering
echo 0 > /proc/sys/net/ipv4/conf/$WAN_INTERFACE/rp_filter # ETH device
echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter # VPN device

ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY # protect route to VPN-Server
ip route add $ORIGINAL_NAMESERVER $ORIGINAL_GATEWAY # OPTIONAL: protect route to DNS. Required for Google Cloud.
ip route add $VPN_GATEWAY dev $INTERFACE
ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE   # these two /1 routes together cover everything ...
ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE # ... and are more specific than any 0.0.0.0/0 default

# Add custom routing table (append the table name only once, so the script can be re-run)
grep -q '^200 custom' /etc/iproute2/rt_tables || echo 200 custom >> /etc/iproute2/rt_tables
ip rule add from $CLIENT_IP table custom prio 1 # packets sourced from the real client IP (replies to WAN connections) use the custom table
ip route del default $ORIGINAL_GATEWAY # Real Gateway, removed from the main table
ip route add default $ORIGINAL_GATEWAY table custom # ... and restored as the default of the custom table
mangohost
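To see why the answer's two tricks work, here is an added simulation (not code from the question or the answer) of the kernel's rule walk and longest-prefix lookup over the tables the script leaves behind. The prefixes, gateways and the 192.168.8.100 client IP are taken from the page; 203.0.113.5 (a TEST-NET-3 address) is a constructed WAN peer, 10.25.0.5 an assumed tunnel address of the client, and the 192.168.8.0/24 on-link route is assumed.

```python
import ipaddress

# Routing state the answer's script leaves behind, transcribed from the page's addresses.
# Each entry: (prefix, next hop or None for on-link, outgoing interface).
MAIN = [
    ("35.1.1.1/32", "192.168.8.1", "eth0"),   # protected route to the VPN server's WAN IP
    ("10.25.0.3/32", None, "tun0"),            # VPN gateway, reachable directly over the tunnel
    ("0.0.0.0/1", "10.25.0.3", "tun0"),        # lower half of the address space
    ("128.0.0.0/1", "10.25.0.3", "tun0"),      # upper half of the address space
    ("192.168.8.0/24", None, "eth0"),          # assumed: the client's on-link LAN
]
CUSTOM = [("0.0.0.0/0", "192.168.8.1", "eth0")]   # table 200 "custom": the real default gateway
RULES = [(1, "192.168.8.100", "custom"),           # ip rule add from 192.168.8.100 table custom prio 1
         (32766, None, "main")]                    # the kernel's built-in catch-all rule for "main"
TABLES = {"main": MAIN, "custom": CUSTOM}

def lookup(table, dst):
    """Longest-prefix match over one table; returns (next_hop, dev) or None."""
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])

def route(src, dst):
    """Policy routing: walk the rules by priority, return (table, (next_hop, dev)) of the first hit."""
    for _prio, selector, name in sorted(RULES):
        if selector is None or selector == src:
            hit = lookup(TABLES[name], dst)
            if hit is not None:
                return name, hit
    return None

# The /1 pair is more specific than a 0.0.0.0/0 default, so it wins even if the old default survives.
MAIN_WITH_OLD_DEFAULT = MAIN + [("0.0.0.0/0", "192.168.8.1", "eth0")]

if __name__ == "__main__":
    print("reply from real IP  ->", route("192.168.8.100", "203.0.113.5"))    # custom table, out eth0
    print("tunnel-sourced      ->", route("10.25.0.5", "203.0.113.5"))        # main table, via VPN gateway
    print("to the VPN server   ->", route("10.25.0.5", "35.1.1.1"))           # /32 wins, stays on eth0
    print("old default present ->", lookup(MAIN_WITH_OLD_DEFAULT, "8.8.8.8"))  # /1 still wins
```

The first line is the point of the custom table: a reply sourced from the real client IP leaves through the real gateway, the same path the incoming WAN connection arrived on, while everything else still goes through the VPN gateway.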
