Routing all Traffic through a VPN Node while accepting incoming WAN Connections

Arakis

9/5/23, 1:40 PM

I want to route all traffic through another VPN-Node, while:

Keep the Connection to the VPN-Server active (already works)
Still accepting WAN-Connections on that Client.

My Client Node Configuration:

# 35.1.1.1: WAN IP of VPN-Server
# 192.168.8.1: WAN Gateway of Client
# 10.25.0.1: Internal VPN Server IP (not used below)
# 10.25.0.3: VPN Gatway for the Client (The gatway itself is also an Client)

ip route add 35.1.1.1/32 via 192.168.8.1   # protect route to VPN-Server
ip route del default via 192.168.8.1       # remove original default route
ip route add default via 10.25.0.3         # redirect to another VPN Node

When running these commands, the gateway works - Every traffic from the Client node is routed through the VPN Gateway (10.25.0.3), while keeping the connection to the Server (35.1.1.1/10.25.0.1) intact.

The only problem is, the Client will not accepting connections anymore. I read something about fwmarkand sourced based policy rules but I do not get the point what I really need and what commands I need to enter.

0 + 0

vpn

route

connections

tunnel

Score:0

Server

Arakis

9/6/23, 6:04 PM

To get this working:

Disable Reverse Path filtering
Add VPN Gateway as pair of 0.0.0.0/1 and 128.0.0.0/1 instead of simply 0.0.0.0/0. See here.
Add a custom routing table. See here.

This way doesn't require fwmark or any additional firewall rules.

Here's my working configuration script. I tried to comment as much as possible.

INTERFACE=tun0 # the VPN interface
#REMOTEADDRESS=35.1.1.1 # Real IP of VPN server
REMOTEADDRESS=`dig +short <VPN-Server>` # Enter the hostname of the VPN srever or replace the expression via IP, see above

VPN_GATEWAY=10.25.0.3
#ORIGINAL_GATEWAY="via 192.168.8.1 dev eth0"
ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
ORIGINAL_NAMESERVER=`cat /etc/resolv.conf | grep ^nameserver | cut -d ' ' -f 2`

# Disable Reverse Path filtering
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter # ETH device
echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter # VPN device

ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY # protect route to VPN-Server
ip route add $ORIGINAL_NAMESERVER $ORIGINAL_GATEWAY # OPTIONAL: protect route to DNS. Required for Google Cloud.
ip route add $VPN_GATEWAY dev $INTERFACE
ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE

# Add custom routing table
echo 200 custom >> /etc/iproute2/rt_tables
ip rule add from 192.168.8.100 table custom prio 1 # Real Client IP
ip route del default via 192.168.8.1 # Real Gateway
ip route add default via 192.168.8.1 dev eth0 table custom

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Routing all Traffic through a VPN Node while accepting incoming WAN Connections

TH: กำหนดเส้นทางการรับส่งข้อมูลทั้งหมดผ่านโหนด VPN ในขณะที่ยอมรับการเชื่อมต่อ WAN ที่เข้ามา

RO: Dirijarea întregului trafic printr-un nod VPN în timp ce se acceptă conexiunile WAN de intrare

RU: Маршрутизация всего трафика через VPN-узел при приеме входящих подключений WAN

VI: Định tuyến tất cả Lưu lượng thông qua Nút VPN trong khi chấp nhận Kết nối WAN đến

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.