I have been dealing with this hassle for almost two months. I will explain the situation. I work from home, and to access most of my company's services I have to use an OpenVPN client. The thing is that I have three computers at home: a general-purpose server, my personal computer and a company laptop. Long ago I already set up NAT and routes to reach the company's servers from my personal computer by going through the OpenVPN client running on my laptop. I'm worried about its battery, because I leave it on every day plugged into its charger, so after thinking a lot I decided to move the OpenVPN client into a container on my server and use it as a router to connect to the company's servers.
I set up the container using a macvlan with an IP range from my local network, privileged, with NET_ADMIN permissions. After months of trial and error I got it working once, then my server died and I forgot which iptables rules I had put in the container to make it work. I had not written them into the entry-point script for lack of time, and now I have to deal with this once again.
Everything on the OpenVPN server, the company's network and its servers knows how to route back to every IP of the VPN clients.
What I need to do now is route my local network through the OpenVPN client inside the container.
Details:
- Local network: 192.168.0.0/24
- Local gateway: 192.168.0.1
- PC: 192.168.0.17
- Home server: 192.168.0.16
- Container: 192.168.0.242
- OpenVPN client: 10.1.2.4
- OpenVPN gateway: 10.1.2.1
- Company's server range: 192.168.2-19.0/24 (i.e. 192.168.2.0/24 through 192.168.19.0/24)
On my home server (192.168.0.16) it works perfectly. I only had to add some routes pointing to the container IP, like this: ip route add 192.168.19.0/24 via 192.168.0.242
But what I can't get to work is the rest of the local network. On my personal computer I set up a route pointing to the container IP (192.168.0.242) for the company's server range, as I did on my server.
If I run a ping to any of them, I can see with tcpdump and tshark that it reaches its destination on the other side (PC > Home Server > Container > VPN Client > VPN Server > Gateway > Server). This reaches its destination as intended, but on the way back to my PC (Server > Gateway > VPN Server > VPN Client)
the ping reply comes back and dies in the container, so the problem I must deal with now is how to make the container NAT or forward that packet to my personal computer.
I know for sure that it's only iptables rules that I need to add or remove inside the container.
In my entry-point I have these iptables rules, which are loaded after the OpenVPN client starts.
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE   # hide LAN sources behind the tun0 (10.1.2.4) address
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # let replies to existing flows through in both directions
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT   # anything arriving from the VPN may be forwarded into the LAN
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT   # anything arriving from the LAN may be forwarded into the VPN
If it's worth mentioning, with only these rules I got it working on my laptop.
Also, the container can reach everything on both sides: it can ping one of the company's servers, ping its own host, or ping my personal computer perfectly.
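Added example (editor's illustration, not the poster's entry-point and not something the question confirms works): how I would write the container's router rules so they survive a rebuild, using the addresses given in the question. It assumes the macvlan interface inside the container is eth0 and OpenVPN's interface is tun0 (neither name is stated in the post; override with LAN_IF / VPN_IF), and the function names build_ruleset, lan_routes, apply_ruleset and diagnose are my own. It differs from the four rules in the question in two deliberate ways: the whole ruleset is applied atomically with iptables-restore, so rerunning the entry-point cannot stack duplicate -A rules, and there is no blanket -i tun0 -o eth0 -j ACCEPT. Returning replies to LAN-initiated traffic are already matched by the RELATED,ESTABLISHED rule once conntrack has undone the MASQUERADE, and leaving out the blanket rule keeps the company side from opening new connections into the home LAN through the container.

```sh
#!/bin/sh
# Added example for the question above; not the poster's script.
# Assumptions (not stated in the post): the macvlan side of the container is
# eth0, OpenVPN creates tun0, the LAN is 192.168.0.0/24 and the container is
# 192.168.0.242. Override with environment variables if your names differ.
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
CONTAINER_IP="${CONTAINER_IP:-192.168.0.242}"

# Emit a complete iptables-restore ruleset as text. Loading a whole ruleset
# replaces whatever an earlier run left behind, so the container's firewall
# state is exactly this text and nothing else. Lines starting with '#' are
# ignored by iptables-restore.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the echo reply arrives on $VPN_IF, conntrack rewrites its destination back
# to the LAN host, and this rule forwards it out $LAN_IF
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN hosts may open new connections towards the VPN
-A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT
# deliberately no rule for NEW connections from $VPN_IF into $LAN_NET
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# hide LAN sources behind the VPN client address so the company side
# routes replies back to the container
-A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
COMMIT
EOF
}

# Route commands a LAN host (the PC) needs so that 192.168.2.0/24 through
# 192.168.19.0/24 go via the container. Printed so they can be reviewed
# before being piped to sh on that host.
lan_routes() {
    n=2
    while [ "$n" -le 19 ]; do
        echo "ip route replace 192.168.$n.0/24 via $CONTAINER_IP"
        n=$((n + 1))
    done
}

# Apply inside the container once OpenVPN has created the tunnel interface
# (the poster's entry-point already starts OpenVPN first). Needs CAP_NET_ADMIN.
apply_ruleset() {
    # a network namespace does not forward unless told to; do not rely on
    # inheriting the host's setting
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_ruleset | iptables-restore
}

# Commands to run in the container while a ping from the PC is in flight,
# to see where a returning reply is lost.
diagnose() {
    ip route get 192.168.0.17                 # must leave via $LAN_IF, not $VPN_IF
    iptables -t nat -L POSTROUTING -v -n      # MASQUERADE counters grow with outbound pings
    iptables -L FORWARD -v -n                 # per-rule counters show which rule (or the policy) handled the reply
    conntrack -L -p icmp 2>/dev/null || true  # the NAT entry must map the reply back to the LAN host
}

case "${1:-}" in
    apply)    apply_ruleset ;;
    routes)   lan_routes ;;
    diagnose) diagnose ;;
    *)        build_ruleset ;;   # default: print the ruleset for review
esac
```

Usage: run the script with apply from the entry-point after OpenVPN is up, with routes on each LAN host that should reach the company ranges, and with diagnose in the container during a ping. If the RELATED,ESTABLISHED counter in FORWARD does not move while replies are visible on tun0, the reply is not being associated with the outbound flow, which points at the NAT or conntrack state rather than at the forwarding rules themselves.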