Score:0

Forward virbr0 (VM) traffic through IPSec tunnel

cn flag

I have a virbr0 interface, created by libvirt with

inet 10.1.2.1  netmask 255.255.255.0  broadcast 10.1.2.255

There's an active IPSec tunnel with

leftsubnet=10.1.2.0/24
rightsubnet=192.168.160.0/20

The VMs are able to reach 192.168.160.0/20 but now I would like the VMs to have all their traffic redirected to 192.168.168.254 instead of using the default gateway of the machine.

I thought I could use something like this:

iptables -t nat -A PREROUTING -i virbr0 -d 0.0.0.0/0 -j DNAT --to-destination 192.168.168.254

but that does not work. Am I missing something or am I using the wrong approach?

Thanks!

Score:0
kz flag

I am assuming here that your VMs have IPs inside the 10.1.2.0/24 subnet; otherwise it should be obvious why it doesn't work.

Let's assume your VM wants to open a connection to the website example.org. With your above statement, you redirect this connection attempt to the router inside the 192.168.160.0/20 subnet, which obviously has no idea about the website example.org.

First, you would need routing for this, not DNAT (to preserve the IP which must be reached!). Second, you obviously misunderstood how IPsec tunnels work: only the agreed subnets are allowed through the IPsec tunnel. Which means: the VM trying to open the website example.org opens a connection to its resolved IP, let's say this would be IP 1.2.3.4. The connection comes from the left side, so this IP must be inside one of the right subnets. Since it is not, it cannot go through the IPsec tunnel.

If you want to route all traffic through a tunnel, you need a different kind of VPN for this!
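An added example (not part of the question or this answer) that models the reasoning above in Python: a policy-based IPsec tunnel only carries flows that match the agreed selectors, and the DNAT rule gets a packet into the tunnel only by throwing away the destination the VM actually wanted. The selectors and the router address are the ones from the question; the VM addresses and the public IP 1.2.3.4 are constructed sample flows.

```python
from ipaddress import ip_address, ip_network

# Traffic selectors from the question: left is the libvirt side, right the far end.
SELECTORS = [(ip_network("10.1.2.0/24"), ip_network("192.168.160.0/20"))]

# The router the asker wanted to redirect everything to (from the question).
ROUTER = "192.168.168.254"


def tunnel_protects(src, dst, selectors=SELECTORS):
    """A policy-based IPsec tunnel only carries a flow whose source lies in a
    local selector and whose destination lies in the matching remote selector.
    Anything else is sent in the clear via the normal routing table."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in left and d in right for left, right in selectors)


def apply_dnat(dst, in_iface, rule_iface="virbr0", to=ROUTER):
    """Model of the PREROUTING rule in the question: every packet that arrives
    on rule_iface gets its destination rewritten to `to`, whatever it was."""
    return to if in_iface == rule_iface else dst


def trace(src, dst, in_iface="virbr0", use_dnat=False):
    """Follow one packet from a VM and report what actually happens to it.
    Returns (destination after NAT, carried by the tunnel?, original target kept?)."""
    effective = apply_dnat(dst, in_iface) if use_dnat else dst
    return effective, tunnel_protects(src, effective), effective == dst


if __name__ == "__main__":
    # Constructed flows: one to the far subnet, one to a public web server.
    for flow in [("10.1.2.10", "192.168.168.254"), ("10.1.2.10", "1.2.3.4")]:
        for nat in (False, True):
            eff, in_tunnel, kept = trace(*flow, use_dnat=nat)
            print(f"{flow[0]} -> {flow[1]} dnat={nat}: reaches {eff}, "
                  f"tunnel={in_tunnel}, original destination kept={kept}")
```

Without DNAT the flow to 1.2.3.4 never matches a selector and leaves via the host's default route; with DNAT it enters the tunnel, but as a connection to the router itself, which is exactly the failure the answer describes.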

Jochen avatar
cn flag
Thanks! This helps a lot