Need VPN iproute help

Hello,

My current ip routes look like this:

root@dietpi:~# sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i eth1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth1 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
root@dietpi:~# sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i eth1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth1 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

But I want to forward all traffic from the wlan0 interface to tun1

Therefore I want to use these rules:

iptables -A FORWARD -i tun1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun1 -j ACCEPT

How can I delete these rules

-A FORWARD -i eth1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth1 -j ACCEPT

forever?

@trendy maybe you can have a look. Thx

sudo iptables -D FORWARD -i eth1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -D FORWARD -i wlan0 -o eth1 -j ACCEPT

Then check your current iptables with iptables-save.
If you run into problems just reboot.
If everything looks fine and functions as expected, make it persistent with:

iptables-save > /etc/iptables/rules.v4

If you use ipv6 you have to use ip6tables, ip6tables-save and rules.v6.

OK, I tried the commands above:

sudo iptables -D FORWARD -i eth1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -D FORWARD -i wlan0 -o eth1 -j ACCEPT
sudo iptables -A FORWARD -i tun1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun1 -j ACCEPT

Output of iptables is:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i wlan0 -o tun1 -j ACCEPT
-A FORWARD -i tun1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

But now I don’t have any internet connection anymore…

Goal is
to route the wlan0 traffic through tun1… eth1 traffic should not be routed through tun1.

@Jappe or @trendy thank you for your help

Because you deleted the rules, that was what you asked for :sweat_smile:
Can you please share more info about your setup and what you want to achieve?
Your route to the Internet is via eth0 and you want to connect devices via wifi, but they should be tunneled through a VPN?
And is it right that you have several tunnel interfaces, wg0 and tun1?

Yes,

So Internet access is via eth0…
And I want to connect devices via wlan0 (hotspot) and only these devices/this traffic should be routed via tun1 (VPN tunnel). The standard traffic should be routed via eth0 without tunneling.

My devices are
eth0: Internet access
wg0: wireguard server from outside
wlan0: hotspot
tun0: OpenVPN server, currently unused
tun1: OpenVPN client

I think this also needs adjustment of default routes, let’s wait for @trendy :slight_smile:

What is the output of the following:

ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c

vpn client not started:

# ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.178.25/24 brd 192.168.178.255 scope global dynamic eth1
       valid_lft 811184sec preferred_lft 811184sec
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.42.1/24 brd 192.168.42.255 scope global wlan0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.9.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev eth1 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.1 
192.168.42.0/24 dev wlan0 proto kernel scope link src 192.168.42.1 
192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.25 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
broadcast 10.9.0.0 dev wg0 table local proto kernel scope link src 10.9.0.1 
local 10.9.0.1 dev wg0 table local proto kernel scope host src 10.9.0.1 
broadcast 10.9.0.255 dev wg0 table local proto kernel scope link src 10.9.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.42.0 dev wlan0 table local proto kernel scope link src 192.168.42.1 
local 192.168.42.1 dev wlan0 table local proto kernel scope host src 192.168.42.1 
broadcast 192.168.42.255 dev wlan0 table local proto kernel scope link src 192.168.42.1 
broadcast 192.168.178.0 dev eth1 table local proto kernel scope link src 192.168.178.25 
local 192.168.178.25 dev eth1 table local proto kernel scope host src 192.168.178.25 
broadcast 192.168.178.255 dev eth1 table local proto kernel scope link src 192.168.178.25 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jan 29 13:36:33 2024
*filter
:INPUT ACCEPT [68564:10386972]
:FORWARD ACCEPT [560:186445]
:OUTPUT ACCEPT [52917:8337927]
[147492:158813905] -A FORWARD -i eth1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[48534:9407481] -A FORWARD -i wlan0 -o eth1 -j ACCEPT
[608:64791] -A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Mon Jan 29 13:36:33 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jan 29 13:36:33 2024
*nat
:PREROUTING ACCEPT [13587:1250914]
:INPUT ACCEPT [9099:579438]
:OUTPUT ACCEPT [19353:1460497]
:POSTROUTING ACCEPT [5176:348107]
[18430:1698413] -A POSTROUTING -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.42.0/24 -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -s 10.9.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Jan 29 13:36:33 2024

vpn client started:

# ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.178.25/24 brd 192.168.178.255 scope global dynamic eth1
       valid_lft 811092sec preferred_lft 811092sec
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.42.1/24 brd 192.168.42.255 scope global wlan0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.9.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
7: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.6.19.10/24 scope global tun1
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.6.19.1 dev tun1 
default via 192.168.178.1 dev eth1 
10.6.19.0/24 dev tun1 proto kernel scope link src 10.6.19.10 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.1 
31.171.154.136 via 192.168.178.1 dev eth1 
128.0.0.0/1 via 10.6.19.1 dev tun1 
192.168.42.0/24 dev wlan0 proto kernel scope link src 192.168.42.1 
192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.25 
broadcast 10.6.19.0 dev tun1 table local proto kernel scope link src 10.6.19.10 
local 10.6.19.10 dev tun1 table local proto kernel scope host src 10.6.19.10 
broadcast 10.6.19.255 dev tun1 table local proto kernel scope link src 10.6.19.10 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
broadcast 10.9.0.0 dev wg0 table local proto kernel scope link src 10.9.0.1 
local 10.9.0.1 dev wg0 table local proto kernel scope host src 10.9.0.1 
broadcast 10.9.0.255 dev wg0 table local proto kernel scope link src 10.9.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.42.0 dev wlan0 table local proto kernel scope link src 192.168.42.1 
local 192.168.42.1 dev wlan0 table local proto kernel scope host src 192.168.42.1 
broadcast 192.168.42.255 dev wlan0 table local proto kernel scope link src 192.168.42.1 
broadcast 192.168.178.0 dev eth1 table local proto kernel scope link src 192.168.178.25 
local 192.168.178.25 dev eth1 table local proto kernel scope host src 192.168.178.25 
broadcast 192.168.178.255 dev eth1 table local proto kernel scope link src 192.168.178.25 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jan 29 13:38:06 2024
*filter
:INPUT ACCEPT [68874:10430641]
:FORWARD ACCEPT [560:186445]
:OUTPUT ACCEPT [53142:8367240]
[147492:158813905] -A FORWARD -i eth1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[48534:9407481] -A FORWARD -i wlan0 -o eth1 -j ACCEPT
[608:64791] -A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Mon Jan 29 13:38:06 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jan 29 13:38:06 2024
*nat
:PREROUTING ACCEPT [13596:1251619]
:INPUT ACCEPT [9108:580143]
:OUTPUT ACCEPT [19403:1463888]
:POSTROUTING ACCEPT [5191:349075]
[18465:1700836] -A POSTROUTING -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.42.0/24 -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -s 10.9.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Jan 29 13:38:06 2024

Given the requirement to route only the hotspot over VPN, I would suggest the following.

  1. Filter the default gateway from the OpenVPN client.
cat << EOF >> /etc/openvpn/client.conf
pull-filter ignore redirect-gateway
route-nopull
EOF
  2. Now your default gateway remains eth1 after the VPN is up.
  3. Isolate the hotspot and route it over the VPN.
ip rule add from 192.168.42.0/24 lookup 42
ip route add default via 10.6.19.1 dev tun1 table 42
  4. Fix the firewall.
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o tun1 -j MASQUERADE
iptables -t filter -A FORWARD -i wlan0 -o tun1 -j ACCEPT
  5. You probably want to delete the other firewall rules that allow wlan0 to eth1 if you want them isolated.

your commands are good…

If the tun1 IP is changing, I always need to add the ip rule

ip route add default via 10.6.19.1 dev tun1 table 42

Or can I write a general one…like

ip route add default via dev tun1 table 42

?

You can try your luck without the gateway. If it doesn’t work change it with the gateway.

It’s not possible

Error: any valid address is expected rather than "dev".

ip route add default dev tun1 table 42

Your help is amazing and charming :slight_smile:

How can I now make these commands/changes permanent?

ip rule add from 192.168.42.0/24 lookup 42
ip route add default dev tun1 table 42
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o tun1 -j MASQUERADE
iptables -t filter -A FORWARD -i wlan0 -o tun1 -j ACCEPT

You can use iptables-save

Are the ip route and ip rule entries then also stored?

I would add them in the VPN up-script.

How can I do this?

I guess it depends on whether you are using some dietpi-vpn or plain systemctl to bring up the VPN service.
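As an added example (not code from the thread or from DietPi), here is what such an up/down script can look like for the plain OpenVPN case. It wraps the policy-routing steps from the answer above (rule, table 42, MASQUERADE, FORWARD) so that OpenVPN installs them every time tun1 comes up, which also answers the "how do I make this permanent" question for the `ip rule`/`ip route` part that iptables-save does not cover. The hotspot interface, subnet and table number (wlan0, 192.168.42.0/24, 42), the file name /etc/openvpn/hotspot.sh and the `-m conntrack` return rule are assumptions; `script-security 2`, `up`, `down` and the `$dev`/`$script_type` environment are OpenVPN's own. It goes beyond the thread's commands in two places: it copies the connected wlan0 route into table 42 so the Pi's own replies to hotspot clients (DHCP, DNS, anything bound to 192.168.42.1) are not pulled into tun1 by the `from 192.168.42.0/24` rule, and it adds a `prohibit` fallback so hotspot traffic is rejected rather than leaked out of eth1 while the VPN is down. The `route-nopull` / `pull-filter` lines from the answer are still needed in client.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: an OpenVPN up/down script that
# installs the hotspot policy routing from the answer above in an idempotent,
# fail-closed way, so it survives VPN restarts and reboots without manual
# "ip rule"/"ip route" commands. Assumptions (change to taste): hotspot wlan0
# with 192.168.42.0/24, routing table 42, and OpenVPN's own $dev/$script_type
# environment. Hook it into client.conf with:
#   script-security 2
#   up   /etc/openvpn/hotspot.sh
#   down /etc/openvpn/hotspot.sh

HOTSPOT_IF="${HOTSPOT_IF:-wlan0}"
HOTSPOT_NET="${HOTSPOT_NET:-192.168.42.0/24}"
TABLE="${TABLE:-42}"
VPN_IF="${dev:-tun1}"    # OpenVPN exports the tun name as $dev; tun1 for manual runs

# Commands that put the hotspot onto the VPN. Every line can be re-run safely:
# "replace" overwrites routes, stale copies of the rule are deleted before one
# is re-added, and "iptables -C" appends a rule only when it is missing.
# The connected route in table 42 keeps the Pi's own replies (DHCP/DNS, a web
# UI on 192.168.42.1) on wlan0, since they also have a source in $HOTSPOT_NET.
# The "prohibit" route with a high metric only wins once the tun default is
# gone (the kernel drops it when the tun device disappears), so a VPN outage
# rejects hotspot traffic instead of letting it fall through to main and eth1.
plan_up() {
    cat <<EOF
ip route replace $HOTSPOT_NET dev $HOTSPOT_IF table $TABLE
ip route replace default dev $VPN_IF table $TABLE
ip route replace prohibit default table $TABLE metric 1000
while ip rule del from $HOTSPOT_NET lookup $TABLE 2>/dev/null; do :; done
ip rule add from $HOTSPOT_NET lookup $TABLE
iptables -t nat -C POSTROUTING -s $HOTSPOT_NET -o $VPN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $HOTSPOT_NET -o $VPN_IF -j MASQUERADE
iptables -C FORWARD -i $HOTSPOT_IF -o $VPN_IF -j ACCEPT 2>/dev/null || iptables -A FORWARD -i $HOTSPOT_IF -o $VPN_IF -j ACCEPT
iptables -C FORWARD -i $VPN_IF -o $HOTSPOT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -A FORWARD -i $VPN_IF -o $HOTSPOT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Commands for the VPN going down: remove only the tun-specific pieces and keep
# the rule plus the prohibit route, so clients fail closed until the next "up".
plan_down() {
    cat <<EOF
ip route del default dev $VPN_IF table $TABLE 2>/dev/null || true
while iptables -D FORWARD -i $HOTSPOT_IF -o $VPN_IF -j ACCEPT 2>/dev/null; do :; done
while iptables -D FORWARD -i $VPN_IF -o $HOTSPOT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; do :; done
while iptables -t nat -D POSTROUTING -s $HOTSPOT_NET -o $VPN_IF -j MASQUERADE 2>/dev/null; do :; done
EOF
}

# Execute a plan read from stdin; DRY_RUN=1 only prints it for review.
apply() {
    if [ "${DRY_RUN:-0}" = 1 ]; then cat; else sh -e; fi
}

# Offline check of a box's state. $1 = output of "ip -4 rule",
# $2 = output of "ip -4 route show table $TABLE". Prints what is missing and
# returns the number of missing items (0 = installed and fail-closed).
check_state() {
    missing=0
    printf '%s\n' "$1" | grep -q "from $HOTSPOT_NET lookup $TABLE" \
        || { echo "missing: ip rule from $HOTSPOT_NET lookup $TABLE"; missing=$((missing + 1)); }
    printf '%s\n' "$2" | grep -q "^default dev $VPN_IF" \
        || { echo "missing: default route via $VPN_IF in table $TABLE"; missing=$((missing + 1)); }
    printf '%s\n' "$2" | grep -q "^prohibit default" \
        || { echo "missing: prohibit fallback in table $TABLE (hotspot would leak via eth1 while the VPN is down)"; missing=$((missing + 1)); }
    return "$missing"
}

# OpenVPN sets script_type to "up" or "down". To inspect the plan by hand:
#   DRY_RUN=1 script_type=up sh /etc/openvpn/hotspot.sh
case "${script_type:-}" in
    up)   plan_up | apply ;;
    down) plan_down | apply ;;
esac
```

After the first `up`, confirm with `ip -4 rule`, `ip -4 route show table 42` and `iptables-save -c` (the FORWARD counters for wlan0→tun1 should increase while a hotspot client browses), then run `iptables-save > /etc/iptables/rules.v4` as suggested earlier so the filter/nat rules also exist before the first VPN start. Note that, by design, hotspot clients have no internet at all while tun1 is down; if you would rather have them fall back to eth1, drop the `prohibit` line, but then the "only via VPN" requirement silently stops holding during reconnects. The dietpi-vpn wrapper is a different matter; check how it starts OpenVPN before pointing `up`/`down` at this script.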