Routing LAN through VPN Client

I hope you can help me. I have read so many how-tos and also looked into this forum. But I can't get it to work.
What I want is to use my DietPi as gateway for my LAN. NordVPN is installed on the DietPi. Everything on the DietPi works fine, the tunnel tun0 is connecting properly.

My LAN is 192.168.4.0/24
The gateway of tun0 is 10.8.1.1

What I have already done is:
net.ipv4.ip_forward = 1

redirect-gateway def1 in .ovpn (I don't know if this is necessary)

I tried with iptables and routings but it didn't work.

I’m not good at networking, but I found a working iptables in this thread https://dietpi.com/forum/t/tunnel-dietpi-through-openvpn/765/7 and when I compare it to yours, there are some differences:

The working config is like (I edited it to match your IPs / interfaces):

Destination        Gateway         Netmask            Interface
Default route      10.8.1.1        128.0.0.0          tun0
Default route      192.168.4.15    0.0.0.0            eth0
10.8.1.0           10.8.1.1        255.255.255.255    tun0
10.8.1.1           none            255.255.255.255    tun0
128.0.0.0          10.8.1.1        128.0.0.0          tun0
178.175.131.59     192.168.4.15    255.255.255.255    eth0
192.168.4.0        none            255.255.255.0      eth0

So you are missing these two?

10.8.1.0           10.8.1.1        255.255.255.255    tun0
10.8.1.1           none            255.255.255.255    tun0

And this entry in your IPtables is wrong?

10.8.1.0           none            255.255.255.0      tun0

But as I said before, IDK what this is doing, I just compared a working config with yours and somebody should have a qualified look over this!

Question as well, did you set your DietPi device as Gateway on your LAN clients?

Jappe
Thanks a lot. These are the default routes when the VPN is connected.
I don't know if they are correct or not. On the DietPi everything works fine.
I will check your suggestion.

Joulinar
Yes, the IP of the DietPi is 192.168.4.33, so the default gateway is set on the LAN clients.

Have you enabled masquerade on the tunnel interface?
iptables-save -c ; ip -4 ad; ip -4 ro; ip -4 ru

Yes masquerade has been enabled:

sudo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE

Please post all the commands mentioned in my previous post.

trendy

Ok here is the result.
I restarted the system. So no iptables are active.

It won’t work without masquerading, that’s for sure. So you’ll need to add the masquerade.
Another thing to try is to capture the packets: apt update; apt install tcpdump
Then run a packet capture on the eth0 interface to verify that the lan hosts use the Pi as a router: tcpdump -i eth0 -evn host 8.8.4.4
Run a ping to 8.8.4.4 and verify that you can see the packets.
If you can see them, run again the same capture on tunnel interface: tcpdump -i tun0 -evn host 8.8.4.4

No packets arrive while I am running tcpdump -i eth0 -evn host 8.8.4.4 and pinging 8.8.4.4

The default gateway is definitely set correctly on the LAN side.
I can see packets when I am running tcpdump -i eth0 -evn host 192.168.4.33

192.168.4.28 > 192.168.4.33: ICMP echo request, id 1, seq 152, length 40
192.168.4.33 > 192.168.4.28: ICMP echo reply, id 1, seq 152, length 40

How can I add masquerade?

In this way?
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Evidently it is not correct, otherwise you’d see them.

Because you are pinging the RPi.

Yes, but you first need to fix the gateway.
What is the routing table of the lan host? route print in windows or ip -4 ro in linux.

I do understand. Here is the routing table.

Do a traceroute 8.8.4.4 , the first hop should be the .33
And post the iptables-save -c from RPi.

On my PC tracert 8.8.4.4 gives me “Request timed out” :frowning:
Don't know why. The RPi has 192.168.4.33, so at least the first hop should be reachable.

The routing table from the RPi:

Something is odd:
In your first post tun0 was in 10.8.1.0/24, in another post it was in 10.8.2.0/24 and now it is in 10.8.0.0/24?!

Do you have another PC to try?

I tried on another PC, it works :smiley:
I don't know why my PC sucks…

Thanks everyone.

And you are sure the 2nd PC is using the correct gateway?

Yes, I’ve tested on several machines.
I changed the default gateway to 192.168.4.33 manually.
It works.

So what must be done:

net.ipv4.ip_forward = 1
sudo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
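Added example, not from the thread or from DietPi: the rules from the final post wrapped so they can be re-applied without duplicates, plus a check over iptables-save and ip -4 ro output for the three things the thread had to debug (masquerade on tun0, forwarding from the LAN, the def1 default route via the tunnel). It assumes LAN on eth0 as 192.168.4.0/24 and VPN on tun0; the -s 192.168.4.0/24 restriction is an addition to the thread's rules, and the sample command outputs are constructed.

```shell
# Added example (not from the thread). Assumes LAN on eth0 (192.168.4.0/24),
# VPN on tun0; apply_vpn_gateway needs root and is not run here.
LAN_IF=eth0; VPN_IF=tun0; LAN_NET=192.168.4.0/24
# Append a rule only if it is not already present (iptables -C checks).
add_rule_once() {
    table=$1; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}
# The final post's rules, restricted to the LAN subnet. They are lost on
# reboot unless saved, which is why the thread saw "no iptables active".
apply_vpn_gateway() {
    sysctl -w net.ipv4.ip_forward=1
    add_rule_once nat POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    add_rule_once filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    add_rule_once filter FORWARD -s "$LAN_NET" -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
}
# check_gateway RULES ROUTES: RULES = iptables-save output, ROUTES = "ip -4 ro"
# output. Prints what is missing; returns 0 only if everything is present.
# Live use: check_gateway "$(iptables-save)" "$(ip -4 ro)"
check_gateway() {
    rules=$1; routes=$2; missing=0
    printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING .*-o $VPN_IF -j MASQUERADE" \
        || { echo "missing: MASQUERADE on $VPN_IF"; missing=1; }
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*-i $LAN_IF -o $VPN_IF -j ACCEPT" \
        || { echo "missing: FORWARD $LAN_IF -> $VPN_IF"; missing=1; }
    printf '%s\n' "$routes" | grep -q "^0\.0\.0\.0/1 via .* dev $VPN_IF" \
        || { echo "missing: def1 default route via $VPN_IF"; missing=1; }
    printf '%s\n' "$routes" | grep -q "^$LAN_NET dev $LAN_IF" \
        || { echo "missing: LAN route on $LAN_IF"; missing=1; }
    return $missing
}
# Constructed sample output for offline checking (not captured from a real box).
GOOD_RULES='*nat
-A POSTROUTING -s 192.168.4.0/24 -o tun0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i eth0 -o tun0 -j ACCEPT
COMMIT'
GOOD_ROUTES='0.0.0.0/1 via 10.8.1.1 dev tun0
default via 192.168.4.15 dev eth0
10.8.1.0/24 dev tun0 proto kernel scope link src 10.8.1.2
128.0.0.0/1 via 10.8.1.1 dev tun0
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.33'
EMPTY_RULES='*filter
COMMIT'   # what iptables-save shows after the reboot in the thread
echo "after reboot:";  check_gateway "$EMPTY_RULES" "$GOOD_ROUTES" || true
echo "rules applied:"; check_gateway "$GOOD_RULES" "$GOOD_ROUTES" && echo "gateway OK"
```

Run the check against live output after every reboot; if it reports the MASQUERADE rule missing, the rules were not persisted and apply_vpn_gateway needs to run again.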