Routing LAN through VPN CLient

SCOE · 12 March 2022 15:05

I hope you can help me. I have read so many how to’s and also looked into this forum. But I cant get it work.
What I want is to use my Dietpi as gateway for my LAN. On the Dietpi is NordVpn installed. Everything on the Dietpi works fine, the tunnel tun0 is connecting properly.

My LAN is 192.168.4.0/24
The gateway of tun0 is 10.8.1.1

What I have already done is:
net.ipv4.ip_forward = 1

redirect-gateway def1 in .ovpn (I dont know if this is necessary)

I tried with iptables and routings but it didnt work.

Jappe · 12 March 2022 17:10

I’m not good at networking, but I found a working iptables in this thread https://dietpi.com/forum/t/tunnel-dietpi-through-openvpn/765/7 and when I compare it to yours, there are some differences:

The working config is like (I edited it to match you IPs / interfaces):

Destination             Gateway             Netmask             Interface
Default route           10.8.1.1            128.0.0.0           tun0
Default Route           192.168.4.15        0.0.0.0             eth0
10.8.1.0                10.8.1.1	    255.255.255.255   	tun0
10.8.1.1    		none                255.255.255.255    	tun0
128.0.0.0               10.8.1.1   	    128.0.0.0           tun0
178.175.131.59        	192.168.4.15        255.255.255.255     eth0
192.168.4.0             none                255.255.255.0       eth0

So you are missing these two?

10.8.1.0                10.8.1.1	    255.255.255.255   	tun0
10.8.1.1    		none                255.255.255.255    	tun0

And this entry in your IPtables is wrong?

10.8.1.0    		none                255.255.255.0    	tun0

But as I said before, IDK what this is doing, I just compared a working config with yours and somebody should have a qualified look over this!

Joulinar · 12 March 2022 17:36

Question as well, did you set your DietPi device as Gateway on your LAN clients?

SCOE · 13 March 2022 08:39

Jappe
Thanks a lot. These are the default routes when vpn is connected.
I dont know if they are correct or not. On dietpi everthing works fine.
I will check your suggestion.

Joulinar
Yes, the IP of dietpi is 192.168.4.33, so the default gateway is set on LAN clients.

trendy · 14 March 2022 08:38

Have you enabled masquerade on the tunnel interface?
iptables-save -c ; ip -4 ad; ip -4 ro; ip -4 ru

SCOE · 14 March 2022 11:48

Yes masquerade has been enabled:

sudo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE

trendy · 14 March 2022 13:08

Please post all the commands mentioned in my previous post.

SCOE · 14 March 2022 13:16

trendy

Ok here is the result.
I restarted the system. So no iptables are active.

trendy · 15 March 2022 09:07

It won’t work without masquerading, that’s for sure. So you’ll need to add the masquerade.
Another thing to try is to capture the packets: apt update; apt install tcpdump
Then run a packet capture on the eth0 interface to verify that the lan hosts use the Pi as a router: tcpdump -i eth0 -evn host 8.8.4.4
Run a ping to 8.8.4.4 and verify that you can see the packets.
If you can see them, run again the same capture on tunnel interface: tcpdump -i tun0 -evn host 8.8.4.4

SCOE · 15 March 2022 10:33

No packets arrives while Iam running tcpdump -i eth0 -evn host 8.8.4.4 and ping to 8.8.4.4

The default gateway is definitely correct set on the LAN side.
I can see packets when Iam running tcpdump -i eth0 -evn host 192.168.4.33

192.168.4.28 > 192.168.4.33: ICMP echo request, id 1, seq 152, length 40
192.168.4.33 > 192.168.4.28: ICMP echo reply, id 1, seq 152, length 40

How can add masquerade?

In this way:?
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

trendy · 15 March 2022 21:28

Evidently it is not correct, otherwise you’d see them.

I can see packets when Iam running tcpdump -i eth0 -evn host 192.168.4.33
192.168.4.28 > 192.168.4.33: ICMP echo request, id 1, seq 152, length 40
192.168.4.33 > 192.168.4.28: ICMP echo reply, id 1, seq 152, length 40

Because you are pinging the RPi.

Yes, but you first need to fix the gateway.
What is the routing table of the lan host? route print in windows or ip -4 ro in linux.

SCOE · 15 March 2022 22:17

I do unterstand. Here is the routing table.

trendy · 15 March 2022 22:35

Do a traceroute 8.8.4.4 , the first hop should be the .33
And post the iptables-save -c from RPi.

SCOE · 16 March 2022 07:48

On my PC tracert 8.8.4.4 gives me “Request timed out”
Don’t know why. Rpi has 192.168.4.33, so at least the first hop should be reachable.

The routing table from rpi:

Jappe · 16 March 2022 13:58

Something is odd:
In your first post tun0 was in 10.8.1.0/24, in another post it was in 10.8.2.0/24 and now it is in 10.8.0.0/24?!

trendy · 16 March 2022 15:16

Do you have another PC to try?

SCOE · 17 March 2022 06:54

I tried on another PC, it works
I dont know why my PC sucks…

Thanks everyone.

Joulinar · 17 March 2022 12:12

and you are sure the 2nd PC is using the correct gateway?

SCOE · 17 March 2022 12:23

Yes, I’ve tested on several machines.
I changed the default gateway to 192.168.4.33 manually.
It works.

So what must be done:

net.ipv4.ip_forward = 1
sudo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

aditya333 · 30 October 2024 10:31

@SCOE

Hey, this was a god sent reply. However, it doesn’t work for me now after reboot. It does work when I am installing tailscale for the first time and then adding these routes on the tailscale subnet router. But after reboot, it stops working. I am persisting the routes using iptables-persist.

Any idea what could be the issue or how I could debug this?