Use pi as a VPN gateway for LAN clients, but not for itself

CbIP
Posts: 15
Joined: Mon Jan 25, 2021 11:25 am

Use pi as a VPN gateway for LAN clients, but not for itself

Post by CbIP »

Hi all!

I have installed the NordVPN app and AdGuard Home on my Pi. I also configured AdGuard Home to act as a DNS-over-TLS server and exposed it to the Internet (forwarded the appropriate ports). I did this to be able to block ads on my mobile phone not only when it is connected to the home Wi-Fi, but also when it uses cellular data (you can configure this under Settings → Network & internet → Advanced → Private DNS on your Android phone).

To access my private AdGuard DNS I use a subdomain which is linked to the IP from my ISP. This works fine until I establish a VPN connection. In this case all traffic is routed through the VPN tunnel and I cannot connect to my DNS server from the Internet. I cannot link my subdomain to the VPN IP address because it doesn't support port forwarding and blocks all incoming (not established/related) connections. Thus I need to somehow route traffic generated by the Pi itself, or intended for the Pi, through the ISP, and route forwarded (from LAN clients) traffic through the VPN tunnel. In other words, I want any device connected to the LAN to use the Pi as a VPN gateway, but route the Pi's own traffic through the ISP, not through the VPN tunnel.

It was quite simple to configure the Pi as a VPN gateway and route all traffic through the tunnel, but I have no idea how to route only forwarded traffic through the tunnel. Could somebody help me with the setup? My LAN network is 10.10.10.0/24, the ISP router is 10.10.10.1, and the VPN tunnel name is nordlynx.

Thank you!
Joulinar
Posts: 4502
Joined: Sat Nov 16, 2019 12:49 am

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by Joulinar »

Hi,

you would need to set up some iptables rules to avoid forwarding your DNS server traffic into the VPN tunnel

@trendy
You are the iptables expert :P
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
trendy
Posts: 292
Joined: Tue Feb 25, 2020 2:54 pm

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by trendy »

Add the following script when the tunnel comes up:

#!/bin/sh
# Runs when the tunnel comes up. Table 100 holds a default route via the ISP
# router; the two rules send only traffic generated on the Pi itself (iif lo)
# there, keeping LAN-destined traffic on the main table. Forwarded traffic
# from LAN clients never has iif lo, so it keeps following the tunnel.

ip route add to default via 10.10.10.1 table 100
ip rule add iif lo to 10.10.10.0/24 lookup main prio 16000
ip rule add iif lo to default lookup 100 prio 16010
Last edited by trendy on Tue Feb 16, 2021 11:09 am, edited 1 time in total.
CbIP
Posts: 15
Joined: Mon Jan 25, 2021 11:25 am

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by CbIP »

Thank you for the suggestions!

I created a script with the provided contents, but it returns the following error: "Error: argument "internet" is wrong: invalid table ID"

That's how my routing looks when the VPN is connected and the script has been executed:

$ sudo ip route show table all
default via 10.10.10.1 dev eth0 table 100
default dev nordlynx table 51820 scope link
default via 10.10.10.1 dev eth0 onlink
10.5.0.0/16 dev nordlynx proto kernel scope link src 10.5.0.2
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
broadcast 10.5.0.0 dev nordlynx table local proto kernel scope link src 10.5.0.2
local 10.5.0.2 dev nordlynx table local proto kernel scope host src 10.5.0.2
broadcast 10.5.255.255 dev nordlynx table local proto kernel scope link src 10.5.0.2
broadcast 10.10.10.0 dev eth0 table local proto kernel scope link src 10.10.10.100
local 10.10.10.100 dev eth0 table local proto kernel scope host src 10.10.10.100
broadcast 10.10.10.255 dev eth0 table local proto kernel scope link src 10.10.10.100
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.0.0 dev docker0 table local proto kernel scope link src 172.17.0.1
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
trendy
Posts: 292
Joined: Tue Feb 25, 2020 2:54 pm

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by trendy »

Sorry for the typo, replace internet with 100. I have fixed the post above too.
CbIP
Posts: 15
Joined: Mon Jan 25, 2021 11:25 am

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by CbIP »

Works like a charm!

Two little remarks for those who might want to repeat the process.

I. You should also create a script:

#!/bin/sh
# Run as root after the VPN disconnects: remove the two policy rules that the
# tunnel-up script added (same selectors, so exactly those rules match).

ip rule del from all to 10.10.10.0/24 iif lo lookup main
ip rule del from all iif lo lookup 100
and run it (as root) after the VPN is disconnected. Otherwise the NordVPN app will create its forwarding rules with a lower priority, so local traffic will be forwarded through the VPN the next time you connect.

II. If you have firewall rules similar to the following in the FORWARD section:
1. Accept if the input interface is eth0 and the output interface is nordlynx
2. Accept if the input interface is nordlynx and the connection state is established, related
then the KillSwitch feature will also work. To disable it, delete the "nordlynx" protocol from both of these rules:
1. Accept if the input interface is eth0
2. Accept if the output interface is eth0 and the connection state is established, related
The default action should be set to DROP.

@trendy, thank you very much for the help!

A question for a possible future improvement: is it possible to forward certain traffic (which goes to/from a certain port or address) into the VPN tunnel? Or even to reverse the configuration, i.e. forward everything except certain traffic (DNS and the HTTP server)?
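An added example, not code from the thread or from NordVPN: the split trendy proposed, the disconnect teardown from remark I and the FORWARD policy from remark II, folded into one sh hook that prints its commands ("plan") before you run them ("up"/"down"/"fw") and can be run repeatedly. Values taken from the thread: LAN 10.10.10.0/24, ISP router 10.10.10.1, table 100, priorities 16000/16010, interfaces eth0 and nordlynx. Assumed: it runs as root from whatever hook fires when the tunnel comes up or goes down, NAT for forwarded traffic is already in place, and the rp_filter check plus the "route replace" / "rule del prio" idempotency are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the thread): up/down hook for split routing on the
# VPN gateway Pi.  Host-originated traffic leaves via the ISP router, traffic
# forwarded for LAN clients keeps following the tunnel.
# From the thread: LAN 10.10.10.0/24, ISP router 10.10.10.1, table 100,
# rule priorities 16000/16010, interfaces eth0 and nordlynx.
# Assumed: runs as root from the tunnel up/down hooks; NAT for forwarded
# traffic already exists; the rp_filter check is this example's addition.

LAN=10.10.10.0/24
ISP_GW=10.10.10.1
LAN_IF=eth0
VPN_IF=nordlynx
TABLE=100
PRIO_LAN=16000      # both must be numerically lower (= higher priority) than
PRIO_DEFAULT=16010  # the rule the VPN client installs for its own table

# Commands that install the split.  Only packets the Pi generates or answers
# itself have iif lo, so only they go to the LAN directly or out via the ISP
# router.  Forwarded LAN traffic never matches and keeps following the main
# table, where the VPN client sends it into the tunnel.
plan_up() {
    printf '%s\n' \
        "ip route replace default via $ISP_GW dev $LAN_IF table $TABLE" \
        "ip rule add iif lo to $LAN lookup main prio $PRIO_LAN" \
        "ip rule add iif lo to default lookup $TABLE prio $PRIO_DEFAULT"
}

# Teardown for disconnect.  Deleting by priority removes exactly our two rules
# and nothing the VPN client installed.  Skipping this lets the client put its
# own rules in front of ours on the next connect, which is what CbIP observed.
plan_down() {
    printf '%s\n' \
        "ip rule del prio $PRIO_DEFAULT" \
        "ip rule del prio $PRIO_LAN" \
        "ip route flush table $TABLE"
}

# FORWARD policy from CbIP's second remark, which doubles as the kill switch
# for LAN clients: they may only talk to the tunnel, and only replies return.
# Apply once at boot; unlike the rules above it must stay in place while the
# tunnel is down, otherwise clients would silently fall back to the ISP.
plan_fw() {
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT" \
        "iptables -A FORWARD -i $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# run_plan <plan-function> [lenient]: execute each emitted command (word
# splitting of $cmd is intended).  With 'lenient' a failing command, e.g. a
# rule that is already gone, is ignored instead of aborting.
run_plan() {
    "$1" | while IFS= read -r cmd; do
        $cmd || [ -n "${2:-}" ] || exit 1
    done
}

# Strict reverse-path filtering (mode 1) breaks this setup: the reverse lookup
# for a packet arriving on eth0 from the Internet is done with that ingress
# interface, not lo, so it follows the VPN client's rule into the tunnel table
# and the packet is dropped.  Succeeds for mode 0 (off) or 2 (loose).  Takes
# the sysctl file path as an argument so any file can be checked.
rp_filter_ok() {
    mode=$(cat "$1" 2>/dev/null || echo 0)
    [ "$mode" != "1" ]
}

case "${1:-}" in
    plan) plan_up ;;
    up)   run_plan plan_down lenient 2>/dev/null   # start from a clean state
          run_plan plan_up || exit 1
          rp_filter_ok "/proc/sys/net/ipv4/conf/$LAN_IF/rp_filter" ||
              echo "warning: $LAN_IF has rp_filter=1; set it to 2 (loose)" >&2 ;;
    down) run_plan plan_down lenient 2>/dev/null ;;
    fw)   run_plan plan_fw || exit 1 ;;
    "")   ;;   # no argument: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 plan|up|down|fw" >&2 ;;
esac
```

Run "sh vpn-split.sh plan" once to read the commands, hook "up" and "down" to the tunnel state changes, and run "fw" once at boot. If the DNS-over-TLS server stops answering from the Internet right after "up", look at the rp_filter warning before anything else; the route dump above shows nothing that would otherwise explain silently vanishing inbound connections.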
trendy
Posts: 292
Joined: Tue Feb 25, 2020 2:54 pm

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by trendy »

CbIP wrote: Tue Feb 16, 2021 6:22 pm
@trendy, thank you very much for the help!

A question for a possible future improvement: is it possible to forward certain traffic (which goes to/from a certain port or address) into the VPN tunnel? Or even to reverse the configuration, i.e. forward everything except certain traffic (DNS and the HTTP server)?
You're welcome!
I am not sure I understand the question. But generally you can do port forwarding with DNAT.
CbIP
Posts: 15
Joined: Mon Jan 25, 2021 11:25 am

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by CbIP »

I meant the following examples:
1. All forwarded (i.e. from LAN clients) traffic should go through the VPN tunnel; local traffic should go through the ISP by default, except traffic from Transmission (which listens on port 22333) or traffic which goes to 173.194.73.101. These two types of traffic should also go through the VPN tunnel.
2. All forwarded (i.e. from LAN clients) traffic should go through the VPN tunnel; local traffic should also go through the VPN tunnel by default, except traffic from AdGuard (which listens on ports 853 TCP and 8434 TCP) or traffic which goes to 173.194.73.101. These two types of traffic should go through the ISP.

I think such a setup is much more complex. I am also trying to learn some networking on my setup...
trendy
Posts: 292
Joined: Tue Feb 25, 2020 2:54 pm

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by trendy »

CbIP wrote: Tue Feb 16, 2021 7:58 pm
I meant the following examples:
1. All forwarded (i.e. from LAN clients) traffic should go through the VPN tunnel; local traffic should go through the ISP by default, except traffic from Transmission (which listens on port 22333) or traffic which goes to 173.194.73.101. These two types of traffic should also go through the VPN tunnel.
Forwarded packets from LAN hosts will use the main routing table. So you should have the tunnel interface with a lower metric for that.
You can apply some exceptions based on ports.


dietpi@RockPi:[~]$ ip rule help
Usage: ip rule { add | del } SELECTOR ACTION
       ip rule { flush | save | restore }
       ip rule [ list [ SELECTOR ]]
SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]
            [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]
            [ uidrange NUMBER-NUMBER ]
            [ ipproto PROTOCOL ]
            [ sport [ NUMBER | NUMBER-NUMBER ]
            [ dport [ NUMBER | NUMBER-NUMBER ] ]
ACTION := [ table TABLE_ID ]
          [ protocol PROTO ]
          [ nat ADDRESS ]
          [ realms [SRCREALM/]DSTREALM ]
          [ goto NUMBER ]
          SUPPRESSOR
SUPPRESSOR := [ suppress_prefixlength NUMBER ]
              [ suppress_ifgroup DEVGROUP ]
TABLE_ID := [ local | main | default | NUMBER ]
sport can be used for Transmission and to PREFIX for the IP.
CbIP wrote: Tue Feb 16, 2021 7:58 pm
2. All forwarded (i.e. from LAN clients) traffic should go through the VPN tunnel; local traffic should also go through the VPN tunnel by default, except traffic from AdGuard (which listens on ports 853 TCP and 8434 TCP) or traffic which goes to 173.194.73.101. These two types of traffic should go through the ISP.

I think such a setup is much more complex. I am also trying to learn some networking on my setup...
Again the same principle.
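An added example, not code from the thread: the port- and address-based exceptions trendy points at, written with the ip rule selectors from the help text above (ipproto, sport, to PREFIX, uidrange) for the two cases CbIP listed. Values from the thread: ISP table 100, the nordlynx table 51820 seen in the route dump, Transmission on port 22333, AdGuard on TCP 853 and 8434, destination 173.194.73.101. Assumed by this example: priorities 15001-15004, which must be numerically lower than the 16000/16010 split rules so they are consulted first, and that Transmission runs as its own service user whose uid you pass in (look it up with "id -u <user>"). One caveat the help text does not spell out: sport matches the source port of the packet being routed, which is the listening port only for connections that arrive at the Pi; connections a daemon opens itself use ephemeral ports, so for Transmission the uidrange rule is what actually catches its traffic.

```shell
#!/bin/sh
# Added example (not from the thread): per-port and per-address exceptions
# layered on the split routing, emitted as 'ip rule add' commands.
# From the thread: ISP table 100, nordlynx table 51820, Transmission on port
# 22333, AdGuard on TCP 853/8434, destination 173.194.73.101.
# Assumed: priorities 15001-15004 (in front of the 16000/16010 split rules)
# and a dedicated Transmission user whose uid is passed on the command line.
# Usage as root, once the split rules are in place:
#   sh vpn-exceptions.sh case1 "$(id -u debian-transmission)" | sh -e
#   sh vpn-exceptions.sh case2 | sh -e

ISP_TABLE=100
VPN_TABLE=51820
PRIO=15000

# rule <offset> <selector and action...>: emit one 'ip rule add' that applies
# only to traffic this host generates or answers (iif lo).  Forwarded LAN
# traffic never has iif lo, so none of these rules touch it.
rule() {
    off=$1; shift
    echo "ip rule add iif lo $* prio $((PRIO + off))"
}

# Case 1: the host uses the ISP by default (split rules 16000/16010 present);
# only Transmission and one destination are steered into the tunnel.
# 'sport 22333' covers connections peers open to the Pi; connections that
# Transmission opens itself carry ephemeral source ports, so the uidrange rule
# for the daemon's user is the one that really catches its traffic.
case1() {   # case1 <transmission-uid>
    rule 1 to 173.194.73.101 lookup "$VPN_TABLE"
    rule 2 ipproto tcp sport 22333 lookup "$VPN_TABLE"
    rule 3 ipproto udp sport 22333 lookup "$VPN_TABLE"
    rule 4 uidrange "$1-$1" lookup "$VPN_TABLE"
}

# Case 2: the host uses the tunnel by default (drop the 16010 rule but keep
# the 16000 LAN rule and table 100); only AdGuard's listening ports and one
# destination are steered to the ISP.  Here sport is the right selector:
# AdGuard answers its DoT/HTTPS clients from the port it listens on, so the
# reply packets carry sport 853/8434 and go back out via the ISP address the
# clients connected to, keeping the server reachable while the tunnel is up.
case2() {
    rule 1 to 173.194.73.101 lookup "$ISP_TABLE"
    rule 2 ipproto tcp sport 853 lookup "$ISP_TABLE"
    rule 3 ipproto tcp sport 8434 lookup "$ISP_TABLE"
}

case "${1:-}" in
    case1) case1 "${2:?transmission uid required}" ;;
    case2) case2 ;;
    "")    ;;   # no argument: only define the functions
    *)     echo "usage: $0 case1 <transmission-uid> | case2" >&2 ;;
esac
```

Rules added with ip rule are not persistent and do not affect routes already cached by open TCP connections, so apply them from the same tunnel-up hook as the split rules and restart the affected daemon once after changing them.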
CbIP
Posts: 15
Joined: Mon Jan 25, 2021 11:25 am

Re: Use pi as a VPN gateway for LAN clients, but not for itself

Post by CbIP »

Thank you very much! Exactly what I was looking for. I will try to adjust rules in the future.