VPN out + OpenVPN in

cotarelo

VPN out + OpenVPN in

Post by cotarelo »

Hello,

I had the OpenVPN working successfully and I was able to connect remotely to my home network from abroad 8) The interface is tun0.

Now I am looking to anonymize part of my traffic (the deluge one), so I installed a package that installs a VPN client. The interface is tun1.

The problem is that when the client is installed and working, I am not able to reach my home network with OpenVPN. I guess it has something to do with routes or iptables. Here is my configuration:


root@DietPi:/home/dietpi# route -v
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.117.78.1     128.0.0.0       UG    0      0        0 tun1
default         192.168.31.1    0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.117.78.0     0.0.0.0         255.255.254.0   U     0      0        0 tun1
128.0.0.0       10.117.78.1     128.0.0.0       UG    0      0        0 tun1
192.168.31.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
194.59.249.243  192.168.31.1    255.255.255.255 UGH   0      0        0 eth0


Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:53
DROP       udp  --  anywhere             anywhere             udp dpt:53
ACCEPT     all  --  anywhere             192.168.0.0/16      
ACCEPT     all  --  anywhere             10.0.0.0/8          
ACCEPT     all  --  anywhere             172.16.0.0/12       
ACCEPT     all  --  anywhere             104.20.26.217       
ACCEPT     all  --  anywhere             172.67.17.175       
ACCEPT     all  --  anywhere             assets.windscribe.com 
ACCEPT     all  --  anywhere             172.67.203.127      
ACCEPT     all  --  anywhere             104.21.93.29        
ACCEPT     all  --  anywhere             104.21.53.216       
ACCEPT     all  --  anywhere             172.67.219.39       
ACCEPT     all  --  anywhere             104.21.65.74        
ACCEPT     all  --  anywhere             172.67.189.40       
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             localhost           
ACCEPT     all  --  anywhere             194.59.249.243      

Can anyone advise what I am missing? My home network sits at 192.168.31.X, the network that OpenVPN creates is 10.8.0.X, and the one that the VPN client creates is 10.117.X.X.

Thank you
MichaIng
Site Admin

Re: VPN out + OpenVPN in

Post by MichaIng »

Indeed the initial connection from VPN clients to your server through eth0 is "answered" through the upstream VPN tunnel (hence never reaches the client) because of the routes. When a VPN client connection is up and you concurrently want to allow remote connections to that host, you need to set up a routing table for those, either based on an application user, or for initially incoming connections on a certain port, or in general.

iptables can be used to mark packets based on conditions and ip rules can be used to apply a different routing table for packets based on the mark.

But I need to dig out the details.
Joulinar

Re: VPN out + OpenVPN in

Post by Joulinar »

Usually @trendy has some experience with iptables.
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
trendy

Re: VPN out + OpenVPN in

Post by trendy »

You can omit the iptables part, if the rule is something simple.
There was a similar topic here.
In such cases I prefer to leave the default gateway to the ISP and manually add the services or hosts which need to be routed over the tunnel.
MichaIng
Site Admin

Re: VPN out + OpenVPN in

Post by MichaIng »

Nice, iif for incoming interface and oif for outgoing interface, right?
In this case I think it's not that easy, because the initial incoming VPN connection request is coming through the regular WAN interface and outbound connections from the local VPN server shall still use the upstream VPN tunnel. So it's indeed about inbound connections vs outbound connections. Not sure if ip rules have some syntax for this?
trendy

Re: VPN out + OpenVPN in

Post by trendy »

MichaIng wrote: Sun Mar 21, 2021 10:53 am Nice, iif for incoming interface and oif for outgoing interface, right?
Yes!
MichaIng wrote: Sun Mar 21, 2021 10:53 am In this case I think it's not that easy, because the initial incoming VPN connection request is coming through the regular WAN interface and outbound connections from the local VPN server shall still use the upstream VPN tunnel. So it's indeed about inbound connections vs outbound connections. Not sure if ip rules have some syntax for this?
It is easy: you can make a rule to bind the source port of the VPN server to the routing table that uses the WAN uplink. Instead of iif, use the sport selector.
MichaIng
Site Admin

Re: VPN out + OpenVPN in

Post by MichaIng »

Ah nice. So all packets from that port will be leaving on eth0, but that is fine since that port is for establishing the VPN connection only anyway, not for communication through the tunnel. That method should work pretty well for e.g. allowing remote connections to a BitTorrent server while it is connected to a VPN. Much easier than connection marks, many thanks for sharing :).
cotarelo

Re: VPN out + OpenVPN in

Post by cotarelo »

trendy wrote:
It is easy: you can make a rule to bind the source port of the VPN server to the routing table that uses the WAN uplink. Instead of iif, use the sport selector.
Thanks
Could you put an example of the command and where I can make it permanent?
trendy

Re: VPN out + OpenVPN in

Post by trendy »

An example would be:


ip route add to default via 10.10.10.1 table 100
ip rule add sport 1234 to default lookup 100 prio 16010
Change the IP to the one of the ISP router and the port to the one you are using for the VPN server.
You can add it in rc.local to be permanent.
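As an added illustration (not code from the thread), here is a small Python model of the routing decision discussed above: it does a longest-prefix match over the main routing table from the first post, then applies the sport rule from trendy's example so that replies from the OpenVPN server port leave via eth0 while everything else keeps using tun1. The routing table, 192.168.31.1 and port 1194 come from the thread; the remote client address 203.0.113.7 and the deluge port 6881 are constructed sample values.

```python
import ipaddress

# Main routing table as printed by `route -v` in the first post,
# reconstructed as (destination/genmask, gateway, interface).
MAIN_TABLE = [
    ("0.0.0.0/128.0.0.0",              "10.117.78.1",  "tun1"),  # 0.0.0.0/1
    ("0.0.0.0/0.0.0.0",                "192.168.31.1", "eth0"),  # default
    ("10.8.0.0/255.255.255.0",         "10.8.0.2",     "tun0"),
    ("10.8.0.2/255.255.255.255",       None,           "tun0"),
    ("10.117.78.0/255.255.254.0",      None,           "tun1"),
    ("128.0.0.0/128.0.0.0",            "10.117.78.1",  "tun1"),  # 128.0.0.0/1
    ("192.168.31.0/255.255.255.0",     None,           "eth0"),
    ("194.59.249.243/255.255.255.255", "192.168.31.1", "eth0"),
]

# Table 100 as added in the thread: just a default route via the ISP router.
TABLE_100 = [("0.0.0.0/0.0.0.0", "192.168.31.1", "eth0")]

# Policy rules as (source port or None for "any", table to consult),
# ordered by priority. The sport rule (prio 16010) precedes main (32766).
RULES = [(1194, TABLE_100), (None, MAIN_TABLE)]


def lookup(table, dst):
    """Longest-prefix match: return (iface, gateway) of the most specific
    route covering dst, or None if the table has no matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        network = ipaddress.ip_network(net, strict=False)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    return None if best is None else (best[2], best[1])


def route_packet(dst, sport, rules=RULES):
    """Walk the policy rules in order; the first matching rule whose table
    yields a route decides the egress interface and gateway."""
    for port, table in rules:
        if port is None or port == sport:
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    return None


if __name__ == "__main__":
    # Reply from the OpenVPN server port without the rule: the /1 routes
    # beat the default route, so it would leave through the VPN tunnel.
    print("no rule :", route_packet("203.0.113.7", 1194, [(None, MAIN_TABLE)]))
    print("with rule:", route_packet("203.0.113.7", 1194))   # eth0
    print("deluge   :", route_packet("203.0.113.7", 6881))   # still tun1
```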
cotarelo

Re: VPN out + OpenVPN in

Post by cotarelo »

I have added


ip route add to default via 192.168.31.1 table 100
ip rule add sport 1194 to default lookup 100 prio 16010
ip rule add sport 443 to default lookup 100 prio 16010
ip rule add sport 943 to default lookup 100 prio 16010
since OpenVPN uses 443 and 943 TCP and 1194 UDP by default.

But I still have no luck connecting from outside to the internal VPN; it times out.