
I want to route all traffic through another VPN-Node, while:

  • Keeping the connection to the VPN server active (already works)
  • Still accepting WAN connections on that client.

My Client Node Configuration:

# 35.1.1.1: WAN IP of VPN-Server
# 192.168.8.1: WAN Gateway of Client
# 10.25.0.1: Internal VPN Server IP (not used below)
# 10.25.0.3: VPN Gateway for the Client (the gateway itself is also a Client)

ip route add 35.1.1.1/32 via 192.168.8.1   # protect route to VPN-Server
ip route del default via 192.168.8.1       # remove original default route
ip route add default via 10.25.0.3         # redirect to another VPN Node

When running these commands, the gateway works: all traffic from the client node is routed through the VPN gateway (10.25.0.3), while the connection to the server (35.1.1.1/10.25.0.1) stays intact.

The only problem is that the client does not accept connections anymore. I read something about fwmark and source-based policy rules, but I do not get what I really need and which commands I need to enter.

Arakis

1 Answer


To get this working:

  • Disable Reverse Path filtering
  • Add the VPN gateway as a pair of routes, 0.0.0.0/1 and 128.0.0.0/1, instead of simply 0.0.0.0/0. See here.
  • Add a custom routing table. See here.

This way doesn't require fwmark or any additional firewall rules.

Here's my working configuration script. I tried to comment as much as possible.

#!/bin/sh
# Run as root. The commented-out values show the form the derived variables take.
set -u

INTERFACE=tun0 # the VPN interface
#REMOTEADDRESS=35.1.1.1 # Real IP of VPN server
REMOTEADDRESS=$(dig +short <VPN-Server> | head -n 1) # Enter the hostname of the VPN server or replace the expression with the IP, see above

VPN_GATEWAY=10.25.0.3
CLIENT_IP=192.168.8.100 # Real (WAN) IP of this client
#ORIGINAL_GATEWAY="via 192.168.8.1 dev eth0"
ORIGINAL_GATEWAY=$(ip route show | grep '^default' | cut -d ' ' -f 2-5) # left unquoted below on purpose: it expands to "via <gw> dev <if>"
ORIGINAL_NAMESERVER=$(grep '^nameserver' /etc/resolv.conf | head -n 1 | cut -d ' ' -f 2)

# Disable Reverse Path filtering.
# The kernel uses max(conf/all, conf/<device>), so "all" has to be lowered as well or the per-device setting has no effect.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter # ETH device
echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter # VPN device

ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY # protect route to VPN-Server
ip route add $ORIGINAL_NAMESERVER $ORIGINAL_GATEWAY # OPTIONAL: protect route to DNS. Required for Google Cloud.
ip route add $VPN_GATEWAY dev $INTERFACE
# Two /1 routes are more specific than 0.0.0.0/0, so they win over any default route without replacing it
ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE

# Add custom routing table (only once; otherwise the file grows on every run)
grep -q '^200 custom' /etc/iproute2/rt_tables || echo 200 custom >> /etc/iproute2/rt_tables
# Packets sourced from the real client IP (replies to accepted WAN connections) are looked up in the custom table first
ip rule add from $CLIENT_IP table custom prio 1 # Real Client IP
ip route del default $ORIGINAL_GATEWAY # Real Gateway, removed from the main table
ip route add default $ORIGINAL_GATEWAY table custom # and kept only in the custom table
Arakis