
I have a server A running OpenVPN, an OpenVPN client B (a rooted Android phone as it happens) and a third party C (a laptop, tablet etc.) tethered to B.

B can use the VPN to access the internet via A; C can use the tethered connection WITHOUT the VPN to access the internet via B.

However, with the VPN on B active, I cannot load information from the internet on C.

A appears to log similar traffic inbound and outbound when B or C attempt to load a webpage, say, but the VPN on device B reports no inbound traffic when the connection originated from C.

Where should I look for packets being dropped, and what ip rules should I use to make sure they are passed back through the VPN and into the local network B <-> C?

(I'll obviously post whatever further information is needed.)

Further info

Without VPN:

root@android:/ # ip route
default via [B's External Gateway] dev rmnet0
[B's External Subnet] dev rmnet0  proto kernel  scope link  src [B's External IP]
[B's External Gateway] dev rmnet0  scope link
192.168.43.0/24 dev wlan0  proto kernel  scope link  src 192.168.43.1

With VPN:

root@android:/ # ip route
0.0.0.0/1 dev tun0  scope link
default via [B's External Gateway] dev rmnet0
[B's External Subnet] dev rmnet0  proto kernel  scope link  src [B's External IP]
[B's External Gateway] dev rmnet0  scope link
[External address of A] dev tun0  scope link
128.0.0.0/1 dev tun0  scope link
172.16.0.0/24 dev tun0  scope link
172.16.0.8/30 dev tun0  proto kernel  scope link  src 172.16.0.10
192.168.43.0/24 dev wlan0  proto kernel  scope link  src 192.168.43.1
192.168.168.0/24 dev tun0  scope link

not all wrong
  • Check the routing table with and without VPN connection. OpenVPN probably changes it when you establish the connection. – Ansgar Wiechers Sep 30 '12 at 13:01
  • I've provided the results of running `ip route` on B, with and without OpenVPN running there. The reason I'm posting on SF is that I realized I don't fully understand this output and I definitely don't know how to fix it! – not all wrong Sep 30 '12 at 13:06
  • Typically on a Linux machine (acting as B) - you would enable `ipv4.forwarding` and provide an associated `MASQUERADE` rule on IPTables to route between C and A. I'm not exactly sure how this is handled on Android, but I'd assume this is the issue. – Ben Lessani Sep 30 '12 at 14:26
  • @sonassi - thanks; ipv4.forwarding is definitely enabled (this happens by default when one tethers, and I've checked it). However, iptables does not show any MASQUERADE commands - I have access to a pretty standard version of iptables on the Android device, so can you give an example of what command to issue? I'm confused about 'who should do what unto whom'. – not all wrong Sep 30 '12 at 16:08
  • MASQUERADE isn't a command. It's an IPTables module. Google it. – Magellan Sep 30 '12 at 18:40
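
As an added example (not part of the question or any of the comments), the script below replays the two `ip route` tables posted above through a longest-prefix-match lookup, so you can see which interface B picks for a given destination with and without the VPN. The bracketed placeholders from the question are replaced with constructed values: 10.20.30.1 for B's external gateway, 10.20.30.0/24 for its subnet with 10.20.30.55 as B's address, and 198.51.100.7 for A's external address. The 0.0.0.0/1 and 128.0.0.0/1 entries are what OpenVPN's `redirect-gateway def1` installs: together they cover the whole address space and, being more specific than the /0 default, win the lookup without the default route having to be removed.

```shell
#!/bin/sh
# Added example (not from the question or its comments): replays the two
# `ip route` tables posted in the question through a longest-prefix-match
# lookup. Bracketed placeholders are CONSTRUCTED here:
#   [B's External Gateway] -> 10.20.30.1, [B's External Subnet] -> 10.20.30.0/24,
#   [B's External IP] -> 10.20.30.55, [External address of A] -> 198.51.100.7
set -eu

NOVPN_TABLE='default via 10.20.30.1 dev rmnet0
10.20.30.0/24 dev rmnet0  proto kernel  scope link  src 10.20.30.55
10.20.30.1 dev rmnet0  scope link
192.168.43.0/24 dev wlan0  proto kernel  scope link  src 192.168.43.1'

VPN_TABLE='0.0.0.0/1 dev tun0  scope link
default via 10.20.30.1 dev rmnet0
10.20.30.0/24 dev rmnet0  proto kernel  scope link  src 10.20.30.55
10.20.30.1 dev rmnet0  scope link
198.51.100.7 dev tun0  scope link
128.0.0.0/1 dev tun0  scope link
172.16.0.0/24 dev tun0  scope link
172.16.0.8/30 dev tun0  proto kernel  scope link  src 172.16.0.10
192.168.43.0/24 dev wlan0  proto kernel  scope link  src 192.168.43.1
192.168.168.0/24 dev tun0  scope link'

# Dotted quad -> 32-bit integer.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Print the egress interface for destination $1, given a routing table on
# stdin. Longest matching prefix wins; a bare address is treated as a /32
# and "default" as 0.0.0.0/0.
route_lookup() {
    dst=$(ip2int "$1")
    best_len=-1
    best_dev=none
    while read -r net rest; do
        if [ -z "$net" ]; then continue; fi
        if [ "$net" = default ]; then net=0.0.0.0/0; fi
        case "$net" in */*) ;; *) net="$net/32" ;; esac
        prefix=${net%/*}
        len=${net#*/}
        # The egress interface is the word after "dev".
        dev=$(echo "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
        if [ "$len" -eq 0 ]; then
            mask=0
        else
            mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        fi
        if [ $(( dst & mask )) -eq $(( $(ip2int "$prefix") & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_dev=$dev
        fi
    done
    echo "$best_dev"
}

egress_novpn() { printf '%s\n' "$NOVPN_TABLE" | route_lookup "$1"; }
egress_vpn()   { printf '%s\n' "$VPN_TABLE"   | route_lookup "$1"; }

for dst in 93.184.216.34 128.0.0.1 192.168.43.20 10.20.30.1; do
    printf '%-16s without VPN: %-7s with VPN: %s\n' \
        "$dst" "$(egress_novpn "$dst")" "$(egress_vpn "$dst")"
done
```

What the output shows: with the VPN up, every internet destination matches one of the two /1 routes and leaves B through tun0, while 192.168.43.0/24 still matches the /24 for wlan0, so the tethered link itself is unaffected. A packet from C forwarded into tun0 still carries C's 192.168.43.x source address, which A has no route back to, so unless the phone source-NATs it to its own tunnel address (the MASQUERADE rule in the answer) the replies have nowhere to go.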

1 Answer


Ah, fixed it by running the following on B (the phone):

# Source-NAT packets from the tethered network to B's tunnel address as they leave via tun0
iptables -t nat -A POSTROUTING -s 192.168.43.0/255.255.255.0 -o tun0 -j MASQUERADE
# Forward replies belonging to existing connections back toward C
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward new connections originating from the tethered network
iptables -A FORWARD -s 192.168.43.0/255.255.255.0 -j ACCEPT
# Reject anything else that would be forwarded
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable

This pretty much corresponds to the usual basic setup for a VPN server; I was having problems because I got confused about which network was which, which interface was which, and then when I had those right I realized I still had the wrong gateway set on C.

not all wrong
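
An added example, not the answerer's own script: the same four rules wrapped so they can be re-run safely (`iptables -C` before `-A`), with a check that forwarding is enabled and with the FORWARD accept rule restricted to `-o tun0`. The last point is the security-relevant one: in the "With VPN" table the /1 routes disappear with tun0, so if the tunnel drops, the default route via rmnet0 takes over and an unrestricted `-s 192.168.43.0/24 -j ACCEPT` would carry C's traffic out over mobile data outside the VPN. The function and variable names (setup_tether_over_vpn, ensure_rule, run, DRY_RUN) are mine; it assumes a standard iptables with the state match, as on the phone in the question, and `-C` needs iptables 1.4.11 or newer.

```shell
#!/bin/sh
# Added example, not the answerer's own script. Wraps the four rules from the
# answer so they can be re-run safely, checks that forwarding is enabled, and
# restricts the FORWARD accept rule to the VPN interface. Function and variable
# names here (setup_tether_over_vpn, ensure_rule, run, DRY_RUN) are mine.
# Previews by default; DRY_RUN=0 applies the rules (needs root).
set -eu

DRY_RUN=${DRY_RUN:-1}

# Run iptables, or just print the command in preview mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Append a rule to table $1 unless an identical one already exists
# (iptables -C, available since iptables 1.4.11). Remaining arguments are
# the chain and the rule specification.
ensure_rule() {
    table=$1; shift
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run -t "$table" -A "$@"
    fi
}

# $1 = tethered network (C's side, e.g. 192.168.43.0/24), $2 = VPN interface on B.
setup_tether_over_vpn() {
    lan=$1
    vpn_if=$2
    if [ "$DRY_RUN" != 1 ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
        echo "ip_forward is 0; enable it first: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
        return 1
    fi
    # Source-NAT tethered traffic leaving through the tunnel, so A sees B's
    # tunnel address and replies can find their way back.
    ensure_rule nat POSTROUTING -s "$lan" -o "$vpn_if" -j MASQUERADE
    # Replies to established connections are forwarded back to C.
    ensure_rule filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # New connections from C are forwarded only into the tunnel: if tun0 goes
    # away and the default route via rmnet0 takes over, nothing is forwarded.
    ensure_rule filter FORWARD -s "$lan" -o "$vpn_if" -j ACCEPT
    # Reject anything else that would be forwarded.
    ensure_rule filter FORWARD -j REJECT --reject-with icmp-port-unreachable
}

setup_tether_over_vpn "${1:-192.168.43.0/24}" "${2:-tun0}"
```

Run it as `DRY_RUN=0 sh tether_vpn.sh 192.168.43.0/24 tun0` on the phone to apply; without `DRY_RUN=0` it only prints the commands. Because `-A` appends, change the network or interface only after flushing the old FORWARD rules, otherwise the new ACCEPT rules land behind the existing REJECT and never match.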