Route all traffic incoming on a second Ethernet adapter through an OpenVPN TUN connection

1

1

At home I'm running a little PC (Debian Jessie) as a NAS and some kind of monitoring device. This PC has two bridged Ethernet ports. One is connected to a switch (eth1) where all other devices are plugged in, and the other one is connected to my router (eth0).

On most of my devices there is some OpenVPN client running.
Now I'm trying to establish the VPN connection directly on my NAS PC, so there is no need to configure every device on its own.
But the problem is I can't establish a TAP connection to the VPN server, only TUN connections. (If the server accepted TAP, I could try to bridge eth1 with tap0.)

Is there any other possibility, besides bridging (only possible with TAP), to direct the whole traffic of eth1 via the VPN connection (TUN)?

thanks

Lorenz

Posted 2015-11-17T14:41:33.800

Reputation: 11

It sounds like you are trying to make your Debian Jessie PC a router for all the devices on your network, but instead of simply passing packets to the upstream router you want to send all packets to a VPN server? – dotvotdot – 2015-11-24T12:54:56.237

Answers

0

But the problem is I can't establish a TAP connection to the VPN server, only TUN connections.

You cannot mix TUN and TAP mode. They are mutually exclusive. If you run TUN on your server you must run TUN on your client, and likewise with TAP.

I cannot make this any clearer. You must run the same device on both ends. Full stop.

dotvotdot

Posted 2015-11-17T14:41:33.800

Reputation: 496

I know. My problem is the server only accepts TUN. Is there any other chance to route the traffic incoming on eth1 through the VPN connection? Until now I bridged eth0 and eth1, so I could monitor the passing traffic. The monitoring isn't that important when I'm able to use the VPN connection. – Lorenz – 2015-11-21T15:04:18.903

0

The keyword is routing. (thanks to @dotvotdot)

I achieved my goal by running an OpenVPN client and a DHCP server on my NAS. I also set the IP of eth1 to static.

My current routing rules:

```bash
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "Use VPN IP for eth0"
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Use VPN IP for tun0"
iptables -A FORWARD -s 192.168.101.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j REJECT -m comment --comment "Block traffic from clients to eth0"
iptables -A FORWARD -s 192.168.101.0/24 -i eth1 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic from clients to tun0"
```

source: http://blog.frd.mn/raspberry-pi-vpn-gateway/

Lorenz

Posted 2015-11-17T14:41:33.800

Reputation: 11
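The routing-based gateway from the answer above, written out as an added example (not Lorenz's script): it generates the ruleset in iptables-restore format with a default-deny FORWARD chain, so that clients on eth1 are rejected rather than silently sent out eth0 if tun0 goes away, and it includes a small check that the gateway's own default route really leaves via the TUN device. Interface names, the LAN subnet and the sample `ip route get` lines are assumptions.

```bash
#!/bin/sh
# Added example, not from the original answer. Assumed interface names and
# LAN subnet; override via environment variables if yours differ.
LAN_IF="${LAN_IF:-eth1}"                # switch with the client devices
WAN_IF="${WAN_IF:-eth0}"                # router / ISP uplink
VPN_IF="${VPN_IF:-tun0}"                # OpenVPN TUN device
LAN_NET="${LAN_NET:-192.168.101.0/24}"  # clients served by the DHCP server on eth1

# Print the ruleset in iptables-restore format. Unlike the answer's rules,
# FORWARD defaults to DROP: only established flows and new client flows
# towards the VPN are forwarded, and client traffic towards eth0 is rejected.
gateway_ruleset() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -i $LAN_IF -o $VPN_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Extract the outgoing device from one line of "ip route get <addr>" output,
# e.g. "192.0.2.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0" gives "tun0".
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Succeeds when the gateway itself routes Internet-bound traffic via the VPN.
# With the FORWARD rules above, a wrong device here means clients are being
# rejected (not leaked via eth0), which is the symptom to look for.
vpn_is_default_route() {
    [ "$(route_dev "$(ip route get 192.0.2.1 2>/dev/null)")" = "$VPN_IF" ]
}

# Load the rules (needs root); forwarding must be enabled for the gateway to work.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gateway_ruleset | iptables-restore
}
```

Run `gateway_ruleset` first to review the rules, then `apply_ruleset` as root once the OpenVPN client is up; persist them with your distribution's iptables-persistent mechanism if you want them to survive a reboot.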