I'm trying to route traffic destined for the public Internet through an OpenVPN network, where the traffic will exit the VPN through another client on the network (that happens to be a VirtualBox VM).
To explain the topology I'll use client A as the traffic originator, and client E as the desired exit/supposed origin point of the traffic. Both clients and the server are Linux machines.
Clients A and E are both connected to an OpenVPN server and have local addresses on a subnet created by the server; let's say 10.8.0.0/16, where the server has 10.8.0.1, and the clients A, E, have ...2, and ...3. The clients can reach each other through the server. The OpenVPN server also has a GRE tunnel to client E that runs on top of the OpenVPN connection.
Currently, the abstract topology/flow looks like this:
(A) ={OpenVPN}=> (OpenVPN Server) ={GRE in OpenVPN}=> (E) -> ...
The issue I'm having is that once the traffic reaches client E it isn't being sent through E's default gateway and into the public Internet.
The relevant configuration of the clients is as follows:
A:
default gateway is the OpenVPN server (10.8.0.1)
OpenVPN server:
ip rule add from 10.8.0.2 lookup node
The routing table 'node' has the routes:
default dev gre5 scope link
10.8.0.0/16 dev tun0 proto static scope link src 10.8.0.1
E:
default gateway is the VirtualBox nat network (through which it has a working Internet connection)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
The iptables policy for E's filter table is to accept everything.
Using tcpdump I can see the packets from A coming out of E's GRE tunnel interface, but they seem to drop on E. I've been able to verify they're not being forwarded through any of E's interfaces (loopback, the virtual tunnels nor the VBox nat network interface; eth0 above).
Am I missing some extra/special configuration to do with the GRE tunnel, or something related to it? Does this issue relate to the fact that the end point client is a VM?
Optionally, is there a better way to direct traffic meant for foreign networks through an OpenVPN network and out a client?
I'm happy to provide further details if needed.
Routing table of E, as requested by @MariusMatutiae
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        *               255.255.0.0     U     0      0        0 tun0
10.10.5.0       *               255.255.255.0   U     0      0        0 gre5
192.168.56.0    *               255.255.255.0   U     0      0        0 eth1
Where eth0 is connected to the VBox nat network, eth1 is connected to a host only network that I use to ssh into the VM, tun0 is the OpenVPN interface, and gre5 is the interface to the GRE tunnel.
Pls post the routing table of E. – MariusMatutiae – 2016-06-01T07:05:00.937
@MariusMatutiae: I've updated the OP as per your request. – ThomasL744 – 2016-06-01T14:28:52.453
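Added example, not part of the original post or its comments: a strict reverse-path check (the test Linux applies when rp_filter is 1, per RFC 3704 strict mode) run offline over E's posted routing table. It assumes the forwarded packets keep A's source address 10.8.0.2 and arrive on gre5 as described; whether rp_filter is enabled on E is not stated on the page, and the function names and the 10.10.5.1 and 203.0.113.10 addresses are constructed for illustration.

```python
import ipaddress

# E's routing table as posted in the question ('*' means no gateway).
ROUTES_E = """\
default 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 * 255.255.255.0 U 0 0 0 eth0
10.8.0.0 * 255.255.0.0 U 0 0 0 tun0
10.10.5.0 * 255.255.255.0 U 0 0 0 gre5
192.168.56.0 * 255.255.255.0 U 0 0 0 eth1
"""

def parse_routes(text):
    """Return [(network, iface)] from `route`-style lines."""
    routes = []
    for line in text.strip().splitlines():
        dest, _gw, mask, *_rest, iface = line.split()
        cidr = "0.0.0.0/0" if dest == "default" else f"{dest}/{mask}"
        routes.append((ipaddress.ip_network(cidr), iface))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    return max(matches)[1] if matches else None

def strict_rpf_accepts(routes, src, ingress_iface):
    """Strict mode: accept only if the best route back to the source
    leaves through the interface the packet arrived on."""
    return lookup(routes, src) == ingress_iface

def report(routes, src, ingress_iface):
    """One-line verdict for a packet with source src seen on ingress_iface."""
    back = lookup(routes, src)
    verdict = "accept" if back == ingress_iface else "drop"
    return f"src {src} in on {ingress_iface}, route back via {back}: {verdict}"

if __name__ == "__main__":
    routes = parse_routes(ROUTES_E)
    # A's packets, seen leaving the GRE tunnel interface in tcpdump.
    print(report(routes, "10.8.0.2", "gre5"))
    # Constructed: a source on the GRE subnet itself, for comparison.
    print(report(routes, "10.10.5.1", "gre5"))
    # Constructed public destination: where E would forward it.
    print("forward 203.0.113.10 via", lookup(routes, "203.0.113.10"))
```

On a live host the matching settings are the net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter sysctls, and the kernel applies the higher of the two values for the receiving interface.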