How can I forward hostapd traffic through a PPTP VPN?

3

1

I'm trying to set up my own little access point and I've got two core elements of it working.

  1. The WiFi Access point is connectible. I can access a webserver on the router
  2. SSH-ing into the router, I can connect to the outside internet via PPTP

Does anyone know of any way I can connect the two elements together?

Joe Simpson

Posted 2013-09-28T19:11:09.987

Reputation: 115

Answers

2

First you need to enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then presuming that your VPN assigns a static IP you'll need SNAT:

iptables -t nat -A POSTROUTING -o <TUNNEL INTERFACE> -j SNAT --to-source <VPN IP>

replacing <TUNNEL INTERFACE> and <VPN IP> as appropriate, ofc. If your VPN gives you a dynamic IP, you'll need to use MASQUERADE instead:

iptables -t nat -A POSTROUTING -o <TUNNEL INTERFACE> -j MASQUERADE

Then check that your routing table is correct with:

route -n

check that you have a line similar to this:

0.0.0.0         <VPN ENDPOINT IP>     0.0.0.0         UG    2      0        0 <VPN INTERFACE>

if it's missing, add it:

route add default gw <VPN ENDPOINT IP> dev <VPN INTERFACE>

Each distro has its own methods of making these changes permanent/persistent, so I'd need more info to help in that regard.

Nanzikambe

Posted 2013-09-28T19:11:09.987

Reputation: 627

I am using Debian on a Raspberry Pi.

I'm able to send packets as running tcpdump on ppp0 shows:

12:03:48.687991 IP rras-10-34-9-1.ncl.ac.uk.38988 > google-public-dns-b.google.com.domain: 10290+ A? accounts.google.com. (37) – Joe Simpson – 2013-10-03T12:05:19.690

Oh wait, I can access Google via ip address over the network now, but dns isn't working at all – Joe Simpson – 2013-10-03T12:26:35.797

You'll need to be more specific, DNS isn't working from where? What's the content of the Pi's /etc/resolv.conf? The client's /etc/resolv.conf? What's the Pi's routing table? Is /proc/sys/net/ipv4/ip_forward set to 1, etc. etc. – Nanzikambe – 2013-10-03T15:45:03.633

Yeah. I can access Google directly via IP address and DNS works fine from the Pi itself. DNS simply isn't working from a computer on the network – Joe Simpson – 2013-10-03T15:46:12.967

After doing a random test on changing DNS servers, it seemed my Uni VPN blocked any DNS that wasn't going to their DNS servers. Thanks anyway :) – Joe Simpson – 2013-10-04T19:32:42.337
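The answer above ends up checking three things by hand: ip_forward, a default route via the tunnel, and a SNAT/MASQUERADE rule on it. The following is an added example, not code from the answers or comments, that runs those checks over captured text of /proc/sys/net/ipv4/ip_forward, `route -n` and `iptables -t nat -S POSTROUTING`; the sample outputs and the 10.0.0.1 gateway are constructed, and ppp0/wlan0 are assumed interface names.

```python
import re
from typing import List, Optional

def ip_forward_enabled(proc_text: str) -> bool:
    """Content of /proc/sys/net/ipv4/ip_forward; the Pi routes nothing unless it is 1."""
    return proc_text.strip() == "1"

def default_route_iface(route_n_output: str) -> Optional[str]:
    """Interface of the 0.0.0.0/0 line in `route -n` output, or None if there is none."""
    for line in route_n_output.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0] == "0.0.0.0" and cols[2] == "0.0.0.0":
            return cols[7]
    return None

def nat_rules_for(iptables_s_output: str, out_iface: str) -> List[str]:
    """POSTROUTING rules (from `iptables -t nat -S POSTROUTING`) that NAT traffic leaving out_iface."""
    pattern = re.compile(rf"-o {re.escape(out_iface)}(\s|$).*-j (MASQUERADE|SNAT)")
    return [r for r in iptables_s_output.splitlines() if pattern.search(r)]

def check_setup(proc_text: str, route_n_output: str, nat_output: str,
                tunnel_iface: str = "ppp0") -> List[str]:
    """Return the problems found; an empty list means client traffic should flow through the tunnel."""
    problems = []
    if not ip_forward_enabled(proc_text):
        problems.append("ip_forward is not 1: echo 1 > /proc/sys/net/ipv4/ip_forward")
    via = default_route_iface(route_n_output)
    if via is None:
        problems.append(f"no default route: route add default gw <VPN ENDPOINT IP> dev {tunnel_iface}")
    elif via != tunnel_iface:
        # Security-relevant case: clients' traffic leaves in the clear instead of via the VPN.
        problems.append(f"default route leaves via {via}, not {tunnel_iface}: clients bypass the VPN")
    if not nat_rules_for(nat_output, tunnel_iface):
        problems.append(f"no SNAT/MASQUERADE on {tunnel_iface}: replies cannot reach the clients")
    return problems

# Constructed sample output (10.0.0.1 is a placeholder gateway, not a real endpoint).
ROUTE_OK = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    2      0        0 ppp0
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
"""
# Same table but with the default route pointing at eth0 instead of the tunnel.
ROUTE_LEAK = ROUTE_OK.replace("0 ppp0\n10.0.0.1", "0 eth0\n10.0.0.1")
NAT_OK = "-P POSTROUTING ACCEPT\n-A POSTROUTING -o ppp0 -j MASQUERADE\n"
```

Feed it the real files and command output on the router; `check_setup("1\n", ROUTE_OK, NAT_OK)` returns `[]`, while the leaking table with ip_forward off and an empty nat table yields three problems.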

0

After installing pptpd and struggling to get my VPN connection to forward any traffic when connected, I used the iptables rules below and it worked perfectly! I didn't need LAN access in either direction, so I didn't use those rules, but the VPN Client <-> World ones helped a lot.

I'm sharing the rules here if someone wants them.

# Allow traffic initiated from VPN to access LAN
# (iptables matches an interface prefix with a trailing "+", so ppp+ covers ppp0, ppp1, ...)
iptables -I FORWARD -i ppp+ -o eth0 \
    -s 10.0.0.0/24 -d 192.168.0.0/24 \
    -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i ppp+ -o eth1 \
    -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from LAN to access "the world"
iptables -I FORWARD -i eth0 -o eth1 \
    -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT

# Notice that -I is used, so when listing it (iptables -vxnL) it
# will be reversed.  This is intentional in this demonstration.

# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o eth1 \
    -s 10.0.0.0/24 -j MASQUERADE

# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o eth1 \
    -s 192.168.0.0/24 -j MASQUERADE

Of course, I assume you have already done

echo 1 > /proc/sys/net/ipv4/ip_forward

logicbloke

Posted 2013-09-28T19:11:09.987

Reputation: 1