Sharing OpenVPN to specified IP-range on the local LAN

Is it possible, and how, to share an OpenVPN (currently Anonine) connection to specified IP addresses on the local LAN? The local LAN consists of Windows and Linux machines and Android devices.

Current setup, server with Ubuntu Server distribution:

  • eth0: public IP (DHCP, let's say 112.112.112.112), shared to the local LAN with iptables
  • eth1: local LAN (192.168.1.1)
  • tap0: OpenVPN (Anonine DHCP 221.221.221.221) with the configuration option route-nopull

At the moment I'm sharing the public IP to the local LAN with iptables:

iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

What I would like to achieve is to share the eth0 internet connection to the local LAN IP addresses 192.168.1.2 - 192.168.1.19, and they are denied use of the OpenVPN connection tap0.

Then I would like to share the OpenVPN connection to IP addresses greater than 192.168.1.19, and they are denied use of eth0 at any cost.

I will manually add name servers on each client on the local LAN.

--AFTER HOURS OF TRYING--

Route table when route-nopull is used with OpenVPN:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         88.115.14.1     0.0.0.0         UG    0      0        0 eth0
88.115.14.0     *               255.255.224.0   U     0      0        0 eth0
localnet        *               255.255.255.0   U     0      0        0 eth1

And this routing is used when OpenVPN adds its routes:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         46.246.18.101   128.0.0.0       UG    0      0        0 tap0
0.0.0.0         88.115.14.1     0.0.0.0         UG    0      0        0 eth0
46.246.18.100   0.0.0.0         255.255.255.128 U     0      0        0 tap0
80.67.8.213     88.115.14.1     255.255.255.255 UGH   0      0        0 eth0
88.115.14.0     0.0.0.0         255.255.224.0   U     0      0        0 eth0
128.0.0.0       46.246.18.129   128.0.0.0       UG    0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

This is what I used for sharing the public IP (WAN) to the local LAN:

iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE

This is for trying to share the OpenVPN connection to the local LAN:

iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE

The above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN, but it does not work for tap0. If I allow default routes for the OpenVPN then it works for tap0 but not for eth0.

Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?

AnttiQ

Posted 2013-12-16T11:15:06.680

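Added example (not code from either poster): the symptom described above, where tap0 sharing only works once OpenVPN installs its own default routes, follows from the fact that iptables FORWARD and MASQUERADE rules can only permit or rewrite a packet; the outgoing interface is decided by the routing table, and with route-nopull the main table has no route that leads into tap0. Linux policy routing separates the two: packets from the VPN range are marked in the mangle table, an ip rule sends marked packets to a second routing table whose only default route points into tap0, and the main table keeps eth0 as default. The FORWARD chain then enforces that each range may only leave through its own uplink and drops everything else, which is the "at any cost" requirement. The script assumes the interface names and the tap0 gateway 46.246.18.101 taken from the route table in the question; the table number 100 and the fwmark value 0x1 are arbitrary choices of this example. With DRY_RUN set it prints the commands instead of executing them.

```shell
#!/bin/sh
# Split uplinks on a Linux router: 192.168.1.2-19 via eth0, 192.168.1.20-254 via tap0.
# Interface names and VPN_GW come from the question; table/mark values are assumptions.

LAN_IF=eth1
WAN_IF=eth0
VPN_IF=tap0
VPN_GW=46.246.18.101                 # tap0 gateway seen in the poster's route table
VPN_TABLE=100                        # arbitrary secondary routing table id (assumption)
VPN_MARK=0x1                         # arbitrary fwmark (assumption)
VPN_RANGE=192.168.1.20-192.168.1.254
WAN_RANGE=192.168.1.2-192.168.1.19

# run: print the command when DRY_RUN is set, otherwise execute it (needs root).
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

setup_policy_routing() {
  # 1. Secondary table whose only default route leads into the tunnel.
  #    The main table is untouched, so route-nopull can stay enabled.
  run ip route flush table "$VPN_TABLE"
  run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"

  # 2. Mark packets arriving from the LAN with a source in the VPN range, and
  #    let an ip rule route marked packets with the secondary table.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
      -m iprange --src-range "$VPN_RANGE" -j MARK --set-mark "$VPN_MARK"
  run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE"

  # 3. Forwarding policy. Replies first, then one NEW rule per range/uplink pair,
  #    then a DROP so that no LAN host can ever use the "wrong" uplink.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" \
      -m iprange --src-range "$VPN_RANGE" -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
      -m iprange --src-range "$WAN_RANGE" -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -j DROP

  # 4. NAT on each uplink; MASQUERADE picks the address of the interface used.
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

  # 5. Strict reverse-path filtering would drop replies that come back on tap0
  #    while the main table says the source is reachable via eth0; use loose mode.
  run sysctl -w net.ipv4.conf.all.rp_filter=2
  run sysctl -w net.ipv4.ip_forward=1
}

# Usage:  sh split-uplink.sh --dry-run   (print the commands)
#         sh split-uplink.sh --apply     (execute, as root)
case "${1:-}" in
  --dry-run) DRY_RUN=1; setup_policy_routing ;;
  --apply)   setup_policy_routing ;;
esac
```

Two practical notes. The tap0 gateway changes whenever the VPN reconnects; with route-nopull OpenVPN still exports it to --up/--route-up scripts in the route_vpn_gateway environment variable, so the `ip route add ... table 100` step belongs in such a script rather than in a static file. To verify the split from the router, `ip route get 8.8.8.8 from 192.168.1.30 iif eth1` should name tap0 and `ip route get 8.8.8.8 from 192.168.1.5 iif eth1` should name eth0 (the destination is just an example address).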
Answers

Yes, it is not difficult, just some work. You will have to configure your Ubuntu PC as a router; there are a billion guides all over the Internet.

There are a few tricks:

1) Do not install a DHCP/dnsmasq server; there is no need for it: you already have one on your network.

2) Most guides will tell you:

you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN

This is correct, but in order to route the other PCs through the VPN, you must substitute tap0/tun0 (depending on what you use) for eth0, the interface on the WAN.

Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have PCs connecting to you through interface eth0:1, and your PC will forward this communication to the interface tap0. This works beautifully, not to worry; it just cuts your throughput in half at peak times.

3) You will have to change the IP address of the default router on all PCs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will also be passed to the PCs for which you do not wish to run this service.

4) You can easily bar some PCs by using iptables to refuse connections from certain IP addresses.

This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of VLAN1.

Edit:

On the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:

 iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
 iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

MariusMatutiae

Posted 2013-12-16T11:15:06.680

I've tried to use Google as much as I can before posting a question here :) My Ubuntu is already "a router" sharing the eth0 connection to the local LAN. I'm not using dhcp/dnsmasq, and I do have eth0 for WAN and eth1 for LAN and tap0 for the OpenVPN connection. – AnttiQ – 2013-12-18T11:24:48.997

@AnttiQ See my edit – MariusMatutiae – 2013-12-18T11:35:07.350

I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table. – AnttiQ – 2013-12-18T11:39:23.507