Is it possible, and how, to share an OpenVPN (currently Anonine) connection with specified IP addresses on the local LAN? The local LAN consists of Windows and Linux machines and Android devices.
Current setup, server with Ubuntu Server distribution:
- eth0: public IP (DHCP, let's say 112.112.112.112), shared to the local LAN with iptables
- eth1: local LAN (192.168.1.1)
- tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull
At the moment I'm sharing the public IP to the local LAN with iptables:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
What I would like to achieve is to share the eth0 internet connection with the local LAN IP addresses 192.168.1.2 - 192.168.1.19, and they must not be allowed to use the OpenVPN connection tap0.
Then I would like to share the OpenVPN connection with IP addresses greater than 192.168.1.19, and they must not be allowed to use eth0 at any cost.
I will manually add name servers on each client on the local LAN.
--AFTER HOURS OF TRYING--
Routing table when route-nopull is used with OpenVPN:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         88.115.14.1     0.0.0.0         UG    0      0        0 eth0
88.115.14.0     *               255.255.224.0   U     0      0        0 eth0
localnet        *               255.255.255.0   U     0      0        0 eth1
And this routing table is used when OpenVPN adds routes:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         46.246.18.101   128.0.0.0       UG    0      0        0 tap0
0.0.0.0         88.115.14.1     0.0.0.0         UG    0      0        0 eth0
46.246.18.100   0.0.0.0         255.255.255.128 U     0      0        0 tap0
80.67.8.213     88.115.14.1     255.255.255.255 UGH   0      0        0 eth0
88.115.14.0     0.0.0.0         255.255.224.0   U     0      0        0 eth0
128.0.0.0       46.246.18.129   128.0.0.0       UG    0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
This is what I used for sharing the public IP (WAN) to the local LAN:
iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE
This is what I tried for sharing the OpenVPN connection to the local LAN:
iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE
The above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN, but it does not work for tap0. If I allow the default routes from the OpenVPN, then it works for tap0 but not for eth0.
Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?
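The routing-table change the question is looking for is usually done with policy routing: the main table keeps its eth0 default (as it does under route-nopull), a second table holds the tunnel default, and an ip rule selects that table only for packets from the VPN range. The script below is an added example, not code from the question or its comments. The interface names, the two LAN ranges and the tap0 gateway and subnet come from the question's route tables; the table id (100), rule priority (1000) and fwmark (0x1) are assumptions chosen here. It only prints the commands unless APPLY=1 is set, so it can be reviewed on any machine without root.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the policy-routing and
# iptables setup that splits one LAN between the WAN uplink and the VPN
# tunnel by source address. Interfaces, LAN ranges, VPN gateway and VPN
# subnet are taken from the question; table id, rule priority and fwmark
# are assumed values. Run once on fresh chains: the rules are appended.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tap0}"
VPN_GW="${VPN_GW:-46.246.18.101}"       # tap0 gateway from the pushed route table
VPN_NET="${VPN_NET:-46.246.18.100/25}"  # tap0 subnet from the pushed route table
WAN_RANGE="192.168.1.2-192.168.1.19"    # hosts that may only use eth0
VPN_RANGE="192.168.1.20-192.168.1.254"  # hosts that may only use tap0
VPN_TABLE="${VPN_TABLE:-100}"           # assumed: dedicated routing table id
VPN_PRIO="${VPN_PRIO:-1000}"            # assumed: ip rule priority (after "local")
VPN_MARK="${VPN_MARK:-0x1}"             # assumed: fwmark for VPN-bound packets

# Print every command; execute it only when APPLY=1 is set.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then eval "$@"; fi
}

# Forwarding on, and loose reverse-path filtering on the tunnel and LAN side:
# strict rp_filter checks the reply's source against the main table, which
# still says eth0, so replies arriving on tap0 for fwmark-routed flows would
# be dropped silently.
sysctl_settings() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
}

# Second routing table with the tunnel default; packets from the VPN range
# are marked on the LAN side and the rule sends marked packets to that
# table. The WAN range is never marked and keeps using the main table.
policy_routing() {
    run ip route replace "$VPN_NET" dev "$VPN_IF" table "$VPN_TABLE"
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE" priority "$VPN_PRIO"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m iprange --src-range "$VPN_RANGE" -j MARK --set-mark "$VPN_MARK"
}

# Each range may only leave through its own uplink. If tap0 goes down the
# kernel drops the table-100 routes and lookups fall through to the main
# table (eth0); the REJECT rule is what keeps the VPN range from leaking
# out over the WAN in that case, regardless of the default policy.
forward_rules() {
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m iprange --src-range "$WAN_RANGE" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m iprange --src-range "$VPN_RANGE" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m iprange --src-range "$VPN_RANGE" -j REJECT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m iprange --src-range "$WAN_RANGE" -j REJECT
    run iptables -P FORWARD DROP
}

# NAT per uplink; the range match is redundant once routing is correct but
# documents the intent and fails closed if the rules above are edited.
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -m iprange --src-range "$WAN_RANGE" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -m iprange --src-range "$VPN_RANGE" -j MASQUERADE
}

emit_all() {
    sysctl_settings
    policy_routing
    forward_rules
    nat_rules
}

emit_all
```

Review the printed commands first; then `APPLY=1 sh split-routing.sh` applies them. To confirm the split from the router, `ip route get 8.8.8.8 from 192.168.1.30 iif eth1 mark 0x1` should name tap0 and `ip route get 8.8.8.8 from 192.168.1.5 iif eth1` should name eth0 (8.8.8.8 is only a sample destination). Clients need no routing changes: they keep 192.168.1.1 as their gateway, and the source address alone decides the uplink.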
I've tried to use Google as much as I can before posting a question here :) My Ubuntu is already "a router" sharing the eth0 connection to the local LAN. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for the OpenVPN connection. – AnttiQ – 2013-12-18T11:24:48.997
@AnttiQ See my edit – MariusMatutiae – 2013-12-18T11:35:07.350
I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table. – AnttiQ – 2013-12-18T11:39:23.507