Combination of NAT, DHCP, and OpenVPN on lubuntu 14.04


Okay, so I've got a setup where eth0, my internal IP address (192.168.1.3), has been configured as my default gateway using these iptables commands:

  sudo sysctl -w net.ipv4.ip_forward=1
  sudo iptables -P FORWARD ACCEPT
  sudo iptables --table nat -A POSTROUTING -o eth2 -j MASQUERADE

where eth2 is my static IP for the internet.

That works fine: I can access the internet from any computer on my network via DHCP (192.168.1.10-200).

Everything stops working when I run OpenVPN.

Here's my config file: http://pastebin.ubuntu.com/7556511/

That config works without the NAT; that is, on that computer I can browse the web, and if I do

  curl ifconfig.me

it gives me a remote IP address from my VPN provider.

When I say it fails on other computers, I mean I can't load pages, I can't ping, nothing works outside of the network (but I can still SSH in on the internal interface).

HilarieAK

Posted 2014-05-31T05:58:43.443

Reputation: 685

Troubleshooting this with someone on IRC: the output of `cat /proc/sys/net/ipv4/ip_forward` is 1 – HilarieAK – 2014-05-31T06:22:49.457

Answers


The error is in your iptables; the command

  iptables --table nat -A POSTROUTING -o eth2 -j MASQUERADE

should be modified to

  iptables --table nat -A POSTROUTING -o tun0 -j MASQUERADE

If your interface is not called tun0, please change accordingly (BTW, the very same applies if you have a tap interface; just use tap0 in tun0's stead).

In OpenVPN, all traffic exits your PC through the bridge, not the ethernet interface. You cannot, however, apply iptables to a bridge (that requires ebtables), but you can circumvent the problem by applying iptables to the virtual interface.

MariusMatutiae

Posted 2014-05-31T05:58:43.443

Reputation: 41 321

Does this change have the added benefit that the internet will go down if the VPN link fails? – HilarieAK – 2014-05-31T07:45:29.083

@HilarieAK If you call it an added benefit, then yes, it does. When you are off the OpenVPN, you must re-issue the original iptables command. You may want to find a way to script it. – MariusMatutiae – 2014-05-31T07:50:22.427

For the person who finds this post 5 years from now, could you update your answer to go -o tun[X]? Somehow I managed to type it in right before doing the /etc/rc.local thing, actually on it, and spent the last half an hour messing with that. – HilarieAK – 2014-05-31T08:25:56.977

@HilarieAK I just modified my answer as per your suggestion. – MariusMatutiae – 2014-05-31T08:36:04.920

@MariusMatutiae the people of the future thank you! I'd up-vote you but I don't have 15 rep yet. – HilarieAK – 2014-05-31T08:40:33.323

@HilarieAK Now you do, lol. – MariusMatutiae – 2014-05-31T09:50:59.067
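The answer moves the MASQUERADE rule from eth2 to tun0, and the comments note that the original rule has to be re-issued whenever the VPN is down. The script below is an added example (not from the question or the answer) that makes that switch automatic: it masquerades the LAN only on whichever egress interface is currently in use, and removes the stale rule for the other one. It assumes the names from the question (LAN 192.168.1.0/24 behind eth0, WAN on eth2, tunnel tun0); `DRY_RUN=1` is an assumed knob that only prints the commands.

```shell
#!/bin/sh
# Added example: choose the NAT egress interface depending on whether the
# OpenVPN tunnel is up, then (re)apply the MASQUERADE rule for the LAN.
# Assumed names: LAN on eth0 (192.168.1.0/24), WAN on eth2, tunnel on tun0.

LAN_NET="192.168.1.0/24"
WAN_IF="eth2"
VPN_IF="tun0"

# Return 0 if the given interface exists in the kernel (OpenVPN is up), 1 otherwise.
vpn_is_up() {
    [ -d "/sys/class/net/$1" ]
}

# Print the interface that should carry masqueraded LAN traffic.
# Takes "up" or "down" so the decision can be checked without a real tun0.
choose_egress() {
    if [ "$1" = "up" ]; then
        echo "$VPN_IF"
    else
        echo "$WAN_IF"
    fi
}

# Print the iptables commands for the chosen egress. The two -D lines remove
# any earlier masquerade rule for either interface so the old one cannot keep
# leaking LAN traffic out of the wrong path; -s limits NAT to the LAN prefix.
nat_rules() {
    egress="$1"
    printf '%s\n' \
        "iptables -t nat -D POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE 2>/dev/null" \
        "iptables -t nat -D POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE 2>/dev/null" \
        "iptables -t nat -A POSTROUTING -s $LAN_NET -o $egress -j MASQUERADE"
}

# Detect the tunnel state and apply the matching rules (needs root).
# With DRY_RUN=1 the commands are only printed, which is handy for a first check.
apply_nat() {
    if vpn_is_up "$VPN_IF"; then state=up; else state=down; fi
    egress=$(choose_egress "$state")
    nat_rules "$egress" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}
```

Calling `apply_nat` from OpenVPN's `up` and `down` directives (which need `script-security 2` in the config) keeps the NAT rule in step with the tunnel without editing /etc/rc.local by hand; leaving the eth2 fallback out of `choose_egress` gives the "internet goes down with the VPN" behaviour discussed in the comments instead.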