Routing traffic on ethernet switch through VPN (Ubuntu 20.04)
by __mib137__ from LinuxQuestions.org on (#5KKBF)
Hey,
I'm trying to connect a device connected to my local router through a VPN. My setup is as follows:
Code:
 Router                    Ethernet Switch <----> myDevice
   ^                            ^
   |                            |
   |                            |
   v                            | (USB ethernet adapter)
(iface: eth0)                   | (iface: eth1)
 Ubuntu PC <--------------------+
I also have a VPN tunnel open on the PC using OpenConnect (iface: `tun0`).
Now I want traffic to/from `myDevice` to use the VPN tunnel. I tried to configure a second routing table that will route `eth1` traffic through `tun0` but the forwarding through `tun0` doesn't seem to work. The device still receives traffic through my regular LAN. I'm currently trying to mark all traffic through `eth1` and configure all marked traffic to use the second routing table that has one default route through the VPN. Is there a simpler way to accomplish this? Is there anything obviously wrong with my setup? What I don't understand is why no traffic matches the FORWARD iptables rules.
For reference, this post describes pretty much the same desired setup, but there are no accepted answers on that one.
Here's my configuration:
ip link:
Code:
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.155  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::1966:3ccc:400d:9bef  prefixlen 64  scopeid 0x20<link>
        ether a4:bb:6d:e1:c0:dd  txqueuelen 1000  (Ethernet)
        RX packets 169051  bytes 212717924 (212.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 43449  bytes 8514447 (8.5 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0x92f00000-92f20000

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.246.1  netmask 255.255.255.0  broadcast 192.168.246.255
        ether 70:88:6b:89:3c:bf  txqueuelen 1000  (Ethernet)
        RX packets 326  bytes 187776 (187.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 235  bytes 41389 (41.3 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1390
...
sudo iptables -L -n -v:
Code:
Chain INPUT (policy ACCEPT 26559 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 16263 packets, 2949K bytes)
 pkts bytes target     prot opt in     out     source               destination
sudo iptables -L -n -v -t nat:
Code:
Chain PREROUTING (policy ACCEPT 29 packets, 9835 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 29 packets, 9835 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1096 packets, 263K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1096 packets, 263K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tun0    192.168.246.0/24     0.0.0.0/0
sudo iptables -L -n -v -t mangle:
Code:
Chain PREROUTING (policy ACCEPT 26564 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination
  100 22840 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x2

Chain INPUT (policy ACCEPT 26560 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16263 packets, 2949K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 16293 packets, 2950K bytes)
 pkts bytes target     prot opt in     out     source               destination
ip route show:
Code:
default via 192.168.1.1 dev eth0 proto dhcp metric 101
169.254.0.0/16 dev eth0 scope link metric 1000
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.155 metric 101
192.168.246.0/24 dev eth1 proto kernel scope link src 192.168.246.229 metric 102
second routing table:
Code:
default dev tun0 scope link
Note: this is a cross-post from ServerFault, so if that's against forum rules I'm happy to delete this or that post.
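Added example (editor's, not part of the post above or of OpenConnect): the usual way to build this kind of gateway without fwmark. The policy rule is keyed on the ingress interface (`ip rule add iif eth1 lookup 100`) instead of a mark, so the mangle table is not needed. The extra table gets three routes: the LAN prefix itself (so a strict reverse-path check, which the kernel performs through the same iif rule, resolves back to eth1), the default via tun0, and a lower-priority `unreachable` default that takes over when the tunnel device disappears and its route with it, so LAN traffic can never fall through to the main table and leave via eth0. The filter rules allow LAN to VPN plus replies and reject anything else from the LAN, NAT happens only on tun0, and TCP MSS is clamped because the tunnel MTU shown above is 1390. Two facts are useful when reading counters like the ones in the post: mangle PREROUTING counts every packet that arrives on eth1, while filter FORWARD is reached only by packets that the routing decision hands to another interface, which requires `net.ipv4.ip_forward=1` and a passing rp_filter check; the script prints both knobs before emitting rules. Interface names, the 192.168.246.0/24 prefix, table 100 and priority 100 are assumptions taken from or chosen for this example. Run without arguments to print the commands (dry run); `sh vpn-gateway.sh apply` executes them as root.

```shell
#!/bin/sh
# Added example (not from the original post): route one LAN segment through a VPN tunnel.
# Assumed names: LAN_IF=eth1, VPN_IF=tun0, LAN_NET=192.168.246.0/24; table/priority 100
# are arbitrary choices for this example. Override via environment if the host differs.
set -eu

LAN_IF="${LAN_IF:-eth1}"                # segment with myDevice
VPN_IF="${VPN_IF:-tun0}"                # OpenConnect tunnel device
LAN_NET="${LAN_NET:-192.168.246.0/24}"
TABLE="${TABLE:-100}"                   # policy routing table for LAN-originated traffic
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands, 0 = execute them (needs root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Forwarding must be on for FORWARD to be traversed at all, and strict rp_filter (1) drops
# LAN packets whose reverse lookup (done through the same iif rule) points at the tunnel.
check_forwarding_prereqs() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)
    rpf=$(cat "/proc/sys/net/ipv4/conf/$LAN_IF/rp_filter" 2>/dev/null || echo unknown)
    printf 'ip_forward=%s rp_filter(%s)=%s\n' "$fwd" "$LAN_IF" "$rpf"
}

# Emit the complete rule set in dependency order. Not idempotent for the ip rule line:
# remove it with "ip rule del priority 100" before re-running with apply.
vpn_gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"   # loose mode is sufficient here

    # Policy routing keyed on the ingress interface; no fwmark/mangle needed.
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route replace default dev "$VPN_IF" table "$TABLE"
    # Kill switch: when the tunnel goes away its route is removed and this one wins,
    # so a lookup in this table never falls through to the main table (and eth0).
    run ip route replace unreachable default table "$TABLE" metric 1000
    run ip rule add iif "$LAN_IF" lookup "$TABLE" priority 100

    # Filter: LAN -> VPN, established replies back, explicit reject for everything else.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -j REJECT
    # NAT behind the tunnel address only, and clamp MSS to the tunnel's 1390-byte MTU
    # so LAN TCP sessions do not depend on PMTUD working across the VPN.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    run iptables -t mangle -A FORWARD -o "$VPN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
check_forwarding_prereqs
vpn_gateway_rules
```

A quick way to confirm the rule is doing its job once applied is `ip route get 8.8.8.8 iif eth1 from 192.168.246.10`, which should report `dev tun0` and `table 100`, while the same query without `iif` still shows the main table's route via eth0.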