Routing Debian with VPN
by CrazyDavy from LinuxQuestions.org on (#4X0DG)
I have a Debian Stretch based router that uses routing tables and fwmarks/ip-rules to direct inet traffic. Up until yesterday the only allowed access to the wan port was the ISP router/dhcp and VPN node connections. My video streaming device has its own VPN tunnel. Everything worked just fine for several months, then I decided to try and get Amazon Prime through the router as well. To do this I created an ipset of the few Amazon servers which require wan connections. This set was added in the mangle table PREROUTING chain used for controlling inet traffic. Now Amazon Prime works fine, but the web-browser on the router hangs whenever I try to purchase something and the Amazon store IP is in the ipset. I must have a deficiency in the routing rules/tables. I've struggled with this for a while and I just don't understand why the traffic on the router's web-browser is trying to use this path. Any help would be appreciated.
The PREROUTING chain in the mangle table is as follows:
Code:
# Set mark for wan port table
-N ANDROID_WAN
-A ANDROID_WAN -j MARK --set-mark 0x0001/0x000F
-A ANDROID_WAN -j CONNMARK --save-mark
# Set mark for streamers own tunnel tungw3
-N ANDROID_VPNTUN
-A ANDROID_VPNTUN -j MARK --set-mark 0x000C/0x000F
-A ANDROID_VPNTUN -j CONNMARK --save-mark
-N OUT_IFACE
-A PREROUTING -i br0 -j OUT_IFACE
# Is destination local network, return
-A OUT_IFACE -d 192.168.252.192/26 -j RETURN
-A OUT_IFACE -d 127.0.0.0/8 -j RETURN
-A OUT_IFACE -d 224.0.0.0/8 -j RETURN
-A OUT_IFACE -d 239.0.0.0/8 -j RETURN
-A OUT_IFACE -d 255.255.255.255 -j RETURN
# Only clients with Inet access
-A OUT_IFACE --match set ! --match-set LanIpClientInetAllow src -j RETURN
-A OUT_IFACE -j CONNMARK --restore-mark
# Only mark packets not already marked for wan or a vpn tunnel
-A OUT_IFACE --match mark ! --mark 0x0000/0x000F -j RETURN
# Tv Box through tungw3 or wan0 !!!! Added rule/set for Amazon !!!!
-A OUT_IFACE -s 192.168.252.205 --match set --match-set WanIpPortAllowed dst,dst -g ANDROID_WAN
-A OUT_IFACE -s 192.168.252.205 -g ANDROID_VPNTUN
# Other Inet through random tunnel
-A OUT_IFACE --match statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 0x000A/0x000F
-A OUT_IFACE --match statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 0x000B/0x000F
-A OUT_IFACE -j CONNMARK --save-mark
# Test to see if problem could be fixed
-N LO_VPNTUN
# Route router 'gate' through router's tunnel tungw0
-A OUTPUT -s gate -g LO_VPNTUN
# Current VPN server for tungw0
-A OUTPUT -s 10.8.8.4 -g LO_VPNTUN
# Is destination local network, return
-A LO_VPNTUN -d 192.168.252.192/26 -j RETURN
-A LO_VPNTUN -d 127.0.0.0/8 -j RETURN
-A LO_VPNTUN -d 224.0.0.0/8 -j RETURN
-A LO_VPNTUN -d 239.0.0.0/8 -j RETURN
-A LO_VPNTUN -d 255.255.255.255 -j RETURN
# Hopefully only inet addresses by now.
-A LO_VPNTUN -j CONNMARK --restore-mark
# Only mark packets not already marked for wan or a vpn tunnel
-A LO_VPNTUN --match mark ! --mark 0x0000/0x000F -j RETURN
-A LO_VPNTUN -j MARK --set-mark 0x0009/0x000F
-A LO_VPNTUN -j CONNMARK --save-mark
The rule set
Code:
0: from all lookup local
800: from all to 104.246.154.129 lookup wan0 # Isp
801: from all to 174.4.224.1 lookup wan0 # Isp
900: from all to 172.83.40.194 lookup wan0 # tungw0 node connect
903: from all to 176.113.74.253 lookup wan0 # tungw3 node connect
1000: from all fwmark 0x9/0xf lookup tungw0 # New!, added for browser problem
1001: from all fwmark 0x1/0xf lookup wan0 # Amazon Prime servers
1101: from all fwmark 0xa/0xf lookup tungw1
1102: from all fwmark 0xb/0xf lookup tungw2
1103: from all fwmark 0xc/0xf lookup tungw3 # Streamer tunnel
1104: from all fwmark 0xd/0xf lookup tungw4
32765: from all lookup main
32766: from all lookup tungw0 # Default path
32767: from all lookup default
Table wan0
Code:
default via 104.246.154.129 dev wan0
104.246.154.128/25 dev wan0 scope link src 104.246.154.155
Table tungw0
Code:
default via 10.8.8.1 dev tungw0
10.8.8.0/24 dev tungw0 scope link src 10.8.8.4
Table tungw3
Code:
default via 10.8.8.1 dev tungw3
10.8.8.0/24 dev tungw3 scope link src 10.8.8.3
When the web-browser on the router hangs I can see the VPN server for tungw0 (10.8.8.4) trying to use the wan0 device port via Wireshark. Why?? This didn't happen before I added rules 1000/1001 and the jump for set WanIpPortAllowed in the mangle table chain (plus the fix-it chain in mangle).
Thanks
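To check which table and device a packet with a given fwmark actually hits, here is an added Python model of the posted ip rules and the three posted routing tables (it is not code from the post). The local and main tables, the absent tungw1/2/4 tables and the Amazon-side address 203.0.113.10 are constructed stand-ins.

```python
import ipaddress
# Policy rules as posted: (priority, selector, table). "to" is a destination prefix,
# "fwmark" is (value, mask). Rule 32767 is left out because its table is not shown.
RULES = [
    (0, {}, "local"),
    (800, {"to": "104.246.154.129/32"}, "wan0"),
    (801, {"to": "174.4.224.1/32"}, "wan0"),
    (900, {"to": "172.83.40.194/32"}, "wan0"),
    (903, {"to": "176.113.74.253/32"}, "wan0"),
    (1000, {"fwmark": (0x9, 0xF)}, "tungw0"),
    (1001, {"fwmark": (0x1, 0xF)}, "wan0"),
    (1101, {"fwmark": (0xA, 0xF)}, "tungw1"),
    (1102, {"fwmark": (0xB, 0xF)}, "tungw2"),
    (1103, {"fwmark": (0xC, 0xF)}, "tungw3"),
    (1104, {"fwmark": (0xD, 0xF)}, "tungw4"),
    (32765, {}, "main"),
    (32766, {}, "tungw0"),
]

# Tables wan0/tungw0/tungw3 as posted. "local" and "main" are constructed stand-ins from the
# LAN prefix in the post; tungw1/2/4 are not shown, so a rule pointing at them falls through.
TABLES = {
    "local": {"127.0.0.0/8": "lo"},
    "main": {"192.168.252.192/26": "br0"},
    "wan0": {"0.0.0.0/0": "wan0", "104.246.154.128/25": "wan0"},
    "tungw0": {"0.0.0.0/0": "tungw0", "10.8.8.0/24": "tungw0"},
    "tungw3": {"0.0.0.0/0": "tungw3", "10.8.8.0/24": "tungw3"},
}

def lookup(table, dst):
    """Longest-prefix match in one table; None means no route, so the rule falls through."""
    nets = [(ipaddress.ip_network(p), d) for p, d in TABLES.get(table, {}).items()]
    hits = [(n, d) for n, d in nets if dst in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def route(dst, mark=0):
    """Walk the rules in priority order; return (rule priority, table, egress device)."""
    dst = ipaddress.ip_address(dst)
    for prio, sel, table in sorted(RULES, key=lambda r: r[0]):
        if "to" in sel and dst not in ipaddress.ip_network(sel["to"]):
            continue
        if "fwmark" in sel and (mark & sel["fwmark"][1]) != sel["fwmark"][0]:
            continue
        dev = lookup(table, dst)
        if dev is not None:
            return prio, table, dev
    return None

def marks_for_device(dst, dev):
    """Which of the 16 low-nibble marks send dst out through dev under these rules."""
    return [m for m in range(16) if (route(dst, m) or (None,) * 3)[2] == dev]
```

In this model an Internet destination reaches wan0 only through rule 1001 (mark 0x1/0xf) or the ISP/node "to" rules, and a LAN destination carrying mark 0xC would be sent into tungw3 before the main table is consulted, which is why the RETURN rules for local networks have to come before any marking.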