AlterX Posted October 9, 2018

OK, so the title may sound more confusing than the problem really is!

So basically I have an Armbian distro configured as NAT, where wlan0 is the internal interface and eth0 is the "public" interface that provides internet (this setup is provided out of the box by armbian-config). My devices connect over wlan0, grabbing an IP, say 172.24.1.114.

I have added a VPN to a remote network, resulting in the creation of ppp0 with IP 10.10.10.12.

Having this info, what I want to achieve is:

* Only one IP (e.g. 172.24.1.114) has to always go towards ppp0 (that is, all traffic back and forth should go to ppp0, so I can both reach machines there and browse the internet with the remote IP)
* All other IPs can normally go towards eth0

Starting from the NAT configured by armbian-config, I have added these extra iptables rules:

-A FORWARD -s 172.24.1.114/32 -i wlan0 -o ppp0 -j ACCEPT
(this is before -A FORWARD -i wlan0 -o eth0 -j ACCEPT created by armbian-config)

-A POSTROUTING -o ppp0 -j MASQUERADE
(order shouldn't matter with -A POSTROUTING -o eth0 -j MASQUERADE created by armbian-config)

-A FORWARD -i ppp0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
(just to be sure!)

These extra rules + the ones from armbian-config seem to work almost well:

From the 172.24.1.114 client I can see the content of a remote web server, say http://10.10.10.20 (so apparently it goes through ppp0).
From the 172.24.1.114 client I can browse the internet, but unfortunately, checking the IP I go out with (using a geo-IP website), it still shows the one from eth0.
All other clients correctly browse the internet going out through eth0.

So to summarize, I can now reach the remote network over the VPN for that IP, but it is not able to browse through ppp0.

Is there someone who can help me with this, since I have run out of ideas?

Thanks
Gio
AlterX Posted October 10, 2018 (Author)

Hello there,

I finally solved the issue! For the sake of information, I explain how I solved it:

First, the required iptables rules are (these give access to the remote VPN's machines):

* -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
* -A POSTROUTING -o ppp0 -j MASQUERADE

Then, to indicate which IP or range of IPs has to take a different route, it is required to use policy rules:

* open /etc/iproute2/rt_tables and put your entry (ID tablename): 100 my_custom_table
* ip rule add from 172.24.1.114/32 table my_custom_table (tells the kernel to use a table other than the main one for the source IP 172.x.x.x)
* ip route add 172.24.1.0/24 dev wlan0 table my_custom_table (required to receive packets back from ppp0)
* ip route add default via 10.10.10.1 dev ppp0 table my_custom_table (routes packets to the VPN's gateway)

Make sure the firewall on the VPN server allows incoming traffic from VPN IPs.

That's all!
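The procedure from the post above, collected into one re-runnable script with a check at the end. This is an added example, not the poster's own script: the interface names, subnets, gateway, client IP and the 100/my_custom_table entry are taken from the thread, while the rule priority 1000, the conntrack match in place of -m state, the idempotency guards (-C before insert, ip route replace) and the 8.8.8.8 probe address are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original poster's script: pins one LAN client to the
# VPN with policy routing, as described in the post above. Interface names,
# subnets and the table name come from the thread; rule priority 1000, the
# conntrack match and the 8.8.8.8 probe address are assumptions of this script.
set -u

LAN_IF=${LAN_IF:-wlan0}               # internal interface (LAN clients)
LAN_NET=${LAN_NET:-172.24.1.0/24}     # LAN subnet
VPN_IF=${VPN_IF:-ppp0}                # VPN interface
VPN_GW=${VPN_GW:-10.10.10.1}          # VPN gateway on the remote side
CLIENT_IP=${CLIENT_IP:-172.24.1.114}  # the one client to send over the VPN
TABLE_ID=${TABLE_ID:-100}
TABLE_NAME=${TABLE_NAME:-my_custom_table}
RULE_PREF=${RULE_PREF:-1000}          # assumed priority; anything below main (32766) works
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# The table name must be registered before "table my_custom_table" resolves
# in ip rule / ip route. Appending to rt_tables is guarded so re-runs add nothing.
register_table() {
    if ! grep -qs "^${TABLE_ID}[[:space:]][[:space:]]*${TABLE_NAME}\$" "$RT_TABLES"; then
        printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    fi
}

# Print, one per line, the commands that implement the set-up for client $1.
# Every line is safe to re-run (the kernel drops routes through ppp0 when the
# link goes down, so this is meant to run again from a ppp ip-up hook):
#   -C checks before inserting, so iptables rules are not duplicated;
#   -I FORWARD 1 places the rules ahead of armbian-config's wlan0->eth0 rule;
#   "ip route replace" is idempotent where "ip route add" fails with EEXIST.
plan_routing() {
    client=$1
    fwd_out="-i $LAN_IF -o $VPN_IF -j ACCEPT"
    fwd_back="-i $VPN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    nat="-o $VPN_IF -j MASQUERADE"
    printf '%s\n' \
        "iptables -C FORWARD $fwd_out 2>/dev/null || iptables -I FORWARD 1 $fwd_out" \
        "iptables -C FORWARD $fwd_back 2>/dev/null || iptables -I FORWARD 1 $fwd_back" \
        "iptables -t nat -C POSTROUTING $nat 2>/dev/null || iptables -t nat -A POSTROUTING $nat" \
        "ip rule del pref $RULE_PREF 2>/dev/null || true" \
        "ip rule add pref $RULE_PREF from $client/32 table $TABLE_NAME" \
        "ip route replace $LAN_NET dev $LAN_IF table $TABLE_NAME" \
        "ip route replace default via $VPN_GW dev $VPN_IF table $TABLE_NAME"
}

# Apply the plan (needs root).
apply_routing() {
    register_table
    plan_routing "$1" | sh -e
}

# Ask the kernel which device it picks for a packet from client $1 that arrives
# on the LAN interface and heads for a public address ($2, default 8.8.8.8).
# Once applied this prints "$VPN_IF"; for any other client it prints the
# upstream interface (eth0 in the thread).
verify_routing() {
    ip -o route get "${2:-8.8.8.8}" from "$1" iif "$LAN_IF" \
        | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

case "${1:-}" in
    plan)   plan_routing "${2:-$CLIENT_IP}" ;;
    apply)  apply_routing "${2:-$CLIENT_IP}" ;;
    verify) verify_routing "${2:-$CLIENT_IP}" ;;
esac
```

Run it as `sh pin-to-vpn.sh plan` to review the commands, `apply` as root (for instance from a script in /etc/ppp/ip-up.d/, because the routes through ppp0 disappear whenever the link drops), then `verify` for the pinned client and for a second client to confirm the split. Note that the custom table holds exactly two routes, the LAN subnet and the default via the VPN, so any other network the pinned client must reach without the VPN needs its own route added to that table.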