11

I've used the following guide to set up my raspberry pi as an access point:

Raspberry Pi 3 as wifi access point

I'm forwarding wlan0 to eth0 and NATing all my traffic. Works great!

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT  
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Now I want to set up the same rules except use interface tun0-00 and forward all my traffic through my vpn tunnel. I do want to send all of it, don't want anything leaking out into the host network. Thinkin it goes something like this:

sudo iptables -t nat -A POSTROUTING -o tun0-00 -j MASQUERADE
sudo iptables -A FORWARD -i tun0-00 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0-00 -j ACCEPT

Unfortunately I know that these iptables rules aren't complete... The trouble is that eth0 stays up; the original rule to forward traffic to eth0 still exists.

I want to send all my traffic through the tunnel if the tunnel is open; if not, I'm good with it using eth0.

Update:

Used the -I flag to insert my rules:

sudo iptables -t nat -I POSTROUTING 1 -o tun0-00 -j MASQUERADE
sudo iptables -I FORWARD 1 -i tun0-00 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD 1 -i wlan0 -o tun0-00 -j ACCEPT

The FORWARD chain:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  wlan0  tun0-00  0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  tun0-00 wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     all  --  eth0   wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 ACCEPT     all  --  wlan0  eth0    0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     all  --  wlan1  wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
6        0     0 ACCEPT     all  --  wlan0  wlan1   0.0.0.0/0            0.0.0.0/0

Still no joy, the forwarding doesn't seem to work.

Client VPN Config

I've scrubbed out things that looked sensitive:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote XXX.XXX.XXX.XXX PORT_NUM udp
lport XXX
verify-x509-name "VPN_Certificate" name
pkcs12 CERT_NAME.p12
tls-auth CERTIFICATE-tls.key 1
ns-cert-type server
redirect-gateway local def1

The pi connects just fine and reflects a different public IP. The clients still show the pi as their gateway but they can't connect anymore.

Solution

First I needed to add redirect-gateway def1 into the .ovpn file on the pi.

Then I needed to actually type my interface name in correctly... Ugh. I feel like a crazy person, but apparently I saw tun0-00 in the beginning and that was the only time it existed. The interface is actually just tun0.

So the appropriate iptables commands were:

sudo iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
sudo iptables -I FORWARD 1 -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD 1 -i wlan0 -o tun0 -j ACCEPT

Works great now!

Shrout1
  • 431
  • 1
  • 6
  • 13

2 Answers2

22

You will need both sets of rules within iptables. The two rulesets ensure that traffic leaving by the specified interfaces is appropriately masqueraded. Here is my suggestion, which is a little simpler than yours:

# Masquerade outgoing traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# Allow return traffic
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward everything
iptables -A FORWARD -j ACCEPT

The part of the puzzle that's missing is the routing. If the tunnel is up you want "all" outgoing traffic to use it. Otherwise use the normal route.

This is handled within OpenVPN using the redirect-gateway def1 parameter in your client configuration.

Shrout1
  • 431
  • 1
  • 6
  • 13
roaima
  • 107,089
  • 14
  • 139
  • 261
  • I'll see if that's my issue! Thanks a lot! – Shrout1 May 18 '16 at 00:34
  • Looks great, tried it on ubuntu 16.04 without success. It is working to ping some ip, but can't git clone same IP. Is it possible Ubuntu 16.04 has a different implementation of iptables for forwarding ? Thanks for any help ! – cyberjoac Aug 23 '18 at 15:22
  • 1
    @cyberjoac no it's not possible. You'll have something else configured somewhere. Look at `iptables -nvL` and `iptables -t NAT -nvL` – roaima Sep 03 '20 at 18:49
4

The handy tool is to list existing rules with line-numbers:

iptables --line-numbers -t filter -L FORWARD

You could delete the rules with -D option:

iptables -t filter -D FORWARD 1

You could insert a new rule at specified location with -I option:

iptables -t filter -I FORWARD 0 blah-blah-blah

this would insert a new rule at the very beginning of a table, so it will be consulted in a first turn.

Edit:

Generally, you need only one rule in the FORWARD table that match -m state --state RELATED,ESTABLISHED: 

-I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

as connection tracking would allow all already known connections to be routed.

And yes, you need to set up policy routing to forward your wlan traffic not to default gateway that is most likely reachable through your ethernet interface but trough vpn interface.

Serge
  • 8,371
  • 2
  • 23
  • 28
  • Check my update, don't know what I'm missing... Perhaps it's routing? Not sure why that would be needed when it worked between the interfaces before. – Shrout1 May 18 '16 at 14:20
  • see the edit. we need to set up routing properly because routing decisions are taken not by `iptables` – Serge May 18 '16 at 15:52
  • Ok tried both `redirect-gateway def1` and `redirect-gateway autolocal` in my .ovpn file... No joy. Not sure what I'm doing wrong! Again, the pi itself connects through the tunnel just fine, but not the clients. – Shrout1 May 19 '16 at 18:01
  • did you read the article I pointed? – Serge May 19 '16 at 19:02
  • I did sneek a peek and perhaps I am still too unskilled to understand what I need to do. I'm afraid that if I set a static route to the tunnel that my traffic won't pass through when the tunnel is down. – Shrout1 May 19 '16 at 20:11
  • The static routes these gateways become unreachable upon an interface disconnection are automatically removed. Also, you would need to add a static route in a if-up script of that vpn connection. how exactly did you configure a vpn (post all relevant config files in the question masking public ips and keys) – Serge May 19 '16 at 22:48