Create a bridge between a tunnel and ethernet device
Solution 1
You need to implement policy routing, which means having two routing tables. We shall not touch the main
routing table which is already correctly setup. If you have enabled IPv4 forwarding, it will automatically push the packets from eth1 through your OpenVPN.
First, we need to learn how your OpenVP sets up the routing table. To this, end, start the OpenVPN client from the command line:
sudo openvpn --config YourConfigFile.conf
(or YourConfigFile.ovpn
, whichever you use). The last lines will tell you how it sets up the new routing table, for instance in my case it says:
Tue Jul 14 18:58:07 2015 /sbin/ip route add My.Server.Public.IPaddress/32 via 192.168.105.1
Tue Jul 14 18:58:07 2015 /sbin/ip route add 0.0.0.0/1 via 10.8.73.5
Tue Jul 14 18:58:07 2015 /sbin/ip route add 128.0.0.0/1 via 10.8.73.5
Tue Jul 14 18:58:07 2015 /sbin/ip route add 192.168.73.0/24 via 10.8.73.5
Tue Jul 14 18:58:07 2015 /sbin/ip route add 10.8.73.0/24 via 10.8.73.5
Tue Jul 14 18:58:07 2015 Initialization Sequence Completed
The routes above should be introduced into an executable file, except that some of these numbers are peculiar to this particular instance of the VPN. OpenVPN however provides useful environmental variables which will hold the values of the interfaces used above, and which come in very handy: in this specific case, they are
route_net_gateway -> 192.168.105.1
route_vpn_gateway -> 10.8.73.5
Thus the lines you need to add to a file (let's call it /etc/openvpn/route_up.sh
) are:
/sbin/ip route add Your.OpenVPN.Server.IPAddress/32 via $route_net_gateway table vpn
/sbin/ip route add 0.0.0.0/1 via $route_vpn_gateway table vpn
/sbin/ip route add 128.0.0.0/1 via $route_vpn_gateway table vpn
/sbin/ip route add Remote.LAN.Net/24 via $route_vpn_gateway table vpn
/sbin/ip route add 172.18.2.0/24 via $route_vpn_gateway table vpn
Remember to substitute, in the above, the IP address of your remote server, and of its local LAN if you use it; if you are just using the OpenVPN to obtain an IP of your server, then you do not need the next to the last statement at all. Remember to make the file executable, chmod 700 route_up.sh
.
Also, you will also have to create a new file, /etc/openvpn/route_down.sh
, also executable, which tears down exactly the same routes (just change add
to del
).
Now we need to tell your OpenVPN to avoid implementing the routes, because we will do this manually: in your YourConfigFile.conf, add the following lines:
route-nopull
up /etc/openvpn/route_up.sh
down /etc/openvpn/route_down.sh
Lastly, we need to setup the different routing table for the VPN. Add a new routing table, let's call it vpn
:
echo 200 vpn >> /etc/iproute2/rt_tables
Now we introduce a rule:
ip rule add from 10.0.0.0/24 table vpn
where I assumed that the network behind eth1
is 10.0.0.0/24
, if it is not please change accordingly.
Lastly, you will have to introduce a MASQUERADE iptables rule:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
This is it.
Solution 2
If I understand correctly you are trying to make a dual ethernet VPN passthrough, which the data comes in through eth1
, and eth0
connects to the router (outbound to the Internet).
You can use iptables to redirect your eth1
traffic to tun0
:
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
Related videos on Youtube
De Gao
Software Engineer over 10 yrs. Mainly in Java and Javascript. Also painter(on wall), joinery, and fix everything.
Updated on September 18, 2022Comments
-
De Gao over 1 year
I have a Raspberry pi with Debian wheezy. There are three connections exists:
eth0: native usb ethernet, connected to the router. eth1: plug-in usb ethernet adapter tun0: tunnel created by openconnect vpn client
Now, I want to create a bridge between
eth1
andtun0
, so that all the traffic frometh1
are routed to the VPN. There is no application running on the OS needs the VPN connection.------------------------ | OS Local --> eth0 --|--> router | | | Debian Wheezy | | | --|--> eth1 --> tun0 ----|--> vpn server ------------------------
I did some research and it turns out that
tun0
is a layer 3 device whileeth1
is a layer 2 device. They can't talk to each other directly. The first thing come to my mind is if I can create atun1
frometh1
and connecttun1
andtun0
. But is it possible? How can I do this?Any ideas? Thanks.
UPDATE: Current route table after vpn connected:
default dev tun0 scope link default via 192.168.0.1 dev eth0 metric 202 44.33.22.11 via 192.168.0.1 dev eth0 src 192.168.0.14 172.18.2.0/24 dev tun0 scope link 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.14 metric 202
-
Lennart Rolland over 6 years@MariusMatutiae: I would love clarification on Your.OpenVPN:server.IPAddress and Remote.LAN.Net. the first is "public ip" of server? and what is the other? Thanks!
-
MariusMatutiae over 6 years@LennartRolland 1): Yes. 2): It is the LAN in which the OpenVPN server is immersed, sometimes you want to have access to it. For instance, suppose you have setup an OpenVPN server at home, and you connect to it when you are away. Then you will certainly want to connect to your OpenVPN server and to its LAN (which appears as remote to you, when you are away from home). If instead you are using an OpenVPN server provided by a commercial enterprise, for instance to allow you to bypass geo-restrictions, then you have no interest to contact the LAN in which the server resides.
-
Lennart Rolland over 6 years@MariusMatutiae: Thank you that cleared it up perfectly!