Create a bridge between a tunnel and ethernet device


Solution 1

You need to implement policy routing, which means having two routing tables. We shall not touch the main routing table, which is already correctly set up. If you have enabled IPv4 forwarding, it will automatically push the packets from eth1 through your OpenVPN.

First, we need to learn how your OpenVPN sets up the routing table. To this end, start the OpenVPN client from the command line:

    sudo openvpn --config YourConfigFile.conf

(or YourConfigFile.ovpn, whichever you use). The last lines will tell you how it sets up the new routing table, for instance in my case it says:

    Tue Jul 14 18:58:07 2015 /sbin/ip route add My.Server.Public.IPaddress/32 via 192.168.105.1
    Tue Jul 14 18:58:07 2015 /sbin/ip route add 0.0.0.0/1 via 10.8.73.5
    Tue Jul 14 18:58:07 2015 /sbin/ip route add 128.0.0.0/1 via 10.8.73.5
    Tue Jul 14 18:58:07 2015 /sbin/ip route add 192.168.73.0/24 via 10.8.73.5
    Tue Jul 14 18:58:07 2015 /sbin/ip route add 10.8.73.0/24 via 10.8.73.5
    Tue Jul 14 18:58:07 2015 Initialization Sequence Completed

The routes above should be put into an executable file, except that some of these numbers are peculiar to this particular instance of the VPN. OpenVPN, however, provides useful environment variables which hold the values used above, and which come in very handy: in this specific case, they are

      route_net_gateway -> 192.168.105.1
      route_vpn_gateway -> 10.8.73.5 

Thus the lines you need to add to a file (let's call it /etc/openvpn/route_up.sh) are:

    #!/bin/sh
    # Run by OpenVPN's "up" hook; OpenVPN exports route_net_gateway and route_vpn_gateway.
    # Only the server itself stays on the real gateway; everything else goes into the tunnel.
    /sbin/ip route add Your.OpenVPN.Server.IPAddress/32 via $route_net_gateway table vpn
    /sbin/ip route add 0.0.0.0/1 via $route_vpn_gateway table vpn
    /sbin/ip route add 128.0.0.0/1 via $route_vpn_gateway table vpn
    /sbin/ip route add Remote.LAN.Net/24 via $route_vpn_gateway table vpn
    # The VPN's own subnet (172.18.2.0/24 in the question's routing table)
    /sbin/ip route add 172.18.2.0/24 via $route_vpn_gateway table vpn

Remember to substitute, in the above, the IP address of your remote server, and of its local LAN if you use it; if you are just using the OpenVPN to obtain an IP of your server, then you do not need the second-to-last statement at all. Remember to make the file executable: chmod 700 route_up.sh.

You will also have to create a new file, /etc/openvpn/route_down.sh, also executable, which tears down exactly the same routes (just change add to del).

Now we need to tell your OpenVPN not to install the routes itself, because we will do this manually: in your YourConfigFile.conf, add the following lines:

        route-nopull
        # OpenVPN 2.1 and later refuse to run up/down scripts without this
        script-security 2
        up /etc/openvpn/route_up.sh
        down /etc/openvpn/route_down.sh

Lastly, we need to setup the different routing table for the VPN. Add a new routing table, let's call it vpn:

       echo 200 vpn >> /etc/iproute2/rt_tables 

Now we introduce a rule:

     ip rule add from 10.0.0.0/24 table vpn

where I assumed that the network behind eth1 is 10.0.0.0/24, if it is not please change accordingly.

Lastly, you will have to introduce a MASQUERADE iptables rule:

      iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

This is it.

Solution 2

If I understand correctly, you are trying to make a dual-ethernet VPN passthrough, where the data comes in through eth1, and eth0 connects to the router (outbound to the Internet).

You can use iptables to redirect your eth1 traffic to tun0:

    # NAT the forwarded traffic to the tunnel address
    sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    # Allow replies back from the tunnel to eth1
    sudo iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow eth1 clients to be forwarded into the tunnel
    sudo iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
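The two answers leave the pieces scattered: Solution 1's route_up.sh/route_down.sh pair and its one-off `ip rule`/MASQUERADE commands, and Solution 2's FORWARD rules. The script below is an added example, not code from either answer, that puts them in one file: `install` does the one-time setup, and the same file serves as OpenVPN's `up`/`down` script (OpenVPN sets `$script_type`, `$dev`, `$route_net_gateway` and `$route_vpn_gateway` for those). It also adds a kill switch neither answer has: a policy rule whose table contains no matching route falls through to the next rule, i.e. the main table and eth0, so while the tunnel is down eth1's traffic would leak out unencrypted. A permanent `unreachable default` in table vpn, plus a final DROP on forwarding from eth1, closes that. The LAN 10.0.0.0/24 behind eth1, the server address 203.0.113.10 (a documentation address) and the placeholder gateways used for a dry run are all assumptions; `DRY_RUN=1` prints the commands instead of executing them so the logic can be checked without root.

```shell
#!/bin/sh
# Added example (not from either answer). Usage:
#   vpn-eth1.sh install            one-time setup, run as root at boot
#   up/down /etc/openvpn/vpn-eth1.sh   in the OpenVPN config (with route-nopull, script-security 2)
#   DRY_RUN=1 vpn-eth1.sh install  print what would be run
set -e

LAN_IF=${LAN_IF:-eth1}                   # assumed: the clients plug in here
LAN_NET=${LAN_NET:-10.0.0.0/24}          # assumed: their subnet (Solution 1's guess)
VPN_IF=${VPN_IF:-tun0}                   # assumed tunnel device for the boot-time rules
VPN_TABLE=${VPN_TABLE:-vpn}              # "200 vpn" in /etc/iproute2/rt_tables
VPN_SERVER=${VPN_SERVER:-203.0.113.10}   # assumed: the server's public IP
REMOTE_LAN=${REMOTE_LAN:-}               # optional LAN behind the server, e.g. 192.168.73.0/24
DRY_RUN=${DRY_RUN:-0}

# Placeholders for the variables OpenVPN exports, used only when dry-running by hand.
if [ "$DRY_RUN" = 1 ]; then
    : "${dev:=$VPN_IF}" "${route_net_gateway:=192.168.0.1}" "${route_vpn_gateway:=172.18.2.1}"
fi

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Solution 1's route_up.sh and route_down.sh as one function; $1 is add or del.
# Only the server's /32 uses the real gateway; the two /1 halves of the address space
# go into the tunnel and, being more specific, beat any "default" in the same table.
vpn_table_routes() {
    if [ -z "${route_net_gateway:-}" ] || [ -z "${route_vpn_gateway:-}" ]; then
        echo "vpn_table_routes: route_net_gateway/route_vpn_gateway not set (not run by OpenVPN?)" >&2
        return 1
    fi
    tun=${dev:-$VPN_IF}
    run /sbin/ip route "$1" "$VPN_SERVER/32" via "$route_net_gateway" table "$VPN_TABLE"
    run /sbin/ip route "$1" 0.0.0.0/1 via "$route_vpn_gateway" dev "$tun" table "$VPN_TABLE"
    run /sbin/ip route "$1" 128.0.0.0/1 via "$route_vpn_gateway" dev "$tun" table "$VPN_TABLE"
    if [ -n "$REMOTE_LAN" ]; then
        run /sbin/ip route "$1" "$REMOTE_LAN" via "$route_vpn_gateway" dev "$tun" table "$VPN_TABLE"
    fi
}

# One-time setup, independent of the tunnel being up: Solution 1's table and rule,
# Solution 2's NAT/FORWARD rules, and the kill switch.
setup_policy_routing() {
    if ! grep -qs "[[:space:]]$VPN_TABLE\$" /etc/iproute2/rt_tables; then
        run sh -c "echo '200 $VPN_TABLE' >> /etc/iproute2/rt_tables"
    fi
    run sysctl -q -w net.ipv4.ip_forward=1
    # Packets sourced from the LAN behind eth1 consult table vpn before main.
    run /sbin/ip rule add from "$LAN_NET" table "$VPN_TABLE" priority 1000
    # Kill switch: with the tunnel down, table vpn has no route for the Internet and the
    # lookup would fall through to main (and eth0). This default stops it; the /1 routes
    # installed by the up script are more specific and win while the tunnel is up.
    run /sbin/ip route add unreachable default table "$VPN_TABLE"
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    # Nothing from eth1 may be forwarded anywhere but the tunnel.
    run iptables -A FORWARD -i "$LAN_IF" -j DROP
}

# OpenVPN sets script_type to up/down; "install" is our own verb for the boot-time setup.
case "${script_type:-${1:-}}" in
    up)      vpn_table_routes add ;;
    down)    vpn_table_routes del ;;
    install) setup_policy_routing ;;
    *)       : ;;
esac
```

The routes in `vpn_table_routes` name the tunnel device explicitly (`dev $tun`) so the nexthop is resolved against the tunnel even if the main table changes, and the function refuses to run when OpenVPN's gateway variables are missing rather than installing routes with empty nexthops. The `ip rule` and `iptables` lines are appended each time `install` runs, so run it once at boot (or from your firewall script), not from OpenVPN.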

Author: De Gao

Software Engineer over 10 yrs. Mainly in Java and Javascript. Also painter (on wall), joinery, and fix everything.

Updated on September 18, 2022

Comments

  • De Gao
    De Gao over 1 year

    I have a Raspberry Pi with Debian wheezy. There are three connections:

    eth0: native usb ethernet, connected to the router.
    eth1: plug-in usb ethernet adapter
    tun0: tunnel created by openconnect vpn client
    

    Now, I want to create a bridge between eth1 and tun0, so that all the traffic from eth1 is routed to the VPN. No application running on the OS needs the VPN connection.

      ------------------------
      |  OS Local --> eth0 --|--> router
      |                      |
      |   Debian Wheezy      |
      |                      |
    --|--> eth1 --> tun0 ----|--> vpn server
      ------------------------
    

    I did some research and it turns out that tun0 is a layer 3 device while eth1 is a layer 2 device. They can't talk to each other directly. The first thing that comes to mind is whether I can create a tun1 from eth1 and connect tun1 to tun0. But is it possible? How can I do this?

    Any ideas? Thanks.

    UPDATE: Current routing table after the VPN is connected:

    default dev tun0  scope link 
    default via 192.168.0.1 dev eth0  metric 202 
    44.33.22.11 via 192.168.0.1 dev eth0  src 192.168.0.14 
    172.18.2.0/24 dev tun0  scope link 
    192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.14  metric 202 
    
  • Lennart Rolland
    Lennart Rolland over 6 years
    @MariusMatutiae: I would love clarification on Your.OpenVPN.Server.IPAddress and Remote.LAN.Net. Is the first the "public IP" of the server? And what is the other? Thanks!
  • MariusMatutiae
    MariusMatutiae over 6 years
    @LennartRolland 1): Yes. 2): It is the LAN in which the OpenVPN server is immersed; sometimes you want to have access to it. For instance, suppose you have set up an OpenVPN server at home, and you connect to it when you are away. Then you will certainly want to connect to your OpenVPN server and to its LAN (which appears as remote to you, when you are away from home). If instead you are using an OpenVPN server provided by a commercial enterprise, for instance to allow you to bypass geo-restrictions, then you have no interest in contacting the LAN in which the server resides.
  • Lennart Rolland
    Lennart Rolland over 6 years
    @MariusMatutiae: Thank you that cleared it up perfectly!