Route internet traffic from openvpn tun0 to eth0


You also need to set up a policy routing table that tells Linux to use the default gateway behind eth0 for VPN users.

So, you would create a new routing table for packets where source IP address is in 192.168.200.0/24, and make the default gateway for that routing table the default gateway behind eth0.
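The policy routing described above, written out as an added example rather than the answerer's own commands. It assumes the eth0 gateway address is passed as the script argument, routing table number 200, and TCP ports 80 and 443 standing in for the "chosen ports" from the question; DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from the original post or answer): a source-based policy
# routing table that sends packets from the tun0 pool out through eth0's gateway.
# Assumed values: the eth0 gateway is passed as $1, table number 200, and the
# "chosen ports" are TCP 80 and 443 (constructed for the example).
# DRY_RUN=1 prints each command instead of executing it.
set -eu

VPN_NET="192.168.200.0/24"
TABLE_ID=200                                      # optionally name it in /etc/iproute2/rt_tables
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80,443}"  # constructed example ports

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

setup_vpn_policy_routing() {
    gw="${1:?eth0 gateway address required}"

    # Table 200: default via eth0's gateway; keep the VPN pool itself on tun0 so
    # client-to-client and server-to-client replies do not leave via eth0.
    # Add further "table $TABLE_ID" routes for any internal networks VPN users must reach.
    run ip route replace default via "$gw" dev eth0 table "$TABLE_ID"
    run ip route replace "$VPN_NET" dev tun0 table "$TABLE_ID"

    # Source-based rule: packets from the pool consult table 200 before main.
    # Delete first so re-running the script does not stack duplicate rules.
    run ip rule del from "$VPN_NET" lookup "$TABLE_ID" priority 1000 2>/dev/null || true
    run ip rule add from "$VPN_NET" lookup "$TABLE_ID" priority 1000
    run ip route flush cache

    # Replies enter on eth0 while main's default route points at eth1, so strict
    # reverse-path filtering would drop them; loose mode (2) keeps the check.
    run sysctl -w net.ipv4.conf.eth0.rp_filter=2
    run sysctl -w net.ipv4.ip_forward=1

    # Forward only new connections to the chosen ports, allow their replies,
    # and drop everything else from tun0 towards eth0 (FORWARD policy is ACCEPT).
    run iptables -A FORWARD -i tun0 -o eth0 -s "$VPN_NET" -p tcp \
        -m multiport --dports "$ALLOWED_TCP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i tun0 -o eth0 -j DROP
    # NAT the pool to eth0's address so the upstream gateway can route replies back.
    run iptables -t nat -A POSTROUTING -o eth0 -s "$VPN_NET" -j MASQUERADE
}

# Run with the gateway as the only argument; when sourced, only the functions are defined.
[ $# -eq 0 ] || setup_vpn_policy_routing "$1"
```

Review the generated command list with `DRY_RUN=1 sh vpn-egress.sh <gateway>` before applying it as root.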


Author: Gunnar

Updated on September 18, 2022

Comments

  • Gunnar (over 1 year ago)

    I can't figure it out.
    How do I give chosen VPN users access to the internet through eth0? All server traffic goes through eth1.
    The eth0 interface is only supposed to give VPN users internet access on chosen ports and nothing else.
    The users connect through eth1 and get assigned an IP in tun0 with individual configs; this is one of the users' ccd files:

    ifconfig-push 192.168.200.5 192.168.200.6
    push "redirect-gateway def1"

    The user config:

    client
    dev tun
    proto udp
    remote 192.168.0.55 1194
    resolv-retry infinite
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    tls-auth ta.key 1
    comp-lzo
    verb 3

    Server config:

    local 192.168.0.55
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    server 192.168.200.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-to-client
    keepalive 10 120
    tls-auth ta.key 0
    comp-lzo
    max-clients 10
    persist-key
    persist-tun

    My current iptables rules:

    # Flush all
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    # Allow all
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # Allow loopback
    iptables -A INPUT -i lo -j ACCEPT

    # Allow established connections on eth0, then block all other incoming on eth0
    # (the ACCEPT must come before the DROP, otherwise it is never reached)
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -j DROP

    Forwarding turned on:

    sysctl net.ipv4.ip_forward=1

    After hours on Google (https://community.openvpn.net/openvpn/wiki/BridgingAndRouting) I thought this was the correct way, but it doesn't work:

    # Allow traffic initiated from VPN to access "the world"
    iptables -I FORWARD -i tun0 -o eth0 -s 192.168.200.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow established traffic to pass back and forth
    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Masquerade traffic from VPN to "the world" -- done in the nat table
    iptables -t nat -I POSTROUTING -o eth0 -s 192.168.200.0/24 -j MASQUERADE


    Help is appreciated :)

    Network map http://s27.postimg.org/7do7o8ob7/network_map.gif