Share a VPN connection over WiFi


Routing

On host A you need to route all traffic for the destination network to host B. I will assume this is something like 192.168.0.0/24.

For Linux (on host A):

ip r a 192.168.0.0/24 via 10.9.8.3 dev eth0

For Windows (on host A):

route ADD 192.168.0.0 MASK 255.255.255.0 10.9.8.3

Forwarding

After routing is in place, all packets for the network 192.168.0.0/24 will be sent to host B.

To allow packets to be forwarded from wlp3s0 to tun0 on host B, you need to enable IP forwarding.

To temporarily enable IP forwarding for all interfaces:

sysctl net.ipv4.conf.all.forwarding=1

To enable this change permanently, add a new line to /etc/sysctl.conf:

net.ipv4.conf.all.forwarding = 1

In addition to the interface settings, iptables could be active and would need to allow packet forwarding.

To check if iptables is active (at least for the FORWARD chain):

iptables -L FORWARD -nv

If the chain has no rules and the policy says ACCEPT, you are good to go. If not, you need to add the relevant rules to allow forwarding for 192.168.0.0/24.

Allow forwarding of all packets to 192.168.0.0/24 on wlp3s0:

iptables -I FORWARD -i wlp3s0 -d 192.168.0.0/24 -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

The RELATED,ESTABLISHED rule automatically allows the return packets.

NAT

Now, after forwarding is set up, packets will be sent into the tunnel. But since the remote network behind the VPN does not know our local network, which is normally the case, we need to NAT all packets which come from our local network and go into the VPN to the address we got from the VPN server (which is the IP on tun0).

To do this, you need to create a MASQUERADE rule in the POSTROUTING table:

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

This will NAT all outgoing packets on tun0 to the interface's IP.
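The three steps above (forwarding, FORWARD rules, MASQUERADE) collected into one reviewable script for host B, as an added example that is not part of the answer. It prints the commands instead of applying them, so they can be read before being piped to a root shell, and it includes a check of `iptables -L FORWARD -nv` output that implements the "no rules and policy ACCEPT" test from the Forwarding section. The names wlp3s0, tun0 and 192.168.0.0/24 are the answer's; the function names and the two SAMPLE_* outputs are constructed here. The generated rules go slightly beyond the answer's by adding `-o tun0` and `-d DEST_NET`, so that only traffic bound for the VPN network is forwarded and masqueraded rather than everything that leaves tun0.

```shell
#!/bin/sh
# Added example, not from xx4h's answer. Builds the host-B gateway commands
# and checks FORWARD chain state. Interface/network names: from the answer.
# Function names and SAMPLE_* strings: constructed for this example.

# Print (do not apply) the commands that make host B forward and NAT traffic
# for DEST_NET arriving on LAN_IF into TUN_IF. Each iptables line first tries
# `-C` (check) so that re-running the script does not insert duplicate rules.
gen_gateway_rules() {
  lan_if=$1; tun_if=$2; dest_net=$3
  case "$dest_net" in
    */*) ;;   # CIDR required so the rules stay scoped to one network
    *) echo "error: DEST_NET must be CIDR, e.g. 192.168.0.0/24" >&2; return 1 ;;
  esac
  cat <<EOF
sysctl -w net.ipv4.conf.all.forwarding=1
iptables -C FORWARD -i $lan_if -o $tun_if -d $dest_net -j ACCEPT 2>/dev/null || iptables -I FORWARD -i $lan_if -o $tun_if -d $dest_net -j ACCEPT
iptables -C FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -C POSTROUTING -o $tun_if -d $dest_net -j MASQUERADE 2>/dev/null || iptables -t nat -I POSTROUTING -o $tun_if -d $dest_net -j MASQUERADE
EOF
}

# Read `iptables -L FORWARD -nv` output on stdin. Succeed (exit 0) only when
# the chain has no rules and its policy is ACCEPT, the "good to go" case;
# any rule line after the two header lines, or a non-ACCEPT policy, fails.
forward_chain_open() {
  awk 'NR == 1 { open = ($0 ~ /\(policy ACCEPT/) }
       NR > 2 && NF > 0 { open = 0 }
       END { exit(open ? 0 : 1) }'
}

# Constructed sample outputs in the format of `iptables -L FORWARD -nv`
# (not captured from a real host).
SAMPLE_FORWARD_OPEN='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

SAMPLE_FORWARD_DROP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# Stand-alone run: print the commands for the setup in the answer. Apply them
# only after reviewing, e.g.  gen_gateway_rules wlp3s0 tun0 192.168.0.0/24 | sudo sh
gen_gateway_rules wlp3s0 tun0 192.168.0.0/24
```

Before applying, `ip route get 192.168.0.1` on host B should already report `dev tun0`; the FORWARD rules only permit the packets, the routing decision comes from the routes the VPN client installed. The sysctl line is made persistent via /etc/sysctl.conf as the answer describes, but iptables rules are not kept across reboots on their own; save them with `iptables-save` and restore them at boot through the distribution's mechanism (for example the iptables-persistent package on Debian-based systems).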

Updated on September 18, 2022

Comments

  • Frank Kair
    Frank Kair over 1 year

    I've got two computers connected to the same router 10.9.8.1:

    • Computer A 10.9.8.2 runs Windows 10 Insider Preview. Insider Preview has VPN broken and can't be rolled back. :(
    • Computer B 10.9.8.3 runs Linux Mint and has a VPN connection set up via openconnect.

    Here's what ipconfig reports on B (fragment):

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:10.23.8.183  P-t-P:10.23.8.183  Mask:255.255.255.255
              inet6 addr: fe80::7fb2:5598:b02e:e541/64 Scope:Link
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
              RX packets:24 errors:0 dropped:0 overruns:0 frame:0
              TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:7005 (7.0 KB)  TX bytes:3243 (3.2 KB)
    
    wlp3s0    Link encap:Ethernet  HWaddr 60:67:20:36:6f:a4  
              inet addr:10.9.8.3  Bcast:10.9.8.255  Mask:255.255.255.0
              inet6 addr: fe80::8e96:7526:ff54:d1be/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:22511502 errors:0 dropped:0 overruns:0 frame:0
              TX packets:16052631 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:24451442281 (24.4 GB)  TX bytes:6038264731 (6.0 GB)
    

    I need to access resources behind VPN from computer A.

    I'm thinking of configuring routes on A in such a way so that it would access VPN resources through B while using the router directly for everything else.

    In the worst case, I can connect the two computers directly, but I would like to avoid that if possible.

    On Windows, I can simply mark any adapter as shared. But when I do the same thing on Linux, the adapter loses connectivity. Not sure how to do that correctly.

    • xx4h
      xx4h almost 6 years
      Set routes for the remote nets (behind B) on A (as you already mentioned). You need to enable forwarding on wlp3s0 via sysctl and maybe iptables/firewall. Additionally you may need to NAT outgoing connections on tun0 onto 10.23.8.183. If you get stuck, please update your question.
    • Frank Kair
      Frank Kair almost 6 years
      I'm not familiar with iptables. I tried to follow this guide very carefully: techytalk.info/… But no luck. :( From computer A, I do a traceroute and see that it hits computer B for resources-behind-VPN, but can't ping them. :(
  • Frank Kair
    Frank Kair almost 6 years
    It works! THANK YOU! tears of joy Likely, it's the FORWARD part that I was missing. PS Are you sure the sysctl directive is not net.ipv4.ip_forward? That's what other guides are saying. I used both.
  • xx4h
    xx4h almost 6 years
    Enabling net.ipv4.conf.all.forwarding will enable net.ipv4.ip_forward too.
  • Frank Kair
    Frank Kair almost 6 years
    I seem to lose some of this configuration on every reboot. Can you please update the answer with a recommended way to make the configuration persistent?
  • Shiplu Mokaddim
    Shiplu Mokaddim over 5 years
    The iptables rules will pass packets in wlp3s0 interface that are destined to 192.168.0.0/24. But how they will be passed to tun0 interface? Don't you need a separate routing table entry for this?
  • xx4h
    xx4h over 5 years
    Most of the time VPN servers push routes to the clients on connect. So, if the connection is successfully established from the client to the VPN server, the routes for the remote networks are in place.