Share a VPN connection over WiFi
Routing
On host A you need to route all traffic for the destination network to host B. I will assume this is something like 192.168.0.0/24.
For Linux (on host A):
ip r a 192.168.0.0/24 via 10.9.8.3 dev eth0
For Windows (on host A):
route ADD 192.168.0.0 MASK 255.255.255.0 10.9.8.3
Forwarding
After routing is in place, all packets for the network 192.168.0.0/24 will be sent to host B.
To allow packets to be forwarded from wlp3s0 to tun0 on host B, you need to enable IP forwarding.
To temporarily enable IP forwarding for all interfaces:
sysctl net.ipv4.conf.all.forwarding=1
To make this change permanent, add a new line to /etc/sysctl.conf:
net.ipv4.conf.all.forwarding = 1
In addition to the interface settings, iptables could be active and needs to allow packet forwarding.
To check if iptables is active (at least for the FORWARD chain):
iptables -L FORWARD -nv
If the chain has no rules and the policy says ACCEPT, you are good to go; if not, you need to add relevant rules to allow forwarding for 192.168.0.0/24.
Allow forwarding of all packets to 192.168.0.0/24 on wlp3s0:
iptables -I FORWARD -i wlp3s0 -d 192.168.0.0/24 -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
The RELATED,ESTABLISHED rule automatically allows the return packets.
NAT
Now, after forwarding is set up, packets will be sent into the tunnel. But since the remote network behind the VPN does not know our local network, which is normally the case, we need to NAT all packets which come from our local network and go into the VPN to the address we got from the VPN server (which is the IP on tun0).
To do this, you need to create a MASQUERADE rule in the POSTROUTING table:
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
This will NAT all outgoing packets on tun0 to the interface's IP.
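An added example, not part of the answer above: a POSIX shell script that renders the host-B steps (forwarding sysctl, FORWARD rules, MASQUERADE) as a reviewable command list and checks an `iptables -L FORWARD -nv` listing the way the answer describes (policy ACCEPT and no rules means nothing more is needed). The interface names and the 192.168.0.0/24 network are the answer's; the extra `-o tun0` restriction on the FORWARD rule and the two sample listings are my own constructed additions.

```shell
#!/bin/sh
# Added example (not from the answer): render the host-B steps as a reviewable
# command list and check a FORWARD-chain listing the way the answer describes.
LAN_IF=wlp3s0             # WiFi interface host B receives host A's traffic on
VPN_IF=tun0               # openconnect tunnel on host B
REMOTE_NET=192.168.0.0/24 # network behind the VPN (assumed, as in the answer)

# Print, rather than run, the commands for host B so they can be reviewed
# before being applied as root. The FORWARD ACCEPT rule adds "-o $VPN_IF"
# (my addition): traffic from the WiFi side may only be forwarded into the tunnel.
host_b_commands() {
    printf '%s\n' \
        "sysctl net.ipv4.conf.all.forwarding=1" \
        "iptables -I FORWARD -i $LAN_IF -o $VPN_IF -d $REMOTE_NET -j ACCEPT" \
        "iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -t nat -I POSTROUTING -o $VPN_IF -j MASQUERADE"
}

# Read an `iptables -L FORWARD -nv` listing on stdin. Returns 0 when the chain
# is "good to go" as the answer puts it (policy ACCEPT and no rules), 1 when
# the ACCEPT rules above are still needed. Line 1 carries the policy, line 2
# is the column header, every non-empty line after that is a rule.
forward_chain_open() {
    awk '
        NR == 1      { accept = ($0 ~ /policy ACCEPT/) }
        NR > 2 && NF { rules++ }
        END          { exit !(accept && rules == 0) }
    '
}

# Constructed sample listings (not captured from a real host).
OPEN_CHAIN='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

DROP_CHAIN='Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

host_b_commands
if printf '%s\n' "$OPEN_CHAIN" | forward_chain_open; then
    echo "sample listing 1: FORWARD chain open, no extra rule needed"
fi
if ! printf '%s\n' "$DROP_CHAIN" | forward_chain_open; then
    echo "sample listing 2: FORWARD chain filtered, add the ACCEPT rules"
fi
```

On a real host B, pipe the live listing in with `iptables -L FORWARD -nv | forward_chain_open` before deciding whether to apply the printed rules.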
Updated on September 18, 2022
Comments
-
Frank Kair over 1 year
I've got two computers connected to the same router 10.9.8.1:
- Computer A 10.9.8.2 runs Windows 10 Insider Preview. Insider Preview has VPN broken and can't be rolled back. :(
- Computer B 10.9.8.3 runs Linux Mint and has a VPN connection set up via openconnect.
Here's what ipconfig reports on B (fragment):
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.23.8.183  P-t-P:10.23.8.183  Mask:255.255.255.255
          inet6 addr: fe80::7fb2:5598:b02e:e541/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:7005 (7.0 KB)  TX bytes:3243 (3.2 KB)

wlp3s0    Link encap:Ethernet  HWaddr 60:67:20:36:6f:a4
          inet addr:10.9.8.3  Bcast:10.9.8.255  Mask:255.255.255.0
          inet6 addr: fe80::8e96:7526:ff54:d1be/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22511502 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16052631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24451442281 (24.4 GB)  TX bytes:6038264731 (6.0 GB)
I need to access resources behind VPN from computer A.
I'm thinking of configuring routes on A in such a way so that it would access VPN resources through B while using the router directly for everything else.
In the worst case, I can connect the two computers directly, but I would like to avoid that if possible.
On Windows, I can simply mark any adapter as shared. But when I do the same thing on Linux, the adapter loses connectivity. Not sure how to do that correctly.
-
xx4h almost 6 years
Set routes for the remote nets (behind B) on A (as you already mentioned). You need to enable forwarding on wlp3s0 via sysctl and maybe iptables/firewall. Additionally you may need to NAT outgoing connections on tun0 onto 10.23.8.183. If you get stuck, please update your question.
-
Frank Kair almost 6 years
I'm not familiar with iptables. I tried to follow this guide very carefully: techytalk.info/… But no luck. :( From computer A, I do a traceroute and see that it hits computer B for resources-behind-VPN, but can't ping them. :(
-
Frank Kair almost 6 years
It works! THANK YOU! tears of joy Likely, it's the FORWARD part that I was missing. PS Are you sure the sysctl directive is not net.ipv4.ip_forward? That's what other guides are saying. I used both.
-
xx4h almost 6 years
Enabling net.ipv4.conf.all.forwarding will enable net.ipv4.ip_forward too.
-
Frank Kair almost 6 years
I seem to lose some of this configuration on every reboot. Can you please update the answer with a recommended way to make the configuration persistent?
-
Shiplu Mokaddim over 5 years
The iptables rules will pass packets in the wlp3s0 interface that are destined to 192.168.0.0/24. But how will they be passed to the tun0 interface? Don't you need a separate routing table entry for this?
-
xx4h over 5 years
Most of the time VPN servers push routes to the clients on connect. So, if the connection is successfully established from the client to the VPN server, the routes for the remote networks are in place.