Gentoo Forums

iproute configuration and tunnels
mgnut57

Posted: Thu Aug 03, 2017 4:06 am    Post subject: iproute configuration and tunnels

I have been successfully using iproute2 to define a table, a rule and a route such that all the outgoing packets from a particular device are sent out via a VPN tunnel. At the endpoint of the tunnel, the packets are NATed, sent out, and the replies sent back.

To do this: I added a new table (in /etc/iproute2/rt_tables), then added a rule that referenced that table:
Code:
ip rule add from 192.168.91.70 table vpn1

and then added a route:
Code:
ip route add default dev tun1 table vpn1


This works because there is only one device at the far end of the tunnel, because my local system is an (OpenVPN) client to the VPN.

However, I now want to send the packets out via a different tunnel, in which there are multiple endpoints (my local machine is the OpenVPN server). Can anyone explain how I configure this? This doesn't work:
Code:
ip route add default via 10.1.1.10 dev tun2 table vpn2

because 10.1.1.10 is at the other end of the tunnel (my local IP address related to the tunnel is 10.1.1.1). The error message is:
Code:
RTNETLINK answers: Network is unreachable


So what's the iproute2 magic to achieve this? Or does it need some help from IPTABLES?
szatox

Posted: Thu Aug 03, 2017 8:20 pm

Don't use "default" as your target in the routing table. Use an actual network definition. Say, something along the lines of:
Code:
ip route add 10.1.1.0/24 via 10.1.1.10 dev tun2 table vpn2

You don't even need multiple tables here; you can define multiple rules in the default table.
With ip route it's also possible to define routing rules based on source IP, which comes in handy in case of multihomed machines. (You can use it to define a sort of reflective routing or to let an application decide which gateway it wants to be served by)
mgnut57

Posted: Thu Aug 03, 2017 10:04 pm

szatox wrote:
Don't use "default" as your target in routing table. Use actual network definition. Say, something along the lines of:
Code:
ip route add 10.1.1.0/24 via 10.1.1.10 dev tun2 table vpn2


I don't think that achieves my objective.

In case I did not make it clear enough, what I am trying to do is to have all outgoing packets that originate from a specific IP address be routed out via a specific IP address at the other end of the VPN tunnel, instead of via the normal gateway. The machine doing the routing is both the local VPN endpoint and the normal default gateway.

If, for example, the specific source IP address sends a packet to google (8.8.4.4), I want my firewall/router/local vpn endpoint to route the packets via a specific ip address which is at the other end of my VPN tunnel.
szatox

Posted: Sat Aug 05, 2017 8:47 am

Well, you can create a routing table for each IP on your machine, match them with source IPs, and insert a default route for every source IP into its matching table.
I think there was some trick to do that with a single routing table too (using src or from params), but it doesn't matter that much here.
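The per-source-IP table that szatox describes, applied to mgnut57's setup, as an added example that is not part of this thread or of anyone's posted configuration. The "Network is unreachable" error shows up when the kernel cannot resolve the gateway 10.1.1.10 as a next hop for table vpn2, so the script puts the tunnel subnet into that table before the default route (the "onlink" route flag, which skips that check, is the alternative). The addresses, the tunnel subnet 10.1.1.0/24, the LAN interface eth0 and the function names are assumptions taken from or added to the thread.

```shell
#!/bin/sh
# Policy routing for one LAN host through a tunnel on the OpenVPN *server*
# side. Constructed values (from the thread, adjust to your setup):
#   SRC   LAN host whose traffic must go through the tunnel   192.168.91.70
#   TUN   tunnel interface on this router                     tun2
#   PEER  VPN client at the far end that NATs the traffic     10.1.1.10
#   TNET  tunnel subnet, must contain PEER (assumed)          10.1.1.0/24
#   TABLE table name from /etc/iproute2/rt_tables             vpn2
#
# "default via PEER ... table TABLE" fails with "Network is unreachable"
# when PEER cannot be resolved as a next hop for that table, so the tunnel
# subnet is added to TABLE first ("onlink" on the default route is the
# alternative; it skips the next-hop check).
policy_route_cmds() {
    pr_src=$1 pr_tun=$2 pr_peer=$3 pr_tnet=$4 pr_table=$5
    # 1. make PEER reachable inside TABLE
    printf 'ip route replace %s dev %s table %s\n' "$pr_tnet" "$pr_tun" "$pr_table"
    # 2. only now is the default route through PEER accepted
    printf 'ip route replace default via %s dev %s table %s\n' \
        "$pr_peer" "$pr_tun" "$pr_table"
    # 3. drop a stale copy of the rule (ignore "not found"), then add it;
    #    "ip rule add" is not idempotent and would otherwise stack duplicates
    printf 'ip rule del from %s table %s 2>/dev/null || true\n' "$pr_src" "$pr_table"
    printf 'ip rule add from %s table %s\n' "$pr_src" "$pr_table"
}

# Run the generated commands (needs root); -e stops at the first failure.
policy_route_apply() {
    policy_route_cmds "$@" | sh -e -x
}

# Verify from the router, assuming the LAN side is eth0 (hypothetical):
# the answer must name "dev tun2" rather than the normal default gateway.
policy_route_check() {
    ip route get 8.8.4.4 from "$1" iif "${2:-eth0}"
}

# Only touch the live routing tables when explicitly asked to.
if [ "${PR_APPLY:-0}" = 1 ]; then
    policy_route_apply 192.168.91.70 tun2 10.1.1.10 10.1.1.0/24 vpn2
    policy_route_check 192.168.91.70
fi
```

Note that OpenVPN in server mode does not use the kernel's gateway address to choose a client; it dispatches packets leaving tun2 by destination address, so the client at 10.1.1.10 also needs an iroute in its client-config entry covering the destinations it is meant to forward, and NAT plus ip_forward enabled on its side.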