Gentoo Forums: Networking & Security
[solved] Problems with setting up a VPN gateway via net namespaces
musv (Advocate; Joined: 01 Dec 2002; Posts: 3237; Location: de)
Posted: Wed Jul 04, 2018 10:23 pm    Post subject: [solved] Problems with setting up a VPN gateway via net namespaces

Hi there,

I'm currently trying to set up an alternative gateway to use as a VPN connection gateway. To show what I want:

Code:

                                ----------------------------
                                | Router                   | 
            +------------------>| IP: 192.168.109.1        | → Internet
            |                   | External IP: 88.98.76.54 |
            |                   ----------------------------
            |                                ^
            |                                |
            |                                |
----------------------------    ----------------------------
| Computer 1               |    | NAS                      |
| IP: 192.168.109.20       |    | IP: 192.168.109.11       |
| Gateway: 192.168.109.1   |    | GW: 192.168.109.1        |
----------------------------    ----------------------------
| Namespace VPN            |    | Namespace VPN            |
| IP: 192.168.109.120      | →  | IP: 192.168.109.111      |
| Gateway: 192.168.109.111 |    | tun0: 10.96.123.45       |
----------------------------    | GW: 10.96.123.46         |
                                | External IP: 176.126.4.5 |
                                ----------------------------


What I want
Starting an application (e.g. Firefox) in normal context on a computer in my local network shall access the internet via the router and use the external IP given by my internet provider (88.98.76.54).

Starting an application within the VPN namespace should access my NAS in the VPN namespace and access the internet via the tun0 device and use the external IP given by a VPN provider (176.126.4.5).

What works
Logging into my NAS by SSH:
normal context:
curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
88.98.76.54


Using the VPN context:
VPN Namespace:
ip netns exec vpn curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
176.126.4.5


By using the bridge mode there's no need to setup a NAT router via iptables and ip forwarding.

What does not work
Using the NAS as the gateway from a computer in my LAN and using the VPN connection to access the internet. I can ping every machine in the LAN but can't access any external IP.
Code:
ip route add default via 192.168.109.111
ping 8.8.8.8


Setup
NAS
  • IP: 192.168.109.11
  • GW: 192.168.109.1

Code:

mkdir /etc/netns/vpn
echo "nameserver 8.8.8.8" > /etc/netns/vpn/resolv.conf
ip netns add vpn
# macvlan in bridge mode: vlan0 shares eth0's link, so the namespace appears as a second host on the LAN
ip link add vlan0 link eth0 type macvlan mode bridge
ip link set vlan0 netns vpn
ip netns exec vpn ip link set dev vlan0 up
# 192.168.109.111/24 as in the diagram above (the original line had 192.168.209.11, which is not on the LAN subnet)
ip netns exec vpn ip addr add 192.168.109.111/24 dev vlan0
ip netns exec vpn ip addr add 127.0.0.1/8 dev lo
ip netns exec vpn ip link set lo up
# temporary default route via the router so openvpn can reach its server; removed again once the tunnel is up
ip netns exec vpn ip route add default via 192.168.109.1
# the .ovpn config must daemonize (or the command be backgrounded), otherwise the next line never runs
ip netns exec vpn openvpn --config /etc/openvpn/vpn.ovpn
ip netns exec vpn ip route del default via 192.168.109.1

The remaining gateway is the one given by the VPN service.

route -n:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.96.123.46   128.0.0.0       UG    0      0        0 tun0
10.96.123.46   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.95.255.106   128.0.0.0       UG    0      0        0 tun0
176.126.85.12   192.168.109.1   255.255.255.255 UGH   0      0        0 vlan0
192.168.109.0   0.0.0.0         255.255.255.0   U     0      0        0 vlan0



This works so far. As written above, inside the netnamespace I have my VPN connection.

Computer X
The goal is to choose via a namespace the gateway in order to access the VPN if needed.
Code:
mkdir /etc/netns/vpn
echo "nameserver 8.8.8.8" > /etc/netns/vpn/resolv.conf
ip netns add vpn
ip link add vlan0 link eth0 type macvlan mode bridge
ip link set vlan0 netns vpn
ip netns exec vpn ip link set dev vlan0 up
# 192.168.109.120/24 as in the diagram above (the original line had 192.168.209.120, which is not on the LAN subnet)
ip netns exec vpn ip addr add 192.168.109.120/24 dev vlan0
ip netns exec vpn ip addr add 127.0.0.1/8 dev lo
ip netns exec vpn ip link set lo up
# default route points at the VPN namespace on the NAS instead of the router
ip netns exec vpn ip route add default via 192.168.109.111

The gateway is the IP of my NAS's VPN namespace.

route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.109.111 0.0.0.0         UG    0      0        0 vlan0
192.168.109.0   0.0.0.0         255.255.255.0   U     0      0        0 vlan0


And here starts the problem:
Code:
ip netns exec vpn ping 192.168.109.1
PING 192.168.109.1 (192.168.109.1) 56(84) bytes of data.
64 bytes from 192.168.109.1: icmp_seq=1 ttl=64 time=0.940 ms

ip netns exec vpn ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7179ms


What is wrong in my understanding?


Last edited by musv on Tue Jul 10, 2018 12:10 am; edited 1 time in total
musv
Posted: Tue Jul 10, 2018 12:10 am    Post subject: Got it

On the NAS (192.168.109.11)
First of all, I had to enable IP forwarding:
Code:
# net.ipv4.ip_forward is per network namespace; the forwarding happens inside the vpn namespace,
# so enable it there as well (ip netns exec vpn ...) if the namespace was created before this step
echo 1 > /proc/sys/net/ipv4/ip_forward


After that it's possible to use this computer as a gateway, because I'm using bridged mode. No NAT is needed.

Redirect the VPN traffic via tun0
https://unix.stackexchange.com/questions/283801/iptables-forward-traffic-to-vpn-tunnel-if-open

Code:
# inside the vpn namespace the LAN-facing interface is vlan0 (eth0 stays in the root namespace);
# with -i/-o eth0 the two FORWARD rules never match and only the chain's default policy applies
ip netns exec vpn iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
ip netns exec vpn iptables -I FORWARD 1 -i tun0 -o vlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip netns exec vpn iptables -I FORWARD 1 -i vlan0 -o tun0 -j ACCEPT


That's all. Now I can use different gateways on the client computers inside my local network to send packets either via the regular network or via the VPN connection.

on a client:
curl ifconfig.co/ip
88.180.12.34
ip netns exec vpn curl ifconfig.co/ip
176.120.12.34


What more has to be done
If the VPN connection on the NAS is lost, e.g. the openvpn process is killed, the connection will be established via the regular connection. A workaround, or maybe the solution, is to delete the default route. But in that case, of course, OpenVPN isn't able to re-establish the connection.
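A fail-closed version of the NAS-side forwarding rules from the last two posts, together with two audit helpers, as an added example that is not the poster's own script. It assumes the names used in the thread (namespace "vpn", LAN-side macvlan "vlan0", OpenVPN tunnel "tun0") and targets the problem under "What more has to be done": with the FORWARD policy set to DROP, client traffic is only ever forwarded into the tunnel, so nothing falls back to the regular router when openvpn dies.

```shell
#!/bin/sh
# Fail-closed forwarding for the NAS "vpn" namespace, plus two audit helpers.
# Added example (not the poster's script); names assumed from the thread:
# namespace "vpn", LAN-side macvlan "vlan0", OpenVPN tunnel "tun0".
set -eu
NS=${NS:-vpn}; LAN_IF=${LAN_IF:-vlan0}; TUN_IF=${TUN_IF:-tun0}
in_ns() { ip netns exec "$NS" "$@"; }

# Forward LAN traffic into the tunnel only. With policy DROP, client packets
# are discarded inside the namespace when tun0 disappears (openvpn killed)
# instead of being forwarded back out of vlan0 towards the regular router.
install_forwarding_rules() {
    in_ns sysctl -w net.ipv4.ip_forward=1   # ip_forward is per network namespace
    in_ns iptables -t nat -F POSTROUTING
    in_ns iptables -t nat -A POSTROUTING -o "$TUN_IF" -j MASQUERADE
    in_ns iptables -F FORWARD
    in_ns iptables -P FORWARD DROP
    in_ns iptables -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT
    in_ns iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# 0 when the "ip route" text in $1 sends default traffic through the tunnel.
# OpenVPN's redirect-gateway def1 pushes 0.0.0.0/1 and 128.0.0.0/1 (as in the
# route -n output above) rather than one default route, so both forms count.
default_via_tunnel() {
    printf '%s\n' "$1" |
        grep -Eq "^(default|0\.0\.0\.0/1) via [0-9.]+ dev $TUN_IF"'( |$)'
}

# 0 when the "iptables -S FORWARD" text in $1 fails closed: policy DROP and
# no ACCEPT rule that forwards without the tunnel on one side.
forward_fails_closed() {
    printf '%s\n' "$1" | grep -q -e '^-P FORWARD DROP$' || return 1
    ! printf '%s\n' "$1" | grep -e '-j ACCEPT' | grep -Ev -e "-(i|o) $TUN_IF "
}

case "${1:-}" in
    apply) install_forwarding_rules ;;
    audit) if default_via_tunnel "$(in_ns ip route)" &&
              forward_fails_closed "$(in_ns iptables -S FORWARD)"; then
               echo "ok: client traffic is forwarded only through $TUN_IF"
           else
               echo "leak risk: route or FORWARD chain bypasses $TUN_IF" >&2; exit 1
           fi ;;
esac
```

Run it as root on the NAS with `apply` once the tunnel is up, and with `audit` (e.g. from cron) to get a non-zero exit whenever forwarded client traffic could leave via vlan0 and the regular router.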
All times are GMT.