Double VPN. How to route traffic from one tun interface through another tun?
There are 3 network interfaces on the server:
eth0 - Internet
tun1 - openvpn server (10.8.1.1/24)
tun2s1 - tun2socks interface connected via eth0 (10.9.1.1/24)
I need traffic from tun1 to go through tun2s1.
Sample scheme: Client -> tun1 -> tun2s1 -> eth0
If you execute the command curl --interface tun2s1 http://site.com, then the request is made correctly, that is, tun2s1 is connected correctly. The problem is connecting tun1 and tun2s1 interfaces.
Here are the iptables rules I used to connect via eth0:
iptables -A FORWARD -o eth0 -i tun1 -s 10.8.1.1/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
I have such a bug.
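# Register routing table 100 under the name "vpn"
echo "100 vpn" >> /etc/iproute2/rt_tables
echo 1 > /proc/sys/net/ipv4/ip_forward
# Subnet of the OpenVPN clients arriving on tun1 (adjust to your own)
export VPN_NET="10.10.10.0/24"
export VPN_IFACE="tun1"
export VPN_OFACE="tun2s1"
# Mark in the mangle table: the nat table is only consulted for the first packet of a connection
iptables -t mangle -A PREROUTING -s $VPN_NET -i $VPN_IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A PREROUTING -s $VPN_NET -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A PREROUTING -s $VPN_NET -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
# Source-NAT client traffic that leaves through tun2s1
iptables -t nat -A POSTROUTING -s $VPN_NET -o $VPN_OFACE -j MASQUERADE
# Packets carrying mark 1 use table "vpn", whose only route is a default via tun2s1
ip rule add fwmark 1 table vpn
ip route add default dev $VPN_OFACE table vpn
ip route flush cache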
iproute will help you
Firewall marks traffic, masquerades ... And routes are iproute
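An offline check for the setup discussed in this thread, added here as an example and not part of the original posts: it audits the text of ip rule show, ip route show table vpn and iptables-save for the fwmark rule, the tun2s1 default route, the table the MARK rule sits in, and any direct tun1 -> eth0 ACCEPT that would let client traffic skip the second hop. Interface names, table vpn and mark 1 are taken from the thread; the audit function and all SAMPLE_* text (including the FORWARD DROP rule) are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline audit of a tun1 -> tun2s1 forwarding chain.
# Interface names come from the question; SAMPLE_* text is constructed.
IN_IF=tun1 OUT_IF=tun2s1 WAN_IF=eth0 TABLE=vpn MARK=0x1

SAMPLE_RULES='0:	from all lookup local
32765:	from all fwmark 0x1 lookup vpn
32766:	from all lookup main'
SAMPLE_ROUTES='default dev tun2s1 scope link'
SAMPLE_IPTABLES='*mangle
-A PREROUTING -s 10.8.1.0/24 -i tun1 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*nat
-A POSTROUTING -s 10.8.1.0/24 -o tun2s1 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tun1 -o eth0 -j DROP
-A FORWARD -i tun1 -o tun2s1 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# audit RULES ROUTES IPTABLES: text of `ip rule show`,
# `ip route show table vpn` and `iptables-save`. Returns 0 if no finding.
audit() {
  fail=0
  printf '%s\n' "$1" | grep -q "fwmark $MARK lookup $TABLE" ||
    { echo "FAIL: no 'fwmark $MARK lookup $TABLE' policy rule"; fail=1; }
  printf '%s\n' "$2" | grep -Eq "^default .*dev $OUT_IF( |\$)" ||
    { echo "FAIL: table $TABLE has no default route via $OUT_IF"; fail=1; }
  # Record which table each PREROUTING MARK rule lives in.
  marks=$(printf '%s\n' "$3" | awk '
    /^\*/ { t = substr($0, 2) }
    /^-A PREROUTING .*-j MARK / { print t }')
  case "$marks" in
    *mangle*) ;;
    *nat*) echo "FAIL: MARK only in nat, which sees just the first packet of a connection"; fail=1 ;;
    *) echo "FAIL: no PREROUTING MARK rule"; fail=1 ;;
  esac
  # A direct tun1 -> eth0 ACCEPT lets client traffic skip the second hop.
  printf '%s\n' "$3" | grep -E '^-A FORWARD .*-j ACCEPT' |
    grep -e "-i $IN_IF " | grep -q -e "-o $WAN_IF " &&
    { echo "FAIL: FORWARD accepts $IN_IF -> $WAN_IF"; fail=1; }
  return $fail
}

audit "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_IPTABLES" && echo "PASS: sample state is consistent"
```

On a live host, call it with the real output instead of the samples: audit "$(ip rule show)" "$(ip route show table vpn)" "$(iptables-save)".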