Cannot Route Traffic through Client Mode OpenVPN Interface to Internet

proxmox
snat
vpn
openvpn
nat

#1

I’ve been at this for a little over a week. I’m not a professional in the field, so bear with me.

In short, how do I get client traffic to route through an OpenVPN client interface to the internet?

At the bottom of this post is my configuration, which I created by following the VyOS Wiki User Guide and related documentation, as well as various forums related to VyOS, Vyatta, Ubiquiti, and other Vyatta variants.


What am I trying to achieve?

Let me start by explaining the setup I’m looking to achieve, and then I’ll explain the issues I’m having.

The idea is to have VyOS act as an OpenVPN Client. The traffic for all devices connected to VyOS should then be routed through the OpenVPN service.

This OpenVPN Service is an arbitrary service; this could be PIA, NordVPN, TorGuard, IPVanish, ExpressVPN or others.

   [OpenVPN Service] <(vtun0)
         ||
     [Internet]
         ||
      /Primary\
      \Gateway/ <(eth0)
         ||
       [VyOS]
       __||__ <(eth1)
      |      |
     [1]    [2]

DHCP on eth0 leases 10.0.0.0/16 (Internet-Connected Router)
DHCP on eth1 leases 10.1.1.128/25 (VyOS)
DHCP on vtun0 leases 10.26.10.0/16 (OpenVPN Service)

Describing The Issue

With vtun0 DISABLED

In this scenario, VyOS can ping and curl websites successfully. Its public IPv4 address is the same as eth0’s (the public-facing router).

Devices connected to VyOS are able to successfully resolve DNS requests and can curl and ping websites successfully, also sharing the public IPv4 address of eth0 (the public-facing router).

vyos@vyos# set interfaces openvpn vtun0 disable
[edit]

vyos@vyos# commit
[edit]

vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.0.1.166/16                     u/u  OUTSIDE 
eth1             10.1.1.1/24                       u/u  INSIDE 
lo               127.0.0.1/8                       u/u  
                 ::1/128

vyos@vyos# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        *               255.255.0.0     U         0 0          0 eth0
10.1.1.0        *               255.255.255.0   U         0 0          0 eth1
loopback        *               255.0.0.0       U         0 0          0 lo

With vtun0 ENABLED

In this scenario, VyOS can ping and curl websites successfully. Its public IPv4 address is the same as vtun0’s (the OpenVPN service’s IP address).

Traffic from clients is able to retrieve DNS results (when their DNS servers are set to VyOS’ 10.1.1.1 gateway); however, pings and curls fail with 100% packet loss.

vyos@vyos# delete interfaces openvpn vtun0 disable
[edit]

vyos@vyos# commit
[edit]

vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.0.1.166/16                     u/u  OUTSIDE 
eth1             10.1.1.1/24                       u/u  INSIDE 
lo               127.0.0.1/8                       u/u  
                 ::1/128
vtun0            10.26.10.6                        u/u  

vyos@vyos# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.26.10.5      128.0.0.0       UG        0 0          0 vtun0
default         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        *               255.255.0.0     U         0 0          0 eth0
10.1.1.0        *               255.255.255.0   U         0 0          0 eth1
10.1.1.128      *               255.255.255.128 U         0 0          0 vtun0
10.26.10.1      10.26.10.5      255.255.255.255 UGH       0 0          0 vtun0
10.26.10.5      *               255.255.255.255 UH        0 0          0 vtun0
loopback        *               255.0.0.0       U         0 0          0 lo
128.0.0.0       10.26.10.5      128.0.0.0       UG        0 0          0 vtun0
VPN_PUB_IPv4    10.0.0.1        255.255.255.255 UGH       0 0          0 eth0

Current VyOS Configuration:

/config/config.boot
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable

    name IN-OUT {
        default-action accept
        rule 20 {
            action drop
            description "Prevent access to 10.0.0.0/24 addresses"
            destination {
                address 10.0.0.0/24
            }
            state {
                new enable
            }
        }
    }

    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }

    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
    }

    name vtun0-inbound {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name vtun0-local {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description OUTSIDE
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
            out {
                name IN-OUT
            }
        }
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.1.1.1/24
        description INSIDE
        duplex auto
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        authentication {
            password "**********"
            username "**********"
        }
        firewall {
            in {
                name vtun0-inbound
            }
            local {
                name vtun0-local
            }
        }
        disable
        encryption aes256
        mode client
        openvpn-option "--verb 1"
        openvpn-option --disable-occ
        openvpn-option "--reneg-sec 0"
        openvpn-option "--remote-cert-tls server"
        openvpn-option "--resolv-retry infinite"
        openvpn-option --persist-key
        openvpn-option "--auth sha256"
        persistent-tunnel
        protocol udp
        remote-host 255.255.255.255
        remote-port 65535
        tls {
            ca-cert-file /config/auth/ca.crt
            crl-file /config/auth/crl.pem
        }
        use-lzo-compression
    }
}
nat {
    source {
        rule 50 {
            outbound-interface vtun0
            source {
                address 10.1.1.128/25
            }
            translation {
                address masquerade
            }
        }
        rule 100 {
            outbound-interface eth0
            source {
                address 10.1.1.0/25
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route 10.1.1.128/25 {
            next-hop-interface vtun0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN {
            authoritative disable
            subnet 10.1.1.1/24 {
                default-router 10.1.1.1
                dns-server 10.1.1.1
                domain-name internal-network
                lease 86400
                start 10.1.1.128 {
                    stop 10.1.1.254
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 0
            listen-on eth1
            name-server 1.1.1.1
            name-server 1.0.0.1
        }
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password "**********"
                plaintext-password "**********"
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password "**********"
            url http://packages.vyos.net/vyos
            username "**********"
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.8 */
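An added example, not part of the original post: a small route-lookup helper that applies the kernel's longest-prefix matching to the two netstat -r tables shown above (re-typed as constructed Python data; the redacted VPN_PUB_IPv4 host route is omitted), so you can see which interface a packet to a given destination, including a reply to a DHCP-leased client in 10.1.1.128-254, leaves on in each scenario.

```python
import ipaddress
from collections import Counter

# Routing table constructed from the post's `netstat -r` output with vtun0 DISABLED:
# (destination, genmask, gateway or None, interface). "default"/"loopback" spelled out.
ROUTES_VTUN0_DISABLED = [
    ("0.0.0.0",   "0.0.0.0",       "10.0.0.1", "eth0"),
    ("10.0.0.0",  "255.255.0.0",   None,       "eth0"),
    ("10.1.1.0",  "255.255.255.0", None,       "eth1"),
    ("127.0.0.0", "255.0.0.0",     None,       "lo"),
]

# Same table with vtun0 ENABLED: OpenVPN's two /1 routes plus the host routes and the
# static interface-route for 10.1.1.128/25 from the configuration above.
ROUTES_VTUN0_ENABLED = ROUTES_VTUN0_DISABLED + [
    ("0.0.0.0",    "128.0.0.0",       "10.26.10.5", "vtun0"),
    ("128.0.0.0",  "128.0.0.0",       "10.26.10.5", "vtun0"),
    ("10.1.1.128", "255.255.255.128", None,         "vtun0"),
    ("10.26.10.1", "255.255.255.255", "10.26.10.5", "vtun0"),
    ("10.26.10.5", "255.255.255.255", None,         "vtun0"),
]


def lookup(routes, dst):
    """Return (interface, gateway) for dst using longest-prefix match, as the kernel does."""
    addr = ipaddress.IPv4Address(dst)
    best = None  # (network, gateway, interface) of the most specific matching route
    for dest, mask, gw, iface in routes:
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[2], best[1]) if best else (None, None)


def reply_interface_by_lease(routes, start, stop):
    """Count, over the DHCP pool [start, stop], which interface a reply to each client exits on."""
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(stop))
    return Counter(lookup(routes, str(ipaddress.IPv4Address(i)))[0]
                   for i in range(first, last + 1))


if __name__ == "__main__":
    for name, table in (("disabled", ROUTES_VTUN0_DISABLED), ("enabled", ROUTES_VTUN0_ENABLED)):
        print(f"vtun0 {name}: 1.1.1.1 -> {lookup(table, '1.1.1.1')}, "
              f"10.1.1.200 -> {lookup(table, '10.1.1.200')}, "
              f"replies to pool: {dict(reply_interface_by_lease(table, '10.1.1.128', '10.1.1.254'))}")
```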