I’ve been at this for a little over a week. I’m not a professional in the field, so bear with me.
In short, how do I get client traffic to route through an OpenVPN client interface to the internet?
At the bottom of this post is my configuration, which I created by following the VyOS Wiki User Guide and related documentation, as well as various forums related to VyOS, Vyatta, Ubiquiti, and other Vyatta variants.
What am I trying to achieve?
Let me start by explaining the setup I’m looking to achieve, and then I’ll explain the issues I’m having.
The idea is to have VyOS act as an OpenVPN Client. The traffic for all devices connected to VyOS should then be routed through the OpenVPN service.
This OpenVPN Service is an arbitrary service; this could be PIA, NordVPN, TorGuard, IPVanish, ExpressVPN or others.
[OpenVPN Service] <(vtun0)
||
[Internet]
||
/Primary\
\Gateway/ <(eth0)
||
[VyOS]
__||__ <(eth1)
| |
[1] [2]
DHCP on eth0 leases 10.0.0.0/16 (Internet-Connected Router)
DHCP on eth1 leases 10.1.1.128/25 (VyOS)
DHCP on vtun0 leases 10.26.10.0/16 (OpenVPN Service)
Describing The Issue
With vtun0 DISABLED
In this scenario, VyOS can ping and curl websites successfully. Its public IPv4 address is the same as eth0’s (the public-facing router).
Devices connected to VyOS are able to successfully resolve DNS requests and can curl and ping websites successfully, also sharing the public IPv4 address of eth0 (the public-facing router).
vyos@vyos# set interfaces openvpn vtun0 disable
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.0.1.166/16                     u/u  OUTSIDE
eth1             10.1.1.1/24                       u/u  INSIDE
lo               127.0.0.1/8                       u/u
                 ::1/128
vyos@vyos# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        *               255.255.0.0     U         0 0          0 eth0
10.1.1.0        *               255.255.255.0   U         0 0          0 eth1
loopback        *               255.0.0.0       U         0 0          0 lo
With vtun0 ENABLED
In this scenario, VyOS can ping and curl websites successfully. Its public IPv4 address is the same as vtun0’s (the OpenVPN service’s IP address).
Traffic from clients is able to retrieve DNS results (when their DNS servers are set to VyOS’ 10.1.1.1 gateway); however, pings and curls fail with 100% packet drop.
vyos@vyos# delete interfaces openvpn vtun0 disable
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.0.1.166/16                     u/u  OUTSIDE
eth1             10.1.1.1/24                       u/u  INSIDE
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun0            10.26.10.6                        u/u
vyos@vyos# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.26.10.5      128.0.0.0       UG        0 0          0 vtun0
default         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        *               255.255.0.0     U         0 0          0 eth0
10.1.1.0        *               255.255.255.0   U         0 0          0 eth1
10.1.1.128      *               255.255.255.128 U         0 0          0 vtun0
10.26.10.1      10.26.10.5      255.255.255.255 UGH       0 0          0 vtun0
10.26.10.5      *               255.255.255.255 UH        0 0          0 vtun0
loopback        *               255.0.0.0       U         0 0          0 lo
128.0.0.0       10.26.10.5      128.0.0.0       UG        0 0          0 vtun0
VPN_PUB_IPv4    10.0.0.1        255.255.255.255 UGH       0 0          0 eth0
Current VyOS Configuration:
/config/config.boot
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name IN-OUT {
        default-action accept
        rule 20 {
            action drop
            description "Prevent access to 10.0.0.0/24 addresses"
            destination {
                address 10.0.0.0/24
            }
            state {
                new enable
            }
        }
    }
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
    }
    name vtun0-inbound {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name vtun0-local {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description OUTSIDE
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
            out {
                name IN-OUT
            }
        }
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.1.1.1/24
        description INSIDE
        duplex auto
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        authentication {
            password "**********"
            username "**********"
        }
        firewall {
            in {
                name vtun0-inbound
            }
            local {
                name vtun0-local
            }
        }
        disable
        encryption aes256
        mode client
        openvpn-option "--verb 1"
        openvpn-option --disable-occ
        openvpn-option "--reneg-sec 0"
        openvpn-option "--remote-cert-tls server"
        openvpn-option "--resolv-retry infinite"
        openvpn-option --persist-key
        openvpn-option "--auth sha256"
        persistent-tunnel
        protocol udp
        remote-host 255.255.255.255
        remote-port 65535
        tls {
            ca-cert-file /config/auth/ca.crt
            crl-file /config/auth/crl.pem
        }
        use-lzo-compression
    }
}
nat {
    source {
        rule 50 {
            outbound-interface vtun0
            source {
                address 10.1.1.128/25
            }
            translation {
                address masquerade
            }
        }
        rule 100 {
            outbound-interface eth0
            source {
                address 10.1.1.0/25
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route 10.1.1.128/25 {
            next-hop-interface vtun0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN {
            authoritative disable
            subnet 10.1.1.1/24 {
                default-router 10.1.1.1
                dns-server 10.1.1.1
                domain-name internal-network
                lease 86400
                start 10.1.1.128 {
                    stop 10.1.1.254
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 0
            listen-on eth1
            name-server 1.1.1.1
            name-server 1.0.0.1
        }
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password "**********"
                plaintext-password "**********"
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password "**********"
            url http://packages.vyos.net/vyos
            username "**********"
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.8 */