Routing packets from interfaces through openvpn tunnel


#1

Hello,

I’m trying to route traffic from my internal network through an OpenVPN tunnel using policy-based routing, but it doesn’t seem to work: my route is not created. Here’s my config file:

interfaces {
    ethernet eth0 {
        address 192.168.10.254/27
        description INSIDE
        duplex auto
        hw-id 00:0c:29:3c:26:a9
        policy {
            route FILTER-EXTERNAL
        }
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description OUTSIDE
        duplex auto
        hw-id 00:0c:29:3c:26:b3
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        encryption aes256
        mode client
        protocol tcp-active
        remote-host xxx.xxx.xxx.xxx
        remote-port 443
        tls {
            ca-cert-file /config/auth/ovpn/ca.crt
            cert-file /config/auth/ovpn/client.crt
            key-file /config/auth/ovpn/client.key
        }
        use-lzo-compression
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth1
            source {
                address 192.168.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    route FILTER-EXTERNAL {
        rule 1000 {
            destination {
            }
            set {
                table 100
            }
            source {
                address 192.168.10.0
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.240.14.1 {
                distance 1
            }
        }
        route 10.0.0.0/8 {
            next-hop 10.240.14.1 {
                distance 1
            }
        }
        table 100 {
            route 0.0.0.0/0 {
                next-hop 192.168.200.1 {
                }
            }
        }
    }
}

And now the routing table:

vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [210/0] via 10.240.14.1, eth1
S>* 10.0.0.0/8 [1/0] via 10.240.14.1, eth1
C>* 10.240.14.0/24 is directly connected, eth1
C>* 127.0.0.0/8 is directly connected, lo
K>* 192.168.2.0/24 via 192.168.200.1, vtun0
C>* 192.168.10.224/27 is directly connected, eth0
C>* 192.168.200.0/24 is directly connected, vtun0

Any idea what might be wrong? Maybe a conflict with NAT, but I need it.

Thanks!


#3

Is that part wrong? Wouldn’t it need to be 192.168.10.224/27?


#4

Hello, @jbosco!
First of all, use the following command to check routing tables other than the default:

show ip route table 100

Also, it seems that you need:

  1. outbound-interface any in source nat rule;
  2. source address 192.168.10.224/27 in policy, as said @kroy.

Check this, and get back to us if something still goes wrong.
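To show why the bare source address in the original policy never matches hosts on eth0, here is a small simulation of the router's decision (added example, not VyOS code or anything from the posters): policy lookup picks the table, then longest-prefix match inside that table. The prefixes, next hops and table 100 come from the posted config; the main-table ID 254 and the simulation itself are my assumptions.

```python
import ipaddress

# Constructed from the thread: a policy route is a list of (source match, table).
# A bare address in "source address" is a /32 host match, so 192.168.10.0
# never matches a host in 192.168.10.224/27 (192.168.10.224-255).
WRONG_POLICY = [("192.168.10.0", 100)]          # as posted in #1
FIXED_POLICY = [("192.168.10.224/27", 100)]     # as suggested in #3 and #4

# Routing tables as (prefix, next-hop, interface). Linux's main table is 254
# (assumption for the simulation); table 100 is the one set by the policy.
TABLES = {
    254: [
        ("0.0.0.0/0", "10.240.14.1", "eth1"),
        ("10.0.0.0/8", "10.240.14.1", "eth1"),
        ("10.240.14.0/24", None, "eth1"),
        ("192.168.10.224/27", None, "eth0"),
        ("192.168.200.0/24", None, "vtun0"),
    ],
    100: [
        ("0.0.0.0/0", "192.168.200.1", "vtun0"),
    ],
}


def select_table(src, policy, default=254):
    """Policy-based routing step: the first source rule that matches picks the table."""
    ip = ipaddress.ip_address(src)
    for match, table in policy:
        # strict=False mirrors how a bare address is accepted and treated as a /32
        if ip in ipaddress.ip_network(match, strict=False):
            return table
    return default


def lookup(dst, table):
    """Longest-prefix match within one table; returns (next_hop, interface)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return (best[1], best[2]) if best else None


def route(src, dst, policy):
    """Full decision for one packet: (table used, (next_hop, interface))."""
    table = select_table(src, policy)
    return table, lookup(dst, table)


if __name__ == "__main__":
    for name, pol in (("wrong", WRONG_POLICY), ("fixed", FIXED_POLICY)):
        print(name, route("192.168.10.227", "8.8.8.8", pol))
```

With the posted policy a host such as 192.168.10.227 stays in the main table and leaves via eth1; with the /27 match it lands in table 100 and goes out vtun0.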


#5

There’s a typo in the source address:

source { address 192.168.10.0/27 }

I want to redirect traffic from hosts in this subnet which is on my eth0 interface.

The route seems to be here, but no host on my 192.168.10.0 network can ping the other end of the tunnel.

vyos@vyos:~$ show ip route table 100
table 100:

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 192.168.200.1, vtun0

[UPDATE]: OK, I’ve changed the NAT outbound-interface to any and now I can ping the other end of the tunnel. Thanks! Pinging a public IP doesn’t work. If I traceroute to 8.8.8.8, traffic uses the OpenVPN tunnel and after that it finds nothing:

user@192.168.10.227:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.10.254 (192.168.10.254)  1.190 ms  0.501 ms  0.440 ms
 2  192.168.200.1 (192.168.200.1)  15.631 ms  29.797 ms  29.358 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *

I’m pretty sure I need to add a route for my network on the OpenVPN server so the response is correctly routed. I’ll keep you updated.

[UPDATE 2]: I’ve added a route back to my local network on my OpenVPN server, set up NAT, and it worked. Thank you for your help!

