So I have a working openvpn client configuration, through the tun2 interface.
I create a network namespace, called vpn_ns, and a veth - vpeer pair, named vpn_veth and vpn_vpeer. Then I put vpn_vpeer inside the namespace, and assign the following addresses:
vpn_veth: 192.168.100.1/24
vpn_vpeer: 192.168.100.2/24
Then I start openvpn with the --route-nopull option, because I don't want all my traffic going to the VPN server, just the traffic started in the vpn_ns namespace.
The VPN provider gives me addresses like these: local = 10.10.10.1, peer = 10.10.10.2.
What I want to do now is grab all the traffic generated inside the namespace (it goes in via vpn_vpeer) that comes out from vpn_veth, redirect it to tun2 and send it to the internet through the VPN server. Then for the incoming traffic coming from tun2, redirect it all to vpn_veth so that it comes up from vpn_vpeer, so that the applications in the namespace can transparently communicate with the internet only through the VPN, while the applications outside this namespace can only (or will preferably) do that normally through the normal enp2s0 interface (the old eth0).
I tested vpn_veth and vpn_vpeer and traffic goes in and out normally. The problem is linking vpn_vpeer with tun2. I don't understand how to correctly set up iptables to forward packets.
The first thing I do is create the default route inside the namespace, so that all traffic comes out from vpn_veth:
ip route add default via 192.168.100.1 dev vpn_vpeer
Then I added these iptables rules (it was ACCEPT by default, but just to be sure...):
Chain INPUT (policy ACCEPT 107K packets, 147M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- vpn_veth tun2 anywhere anywhere
0 0 ACCEPT all -- tun2 vpn_veth anywhere anywhere
Chain OUTPUT (policy ACCEPT 57533 packets, 3665K bytes)
pkts bytes target prot opt in out source destination
Then I tried:
iptables -t nat -A PREROUTING -i vpn_veth -j DNAT --to 10.10.10.1
iptables -t nat -A PREROUTING -i tun2 -d 192.168.100.2 -j DNAT --to 192.168.100.1
iptables -t nat -A POSTROUTING -o vpn_veth -j SNAT --to 192.168.100.1
iptables -t nat -A PREROUTING -i vpn_veth -j DNAT --to 192.168.100.2
iptables -t nat -A POSTROUTING -o vpn_veth -j MASQUERADE
And other ones that I don't remember. Basically with every one of them, except I think the one with MASQUERADE, I can ping 8.8.8.8 but can't curl anything. With Wireshark I can see nothing on the tun2 interface, and just a TCP reset frame on the vpn_veth interface every time I try, and the curl command tells me:
curl: (7) Failed to connect to 153.121.72.211 port 80: Connection refused
(this IP is ifconfig.me; I also tried other addresses)
Obviously I enabled packet forwarding with sysctl net.ipv4.ip_forward=1, on all interfaces to be sure.
Could someone help me?
Last edited by xnand (2017-09-14 16:54:24)
I think the easiest might be to use a rule. In vpn_ns, you set a default route to get out via vpn_vpeer, as you said:
ip route add default via 192.168.100.1 dev vpn_vpeer
Now inside your "main" network namespace, you need to forward everything that comes from there via tun2, so create a rule specific to everything that comes from vpn_veth, and a default route for it:
ip rule add iif vpn_veth table 333 priority 30000
ip route add default via 10.10.10.2 dev tun2 table 333
(table number 333 is random; prio 30000 just needs to be before main, which is at 32766)
Of course you'll need to masquerade everything out of tun2:
iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE
And I think that should work. (Well, you also need to allow packet forwarding & accept FORWARD in iptables of course, but that seems to be the case already.)
Working like a charm! I didn't know about ip rule until now, so nice.
Thank you.
So just in case, I'm not sure what happens when your VPN goes down, but if the tun2 interface goes away then that default route might be removed as well, in which case the traffic from vpn_ns would be routed in plain via your enp2s0 (since it would go to table main, like everything else), which I'm guessing might not be what you want.
In which case you might want to avoid that with something like:
ip rule add iif vpn_veth table 444 priority 31000
ip route add unreachable default table 444
Well, I made a script to handle the tun2 interface going up, in which I put the things I described here, and another script to handle the VPN going down that will delete the namespace, disable packet forwarding, delete iptables rules, etc. These are the ones called by openvpn. So in this case I think the applications started from inside the namespace will close, or at least will not be able to access the internet. Didn't try yet though! I'm going to try and optimize everything in the following evenings, and also read the manual for ip rule. I'll keep your commands in mind, thank you very much for the suggestion.
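The policy-routing setup from the reply above, together with the "unreachable" fallback table from the follow-up, as one added example script for openvpn's up/down hooks (this is not code from the thread). It reuses the thread's names, addresses and table numbers; the stateful FORWARD rule, the subnet-restricted MASQUERADE and the DRY_RUN switch are additions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: the policy-routing setup from the two
# replies above as one script for openvpn's --up/--down hooks. Names and
# addresses are the thread's; DRY_RUN=1 prints the commands instead of running them.
set -eu

NS=vpn_ns; VETH=vpn_veth; VPEER=vpn_vpeer; TUN=tun2
HOST_IP=192.168.100.1; NS_NET=192.168.100.0/24
VPN_GW=10.10.10.2            # "peer" address handed out by the VPN provider
VPN_TABLE=333                # used while tun2 is up
BLOCK_TABLE=444              # fallback so namespace traffic never reaches table main

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_vpn_ns_routing() {
    # Inside the namespace: everything leaves through the veth.
    run ip netns exec "$NS" ip route add default via "$HOST_IP" dev "$VPEER"
    # Host side: packets arriving from vpn_veth consult table 333 first, then 444.
    # Both priorities sort before main (32766), so the main table is never reached.
    run ip rule add iif "$VETH" table "$VPN_TABLE" priority 30000
    run ip route add default via "$VPN_GW" dev "$TUN" table "$VPN_TABLE"
    # When tun2 disappears its route goes with it; table 444 then answers
    # "unreachable" instead of letting the lookup fall through to enp2s0.
    run ip rule add iif "$VETH" table "$BLOCK_TABLE" priority 31000
    run ip route add unreachable default table "$BLOCK_TABLE"
    run sysctl -q -w net.ipv4.ip_forward=1
    # Forward only namespace<->tun2 (replies stateful); masquerade only the namespace subnet.
    run iptables -A FORWARD -i "$VETH" -o "$TUN" -j ACCEPT
    run iptables -A FORWARD -i "$TUN" -o "$VETH" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$NS_NET" -o "$TUN" -j MASQUERADE
}

teardown_vpn_ns_routing() {
    # --down hook: remove what setup added, tolerating partial state. The
    # unreachable rule (table 444) stays so the namespace remains cut off.
    run iptables -t nat -D POSTROUTING -s "$NS_NET" -o "$TUN" -j MASQUERADE || true
    run iptables -D FORWARD -i "$TUN" -o "$VETH" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
    run iptables -D FORWARD -i "$VETH" -o "$TUN" -j ACCEPT || true
    run ip rule del iif "$VETH" table "$VPN_TABLE" priority 30000 || true
    run ip route flush table "$VPN_TABLE" || true
}

case "${1:-}" in
    up)   setup_vpn_ns_routing ;;
    down) teardown_vpn_ns_routing ;;
esac
```

Run it as root with `up` from the openvpn --up script and `down` from the --down script; `DRY_RUN=1 ./script up` shows the exact commands without touching the system.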