Hi,
I'm trying to repurpose a small linux machine I have to route all incoming traffic over my VPN connection. This way I don't need to install VPN clients on all my machines at home, I just need to change the gateway to this "router". I found a guide that explains how to set this up for a RPi and it seems to have a good amount of overlap with what I need. Unfortunately, the kill switch is not working correctly. That is to say, if for whatever reason my vpn is not accessible, I want the packets to be dropped. I'm able to set the gateway to my "router" machine and everything is working fine, however, if I log onto the "router" and systemctl stop openvpn@CON (my vpn client connection), the packets from my laptop that route to the "vpn router" are merrily passed downstream to my actual home router. This is not what I want. Below is the output of iptables -L -nv
Chain INPUT (policy ACCEPT 16 packets, 2564 bytes)
pkts bytes target prot opt in out source destination
1553 1167K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* In from LAN */
2 100 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* loopback */
Chain FORWARD (policy ACCEPT 38 packets, 5706 bytes)
pkts bytes target prot opt in out source destination
1461 1037K ACCEPT all -- tun+ eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1030 252K ACCEPT all -- eth0 tun+ 0.0.0.0/0 0.0.0.0/0 /* LAN out to VPN */
Chain OUTPUT (policy ACCEPT 67 packets, 14746 bytes)
pkts bytes target prot opt in out source destination
4 304 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0 /* Out to VPN */
2 100 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* loopback */
1054 334K ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:1198 /* openvpn */
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:123 /* ntp */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 /* dhcp */
4 282 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* dns */
Would any networking pros be able to point out what is surely a silly mistake that I am making?
cheers,
dom
Last edited by dom11990 (2019-05-03 21:58:29)
I have some experience in flashing routers with dd-wrt. (I also have some experience in bricking routers while doing the same.)
But I cannot figure out what you are asking.
Do you want to flash your router with dd-wrt and program it to connect to the Internet through your VPN?
Richard
Chain FORWARD (policy ACCEPT 38 packets, 5706 bytes)
pkts bytes target prot opt in out source destination
1461 1037K ACCEPT all -- tun+ eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1030 252K ACCEPT all -- eth0 tun+ 0.0.0.0/0 0.0.0.0/0 /* LAN out to VPN */
Your FORWARD policy is ACCEPT. Change it to DROP:
iptables -P FORWARD DROP
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Ah yes, I missed that. After changing the default policy behavior, clients that are using the gateway correctly time out if the vpn drops. Thanks!
Part two -
Since this is a regular machine that I sometimes work on, I also wanted to modify the output rules with similar behavior. I ran
sudo iptables -P OUTPUT DROP
This has the desired behavior on the machine (internet only works through the VPN interface and not at all if the tunnel is down), however, it appears to have the side effect that I can no longer ssh onto the unit from within my network. Should this traffic not be coming in through the INPUT rules which are set to accept?
Further help would be deeply appreciated!
@Richard - to explain a little better, I don't want to flash my router. I have a linux box that I want to configure as a second gateway in my home network. If I want traffic to go through my vpn (which is the default for all my systems) I use this linux box as the gateway. If I don't want the traffic encrypted (for example Netflix) I use my normal router as the gateway. I want to expand the vpn gateway routing rules to prevent any outbound traffic if for some reason the vpn tunnel is down. This is the core of my question: how this is done. It appears to be working now for forwarded traffic and the solution makes sense, so I'm comfortable leaving it like this. The only thing left now is to do the same for internet traffic originating from the gateway box. However, applying the same policy seems to have affected the internal network traffic as well, which I don't want. I want the gateway to be accessible via ssh no matter the status of the VPN (from inside the network). I hope this explains it a little better.
cheers,
dominik
I believe I have solved my issue. After dropping all outgoing traffic by default, the ssh traffic was not allowed to leave the box.
I added a rule to allow all outgoing established traffic to proceed. Is this the correct way to solve this? I could have limited it to the ssh port but I may run other internal network services on this box and I don't want to go back and add iptables rules every time. Thoughts?
sudo iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -m comment --comment outgoing-established -j ACCEPT
cheers,
dominik
Last edited by dom11990 (2019-05-04 05:50:29)
...I can no longer ssh onto the unit from within my network. Should this traffic not be coming in through the INPUT rules which are set to accept?
Did you change the policy for the OUTPUT chain to DROP as well? If so, add the same RELATED,ESTABLISHED rule that you have in FORWARD to your OUTPUT chain to allow the packets from the router back to your SSH client.
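As an added example (not posted by anyone in this thread), here is the complete kill-switch ruleset the thread converges on: the original poster's rules plus the two fixes from the replies, a DROP policy on FORWARD and OUTPUT, and a RELATED,ESTABLISHED rule in OUTPUT so that replies to inbound SSH can leave the box. Interface names (eth0, tun+) and the OpenVPN port (1198/udp) come from the thread; the INPUT DROP policy and the MASQUERADE rule are assumptions not shown in the thread. The script prints the commands (dry run) unless IPT=iptables is exported, in which case it must run as root.

```shell
#!/bin/sh
# Added example, not the poster's script. Policies are set to DROP before any
# ACCEPT rule is added so nothing leaks while the ruleset is being loaded.
LAN_IF=eth0
VPN_IF="tun+"
VPN_PORT=1198                 # from the thread's "openvpn" rule
IPT="${IPT:-echo iptables}"   # export IPT=iptables to actually apply (root)

killswitch_rules() {
    $IPT -F
    $IPT -P INPUT DROP        # assumption: thread kept INPUT at ACCEPT
    $IPT -P FORWARD DROP      # fix from the first reply
    $IPT -P OUTPUT DROP       # the poster's part-two change

    # Management from the LAN side works regardless of VPN state.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -m comment --comment in-from-LAN -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the box accepted (e.g. ssh from the LAN):
    # without this, OUTPUT DROP silently kills inbound ssh sessions.
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED \
        -m comment --comment outgoing-established -j ACCEPT

    # Forwarded LAN traffic may leave only via the tunnel, never via eth0.
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m comment --comment LAN-out-to-VPN -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE   # assumption: NAT to the tunnel

    # The box's own traffic: only through the tunnel, plus what brings it up.
    $IPT -A OUTPUT -o "$VPN_IF" -m comment --comment out-to-VPN -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -p udp --dport "$VPN_PORT" -m comment --comment openvpn -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -p udp --dport 53 -m comment --comment dns -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -p udp --dport 123 -m comment --comment ntp -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 67:68 -m comment --comment dhcp -j ACCEPT
}

killswitch_rules
```

With the tunnel down, `systemctl stop openvpn@CON` leaves only the OpenVPN, DNS, NTP and DHCP rules matching on eth0, so forwarded client traffic and the box's own browsing time out while an existing ssh session from the LAN keeps working.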