You are not logged in.

#1 2019-07-12 02:07:47

alfalfa
Member
Registered: 2017-06-30
Posts: 63
Website

Need help with iptables (Wifi VPN Hotspot)

I have ethernet and wifi interfaces on the same machine and I would like to use the wlan solely as a VPN WiFi hotspot. I installed OpenVPN and create_ap, they both work independantly, but the traffic from create_ap is not routed to the VPN. I had limited success with the vpnfailsafe script (AUR), but I would like to use a more obvious approach. I tried fiddling with iptables without success, and frankly it is quite obscure for me. This seems to have no effects:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "Use VPN IP for eth0"
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Use VPN IP for tun0"
iptables -A FORWARD -s 192.168.0.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -j REJECT -m comment --comment "Block traffic from clients to eth0"
iptables -A FORWARD -s 192.168.0.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic from clients to tun0"
systemctl start iptables

ifconfig output:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.198  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::ba27:ebff:fe88:5812  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:88:58:12  txqueuelen 1000  (Ethernet)
        RX packets 1836  bytes 413975 (404.2 KiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 1683  bytes 236471 (230.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.0.10.6  netmask 255.255.255.255  destination 10.0.10.5
        inet6 fe80::5b25:6c33:668f:96ba  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 1046 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::ba27:ebff:fedd:d47  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:dd:0d:47  txqueuelen 1000  (Ethernet)
        RX packets 828  bytes 109404 (106.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 815  bytes 362598 (354.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    1024   0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wlan0
10.22.11.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.1     0.0.0.0         255.255.255.255 UH    1024   0        0 eth0

/etc/openvpn/client/America.conf

# servers
remote ca-montreal.privateinternetaccess.com 1198
remote ca-toronto.privateinternetaccess.com 1198
remote ca-vancouver.privateinternetaccess.com 1198
remote us-west.privateinternetaccess.com 1198
remote us-washingtondc.privateinternetaccess.com 1198
remote us-texas.privateinternetaccess.com 1198
remote us-seattle.privateinternetaccess.com 1198
remote us-newyorkcity.privateinternetaccess.com 1198
remote us-siliconvalley.privateinternetaccess.com 1198
remote us-lasvegas.privateinternetaccess.com 1198
remote us-houston.privateinternetaccess.com 1198
remote us-florida.privateinternetaccess.com 1198
remote us-east.privateinternetaccess.com 1198
remote us-denver.privateinternetaccess.com 1198
remote us-chicago.privateinternetaccess.com 1198
remote us-california.privateinternetaccess.com 1198
remote mexico.privateinternetaccess.com 1198
remote-random

# load common auth file
auth-user-pass client.key

# failsafe
script-security 2
route-noexec          # Ignore "RTNETLINK answers: File exists" error
ping-timer-rem        # Don't ping until connected to remote
#up /etc/openvpn/vpnfailsafe.sh
#down /etc/openvpn/vpnfailsafe.sh
#keepalive 10 30      # Ping every 10s, timeout and restart after 30s (replaced with keepalive.service)

# ignore ipv6-related configuration
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "

# generic PIA config
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
compress
verb 1
reneg-sec 0

<crl-verify>
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

disable-occ

/etc/create_ap.conf

CHANNEL=default
GATEWAY=10.0.0.1
WPA_VERSION=2
ETC_HOSTS=0
DHCP_DNS=gateway
NO_DNS=0
HIDDEN=0
MAC_FILTER=0
MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept
ISOLATE_CLIENTS=0
SHARE_METHOD=nat
IEEE80211N=0
IEEE80211AC=0
HT_CAPAB=[HT40+]
VHT_CAPAB=
DRIVER=nl80211
NO_VIRT=0
COUNTRY=
FREQ_BAND=2.4
NEW_MACADDR=
DAEMONIZE=0
NO_HAVEGED=0
WIFI_IFACE=wlan0
INTERNET_IFACE=tun0
SSID=ssid-vpn
PASSPHRASE=password                                                                                                                                 
USE_PSK=0

Offline

#2 2019-07-15 16:58:33

alfalfa
Member
Registered: 2017-06-30
Posts: 63
Website

Re: Need help with iptables (Wifi VPN Hotspot)

I could block unencrypted traffic by using vpnfailsafe script and UFW instead of iptables:

systemctl stop iptables
ufw default deny incoming
ufw default deny outgoing
ufw allow SSH
ufw allow from 192.168.0.0/24
ufw allow in on tun0
ufw allow out on tun0
ufw allow in on eth0 from any port 1198
ufw allow out on eth0 to any port 1198
ufw enable
systemctl enable ufw

It works with Bittorrent, but it doesn't allow internet access with create_ap, altough the wan iface is set to 'tun0'.
Could that be a create_ap issue? Any ideas?

Offline

Board footer

Powered by FluxBB