Hi all,
I have maybe a strange situation. I recently started testing a VPN service on my home network. Ideally I would like most of my home machines to connect through this VPN. I am using it for both privacy and to circumvent geo-restricted sites. I have a router, an Asus WL-500gp which is running the Tomato firmware, and I did first attempt to set up OpenVPN on it, which did work but didn't provide very much bandwidth, probably due to not having enough processing power to deal with the encryption and the compression involved. I was only able to get about 5Mbit down when normally I get approx 30+, so this was not an acceptable performance hit.
I then decided to try setting up the VPN on my media server, which is running Arch (of course). This was easily accomplished and is working extremely well with approx 25Mbs down. An acceptable performance hit. Now, as it stands only this machine is running through the VPN; the rest of the machines are still connecting to the net normally through the router. Is there a way to have other devices on my LAN also get forwarded through the VPN on my Arch server? I do realize I could run my server as a router, but I would rather leave the Tomato router for that as it works well and is easy to set up, whereas I suspect it may be complicated to set up on Arch. Is it possible to configure the Tomato to forward certain IPs (my wired network is all static IPs) or even MACs to the media server rather than the ISP? I suspect it can be done with some new routes added in, but I am not that familiar with routing tables to figure it out.
So for example my Tomato router is on IP 192.168.1.1, the media server is on 192.168.1.2, xbmc 1 is on 192.168.1.3, xbmc 2 is on 192.168.1.4 etc. So say I would also like to have xbmc 1 and 2 go through the VPN as well. Is there a relatively simple way to accomplish this? I am thinking something along the lines of having the Tomato forward requests from IP 192.168.1.3-192.168.1.4 to 192.168.1.2 (rather than the default gateway), then on the server tell it to forward these requests to tun0 (the VPN's network device).
Any thoughts? Anyone done something like this?
Thanks,
Kevin
Last edited by ould (2012-12-26 13:29:59)
My first thought was to just set the server up as a router, but then I got to the part where you reject the idea. If you change your mind, you may find my recent notes on configuring something similar useful.
I'm pretty much a networking noob so I may be way off, but I would try the following. Here I'm assuming that the LAN and VPN interfaces on the server are eth0 and tun0, respectively. These commands are adapted from the aforementioned notes.
On the server:
# Enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow postrouting to tun0. You may want to use "-s" here to strictly limit forwarding to IPs on your LAN.
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Enable forwarding from the LAN to the VPN (and back via related and established connections).
# Again, you may want to use "-s".
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
After that, I think you just need to set the server as the default gateway on the other machines. I am not familiar with the Tomato firmware, but I would expect there to be some easy way to do it there.
You probably want the router to return the VPN's DNS servers instead of your ISP's DNS servers if you use DHCP on the LAN.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
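The rules above with the "-s" restriction Xyne mentions, written up as a re-runnable script (an added example, not Xyne's notes or Kevin's startup script). It assumes eth0 is the LAN side and tun0 the VPN side, and it adds a default-deny FORWARD policy so that the two xbmc hosts' traffic is refused, rather than forwarded to the ISP in the clear, if tun0 goes down; the script name vpn-forward.sh and the DRY_RUN/plan helpers are hypothetical.

```shell
#!/bin/sh
# Hypothetical vpn-forward.sh (added example, not Xyne's or Kevin's script).
# Assumes eth0 is the LAN interface, tun0 the VPN interface, and that only the
# listed LAN hosts (the two xbmc boxes from the thread) may be forwarded.
LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
VPN_CLIENTS=${VPN_CLIENTS:-"192.168.1.3 192.168.1.4"}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the iptables calls instead of running them

# ipt TABLE CHAIN RULE... : append RULE only if it is not already present, so the
# script can be re-run at boot or by hand without piling up duplicate rules.
ipt() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table -A $chain $*"
    else
        iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
    fi
}

# policy CHAIN TARGET : set the chain's default policy.
policy() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables -P $1 $2"; else iptables -P "$1" "$2"; fi
}

apply_rules() {
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    # Default-deny forwarding: if tun0 goes down, the clients' packets are refused
    # instead of being forwarded out eth0 to the ISP in the clear.
    policy FORWARD DROP
    ipt filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    for host in $VPN_CLIENTS; do
        # Only the listed sources may enter the tunnel (the "-s" Xyne mentions).
        ipt filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$host" -j ACCEPT
        ipt nat POSTROUTING -o "$VPN_IF" -s "$host" -j MASQUERADE
    done
}

# plan_rules : print the commands that apply_rules would run, without root.
plan_rules() { ( DRY_RUN=1; apply_rules ); }
# count_rules : number of -A rules in the plan (5 for the two hosts above).
count_rules() { plan_rules | grep -c '^iptables -t '; }

case "${1:-}" in
    apply) apply_rules ;;
    plan)  plan_rules ;;
esac
```

Run `sh vpn-forward.sh plan` to review the rules, then `sh vpn-forward.sh apply` as root; the default-deny policy also means the server itself no longer forwards anything between eth0 hosts, which is intended here.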
Great, thanks for the reply. I will give that a try and see if it works. :-) For the PCs on the LAN it would be simple just to change their gateways. So that might be best. I have a couple of devices which I am not sure whether I can adjust their gateways on, but I can figure something out on the router using a custom route, most likely.
I will also read over your notes on just configuring the server as the router. I had just assumed that it would be a difficult thing to do properly but I could be wrong.
Thanks again,
Kevin
Hey Xyne,
Just to update this thread. Thanks so much, your commands worked perfectly. And for anyone else who may get here looking to do the same, on the router side of things all I had to do was the following. This is for a tomato based router, in the advanced DHCP/DNS section, enter the following into the DNSMasq, Custom Configuration window:
dhcp-mac=red,AA:BB:CC:DD:EE:FF
dhcp-option = net:red, option:router, 192.168.1.2
To explain, in the first line you put the MAC address of the machine you want to forward to a different gateway. "red" is just an alias and can be anything you want (the example I followed used red and blue for different things). The second line tells it to use the secondary gateway: it refers to the "red" alias and tells it to use the router/gateway at IP address 192.168.1.2, or whatever your IP happens to be. In testing this seems to be working perfectly. Obviously you can add more machines by repeating the first line with different MAC addresses.
Thanks again Xyne for getting me started, I will put your commands into a startup script so that they always start up as planned.
Kevin
I'm glad I could help (and that I wasn't completely wrong).
For the script, you might find my idemptables useful. It will ensure that duplicate rules are never added and that all matching rules are removed when you wish. Overall it keeps the rules consistent even if your script exits unexpectedly.
Thank you very much! It has been useful for me when I want to connect my VBox machines to do my lab.