
I have wlan0 and eth0. Eth0 is connected to the internet and wlan0 is an access point. I connected to an OpenVPN server with the "--pull-filter ignore redirect-gateway" option so that it doesn't automatically route ALL traffic through the VPN which is not what I want to do.

I'm trying to route all traffic from wlan0 (access point) to tun0. That way any clients connected to my access point will be using the VPN. I tried doing this using iptables:

iptables -A POSTROUTING -t nat -o wlan0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

This doesn't work (and the counters don't update either). I tried replacing tun0 with eth0 which DID work (but ofc completely bypassing the VPN), so I'm assuming that the problem lies with tun0. I also read somewhere that IP routing tables are better suited for this. If that's true, how can I do this?

  • This is a routing issue basically. You might be interested in policy routing. Does this help? Commented Feb 13, 2021 at 22:26

1 Answer

Assuming that your wlan subnet is 192.168.1.0/24 and tun0 IP is 10.10.10.99:

Execute the following commands on the VPN gateway.

Enable routing, if not yet enabled:

# "sudo echo 1 > file" fails: the redirection is done by the unprivileged shell, not by sudo
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Delete the first two NAT rules that you already have, while preserving the FORWARD rules:

sudo iptables -t nat -L -n --line-numbers
sudo iptables -t nat -D POSTROUTING 1
sudo iptables -t nat -D POSTROUTING 1   # run twice: after the first delete, the second rule becomes number 1

Once the NAT rules are removed, add back a single NAT rule in the right format.

sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o tun0 -j MASQUERADE 

Last step is to deal with the route table by using "Policy Routing":

sudo ip rule add from 192.168.1.0/24 table 99
sudo ip route add 0.0.0.0/0 via 10.10.10.99 dev tun0 table 99

Reference here and here

  • Is there a reason my way (with iptables) works for eth0 but not for tun0? Commented Feb 14, 2021 at 6:36
  • Okay so I didn't have to remove any of my NAT rules, but it works now! Is there a way for me to add the routes given that the IP is dynamic? Commented Feb 14, 2021 at 9:26
  • The source IP is dynamic? Then it means your wlan IP is dynamic. In most cases, the wlan IP range is static, although hosts can get dynamic IPs. In the route statement, we did not specify a single IP, but a range (192.168.1.0/24 for example). As long as you have the correct IP range, you can have the route table covered at all times. If the tun0 IP is dynamic, you can create a simple script that will monitor the IP address and save it into a variable. That variable will then be called in the route statement. Commented Feb 14, 2021 at 10:16
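The answer's steps and the follow-up about a changing tun0 address, combined into one script. This is an added example, not code from the question, the answer or the comments: it reads tun0's current IPv4 address with `ip -4 addr show` each time it runs, then applies the forwarding, NAT and policy-routing setup idempotently (every rule is checked with `-C`, or deleted, before being added, so rerunning after a VPN reconnect does not stack duplicates). The subnet 192.168.1.0/24, device tun0 and table 99 are the answer's example values; wlan0 is the access-point interface from the question. The reason the policy-routing rule is needed at all is that, with redirect-gateway ignored, the main table's default route still points at eth0, so forwarded packets never reach `-o tun0` and that FORWARD rule's counters stay at zero.

```shell
#!/bin/sh
# Added example (not from the original post): route an access-point subnet
# through a VPN tun device using NAT + policy routing, re-reading the tun
# address on every run so a dynamic VPN address is handled.
# Assumptions: values below are the answer's examples, overridable via env.

WLAN_IF="${WLAN_IF:-wlan0}"
WLAN_SUBNET="${WLAN_SUBNET:-192.168.1.0/24}"
TUN_DEV="${TUN_DEV:-tun0}"
TABLE="${TABLE:-99}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Pull the first IPv4 address out of `ip -4 addr show dev <dev>` text on stdin.
# Handles both "inet A/24 brd ..." and OpenVPN's "inet A peer B/32 ..." forms.
tun_ip_from_addr_show() {
    sed -n 's|^[[:space:]]*inet \([0-9.]*\)[/ ].*|\1|p' | head -n 1
}

# Current address of the tun device on this host (empty if the VPN is down).
current_tun_ip() {
    ip -4 addr show dev "$TUN_DEV" 2>/dev/null | tun_ip_from_addr_show
}

# Emit the commands for a given subnet/device/address/table, one per line.
# Each rule is tested (-C) or removed before it is (re)added.
plan_commands() {
    subnet="$1"; dev="$2"; tun_ip="$3"; table="$4"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -C POSTROUTING -s $subnet ! -d $subnet -o $dev -j MASQUERADE || iptables -t nat -A POSTROUTING -s $subnet ! -d $subnet -o $dev -j MASQUERADE
iptables -C FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -C FORWARD -i $WLAN_IF -o $dev -j ACCEPT || iptables -A FORWARD -i $WLAN_IF -o $dev -j ACCEPT
ip rule del from $subnet table $table 2>/dev/null; ip rule add from $subnet table $table
ip route replace default via $tun_ip dev $dev table $table
EOF
}

# Run (or, in dry-run mode, print) the planned commands as root.
apply_plan() {
    plan_commands "$WLAN_SUBNET" "$TUN_DEV" "$1" "$TABLE" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sudo sh -c "$cmd"
        fi
    done
}

main() {
    tun_ip=$(current_tun_ip)
    if [ -z "$tun_ip" ]; then
        echo "no IPv4 address on $TUN_DEV; is the VPN up?" >&2
        return 1
    fi
    apply_plan "$tun_ip"
}

# Only touch the system when invoked as:  ./ap-via-vpn.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it from a hook that fires when the VPN comes up (OpenVPN's `--up` script, or a systemd unit bound to the connection) so the table-99 default route always carries the current address. Because tun0 is a point-to-point device, `ip route replace default dev "$TUN_DEV" table 99` without `via` is also valid and removes the dependency on the address entirely; the script keeps the answer's `via` form to match the steps above.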
