A Debian 8 VM on my ESXi server is running an OpenVPN server which was running fine until I decided to add another interface to the machine with another IP. I would like to use one IP solely for VPN traffic, not for server administration.
These are both external IPs. The provider I'm with uses a rather weird configuration though: I have to set the gateway to an IP outside the subnet. And as not many OSes just accept this, I have to create a static route.
This is what it looks like:
root@ln-1:/etc/openvpn# ifconfig
eth0      Link encap:Ethernet HWaddr xx:xx:xx:xx:xx
          inet addr:92.xxx.xxx.xxx Bcast:92.xxx.xxx.xxx Mask:255.255.255.255
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:271765 errors:0 dropped:10 overruns:0 frame:0
          TX packets:4545 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16520579 (15.7 MiB) TX bytes:1027263 (1003.1 KiB)

eth1      Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
          inet addr:217.xxx.xxx.xxx Bcast:217.xxx.xxx.xxx Mask:255.255.255.255
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:271152 errors:0 dropped:9 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16727664 (15.9 MiB) TX bytes:1598 (1.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2774 (2.7 KiB) TX bytes:0 (0.0 B)
And the routes: I have configured the route to 91.xxx.xxx.xxx (which is the gateway) on both interfaces, but I made the default on eth0, which makes the machine use that one by default, I think. But I want the VPN traffic to go through eth1, using the same gateway IP:
root@ln-1:/etc/openvpn# route -n
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
0.0.0.0          91.xxx.xxx.xxx   0.0.0.0          UG    0      0        0 eth0
10.8.0.0         10.8.0.2         255.255.255.0    UG    0      0        0 tun0
10.8.0.2         0.0.0.0          255.255.255.255  UH    0      0        0 tun0
91.xxx.xxx.xxx   0.0.0.0          255.255.255.255  UH    0      0        0 eth1
91.xxx.xxx.xxx   0.0.0.0          255.255.255.255  UH    0      0        0 eth0
And the iptables configuration:
root@ln-1:/etc/openvpn# iptables-save
# Generated by iptables-save v1.4.21 on Tue May 9 00:08:15 2017
*filter
:INPUT DROP [8286:454500]
:FORWARD DROP [801:48621]
:OUTPUT ACCEPT [4648:980772]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -o eth1 -j ACCEPT
COMMIT
# Completed on Tue May 9 00:08:15 2017
# Generated by iptables-save v1.4.21 on Tue May 9 00:08:15 2017
*nat
:PREROUTING ACCEPT [19909:1034285]
:INPUT ACCEPT [54:2776]
:OUTPUT ACCEPT [144:10480]
:POSTROUTING ACCEPT [144:10480]
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue May 9 00:08:15 2017
SSH I would like to go over eth0; for the rest, VPN traffic goes over port 443, and over port 80 I serve the OpenVPN setup to make it easy to find. The OpenVPN configuration includes the following lines:
local 217.xxx.xxx.xxx
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
IP forwarding is on, and everything worked until I wanted to use eth0 for everything EXCEPT VPN traffic, and eth1 just for VPN traffic.
I cannot seem to get this to work. I've searched a lot, but I cannot find anyone with a similar setup who has solved this. Any help would be greatly appreciated!
If I have missed something relevant, please tell me and I will add it, of course. Also, I am new to actually posting things on this site, so please excuse me if I am doing anything wrong.
EDIT 10 May 2017 22:07 CEST: I've got new information. Apparently, OpenVPN tries to route/forward from tun0 to eth0. I was experimenting with iptables logging:
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
Which showed me this:
May 10 21:20:15 ln-1 kernel: [176312.426411] iptables_FORWARD_denied: IN=tun0 OUT=eth0 MAC= SRC=10.8.0.6 DST=157.56.144.215 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=1513 PROTO=UDP SPT=57959 DPT=3544 LEN=6
I'm also surprised I see PROTO=UDP here, because both the server and client are configured to use TCP.
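As an added example, not part of the question, here is a small Python model of the decision the kernel makes for the logged packet: a longest-prefix lookup in the `route -n` table above sends 10.8.0.6 to 157.56.144.215 out of eth0, where the FORWARD chain's only ACCEPT for client traffic (`-o eth1`) cannot match, so the chain policy DROP applies. It also models a hypothetical source-based policy rule (a second table whose default goes via the same gateway on eth1, selected by source 10.8.0.0/24, as `ip rule`/`ip route ... table` would do) to show how the egress device, and with it the verdict, changes; the gateway address is a constructed placeholder for the masked 91.xxx.xxx.xxx.

```python
import ipaddress
GW = "198.51.100.1"  # constructed placeholder for the masked 91.xxx.xxx.xxx gateway in the post

# Main table as `route -n` shows it: (destination, gateway or None if on-link, device).
MAIN_TABLE = [("0.0.0.0/0", GW, "eth0"), ("10.8.0.0/24", "10.8.0.2", "tun0"),
              ("10.8.0.2/32", None, "tun0"), (GW + "/32", None, "eth1"), (GW + "/32", None, "eth0")]
# Hypothetical second table, as `ip route add default via $GW dev eth1 table vpn` would create it.
VPN_TABLE = [(GW + "/32", None, "eth1"), ("0.0.0.0/0", GW, "eth1")]
# Hypothetical `ip rule add from 10.8.0.0/24 lookup vpn`: pick the table by source address.
POLICY_RULES = [("10.8.0.0/24", VPN_TABLE)]
# The only FORWARD ACCEPT for new client flows: -A FORWARD -s 10.8.0.0/24 -o eth1 -j ACCEPT
FORWARD_ALLOW = [("10.8.0.0/24", "eth1")]

def lookup(table, dst):
    """Longest-prefix match within one table; returns the egress device."""
    dst, best = ipaddress.ip_address(dst), None
    for net, _gw, dev in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def egress(src, dst, rules=()):
    """Policy routing: the first rule whose source matches selects the table, else main."""
    src = ipaddress.ip_address(src)
    for src_net, table in rules:
        if src in ipaddress.ip_network(src_net):
            return lookup(table, dst)
    return lookup(MAIN_TABLE, dst)

def forward_verdict(src, dst, rules=()):
    """FORWARD chain (policy DROP) applied to a new, not yet ESTABLISHED, flow."""
    out = egress(src, dst, rules)
    allowed = any(ipaddress.ip_address(src) in ipaddress.ip_network(n) and d == out
                  for n, d in FORWARD_ALLOW)
    return out, ("ACCEPT" if allowed else "DROP")

def parse_log(line):
    """Extract the KEY=VALUE fields of an iptables LOG line (a repeated key keeps its last value)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

# The dropped packet from the post; tun0 delivers the client's already decapsulated inner packet, hence PROTO=UDP.
LOG = ("May 10 21:20:15 ln-1 kernel: [176312.426411] iptables_FORWARD_denied: IN=tun0 "
       "OUT=eth0 MAC= SRC=10.8.0.6 DST=157.56.144.215 LEN=89 TOS=0x00 PREC=0x00 TTL=127 "
       "ID=1513 PROTO=UDP SPT=57959 DPT=3544 LEN=6")

if __name__ == "__main__":
    f = parse_log(LOG)
    print("main table only:", forward_verdict(f["SRC"], f["DST"]))  # ('eth0', 'DROP')
    print("with policy rule:", forward_verdict(f["SRC"], f["DST"], POLICY_RULES))  # ('eth1', 'ACCEPT')
```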