
Using VirtualBox on Ubuntu, I want to connect two Linux (debian 9) VMs together, so that the first one acts as a router for the second one (VM2), whose traffic is completely routed through the first one (VM1). The VM1 (gateway) is connected to a VPN service and thus all traffic from VM2 is connected to the VPN.

I have managed to have the VM2 successfully ping external IPs such as 8.8.8.8. But all other networking fails. I think the issue is the DNS resolution, which for some reason unknown to me is not resolved by the VM1.

Here is what I have done so far:

On VirtualBox, VM1 is connected to a NAT interface, and a second interface, which is an internal network named "testvpn". VM2 is only connected to this internal network, not to the NAT.

VM1 has the following /etc/network/interfaces configuration:

auto lo
iface lo inet loopback

allow-hotplug enp0s3
iface enp0s3 inet dhcp

allow-hotplug enp0s8
iface enp0s8 inet static
      address 10.152.152.10
      netmask 255.255.192.0

VM2 has the following /etc/network/interfaces configuration:

auto lo
iface lo inet loopback

allow-hotplug enp0s3
iface enp0s3 inet static
    address 10.152.152.15
    gateway 10.152.152.10
    netmask 255.255.255.0
    dns-nameservers 10.152.152.10

VM2's /etc/resolv.conf points to VM1:

nameserver 10.152.152.10

With this simple configuration, VM2 can ping VM1, but has no access to external internet. For this I must allow ip forwarding and configure iptables on VM1:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s8 -o tun0 -j ACCEPT

Note that I use tun0 on purpose for the VPN network interface, but the results are exactly the same with enp0s3 instead of tun0 when the VPN tunnel is not activated. Now I can ping external addresses on VM2, but all other network connections fail:

  $ curl google.com
    curl: (6) Could not resolve host: google.com

After some online reading, I tried to add supposedly DNS related iptables rules on the first gateway VM:

iptables -t nat -A PREROUTING -i enp0s8 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 53 -j REDIRECT

It doesn't work. Note that networking works fine on the VM1, with or without VPN.

I am not very experienced with iptables and I really don't know what to do next. I tried searching online for hours but couldn't find a solution. I would not like to use dhcp/dnsmasq solutions, as I am quite sure iptables should be enough.


1 Answer


EDIT: I got it working by changing the PREROUTING rules as follows:

iptables -t nat -A PREROUTING -i enp0s8 -p udp --dport 53 -j DNAT --to-destination 10.4.0.1
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 53 -j DNAT --to-destination 10.4.0.1

10.4.0.1 being the default DNS nameserver of the VPN (AirVPN) as in /etc/resolv.conf.

I am not sure if this is the correct way of doing it, but it works...

So now my entire iptables rules look as follows:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s8 -o tun0 -j ACCEPT
iptables -t nat -A PREROUTING -i enp0s8 -p udp --dport 53 -j DNAT --to-destination 10.4.0.1
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 53 -j DNAT --to-destination 10.4.0.1
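
The gateway setup from the question plus the DNS DNAT from the answer, as an added example that is not code from either post: it reads the VPN's resolver from resolv.conf instead of hard-coding 10.4.0.1, and it sets an explicit FORWARD DROP default so nothing except the listed enp0s8/tun0 directions is forwarded when the tunnel is down. Interface names are the page's own; `first_nameserver`, `gen_rules` and `main` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the question or answer). Builds the VM1 gateway
# rules with the DNS server taken from a resolv.conf-style input.
LAN_IF="${LAN_IF:-enp0s8}"   # internal network towards VM2
VPN_IF="${VPN_IF:-tun0}"     # VPN tunnel; set VPN_IF=enp0s3 to test without the VPN

# Print the first "nameserver" entry read on stdin (resolv.conf format).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Emit the commands for a gateway that sends VM2's traffic, DNS queries
# included, through $VPN_IF to the resolver given as $1. Nothing is applied.
gen_rules() {
    dns="$1"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j DNAT --to-destination $dns
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 53 -j DNAT --to-destination $dns
EOF
}

# Apply the rules on VM1 (needs root); with --dry-run only print them.
main() {
    dns=$(first_nameserver < /etc/resolv.conf)
    [ -n "$dns" ] || { echo "no nameserver in /etc/resolv.conf" >&2; return 1; }
    if [ "$1" = "--dry-run" ]; then gen_rules "$dns"; else gen_rules "$dns" | sh -e; fi
}

# Constructed resolv.conf sample (not VM1's real file) for an offline dry run.
SAMPLE_RESOLV='# written by the VPN client
nameserver 10.4.0.1
nameserver 10.4.0.2'

if [ -n "${GW_APPLY:-}" ]; then main "$@"; fi
```

Run `GW_APPLY=1 sh gateway.sh --dry-run` on VM1 to review the commands before applying them without `--dry-run`.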
