I am using a Raspberry Pi as my router to serve my PC and an IoT device. The connection diagram is as below (image: "network setup"). The RPi has two Ethernet ports: eth1 is connected to my home network 192.168.1.0/24, and eth2 is connected to a switch; my PC and an IoT device are connected to that switch. On the RPi, dnsmasq is used as the DHCP and DNS server to assign IP addresses to my PC and IoT device. An OpenVPN client is set up to connect to the remote VPN server (corporate network). What I am trying to achieve is to direct only some of the traffic through my VPN (tun0) while most other traffic goes via my home network.
My iptables settings are as below:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o tun0 -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -d 10.2.0.0/16 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
When the OpenVPN connection is established, I can talk to the corporate network (from my PC) without any issue. However, all traffic is routed through the VPN tun0, and I couldn't access the home network (from my PC). I guess that is something to do with my iptables settings, any advice?
Edit: added the OpenVPN config below
dev tun
client
proto tcp
<ca>
-----BEGIN CERTIFICATE-----
==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
==
-----END PRIVATE KEY-----
</key>
remote-cert-eku "TLS Web Server Authentication"
remote example-domain.com 443
route-nopull
route 10.1.0.0 255.255.0.0 10.0.0.1
route 10.2.0.0 255.255.0.0 10.0.0.1
dhcp-option DNS 10.1.0.253
dhcp-option DNS 10.1.0.254
dhcp-option WINS 10.1.0.253
dhcp-option WINS 10.1.0.254
dhcp-option DOMAIN internal.example-domain.com
block-outside-dns
redirect-gateway def1
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA256
float
reneg-sec 3660
nobind
mute-replay-warnings
auth-user-pass
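A small check, added here and not part of the original question, that parses the routing-relevant directives of the posted client config and reports which of them still send all traffic into tun0. The sample is a constructed copy of the config above with certificates and credentials left out; parse_directives and audit_split_tunnel are hypothetical helper names.

```python
import shlex
# Constructed sample: the routing-relevant lines of the client config above,
# with certificate contents and credentials left out.
SAMPLE_CONFIG = """\
client
remote example-domain.com 443
<ca>
REDACTED CERTIFICATE
</ca>
route-nopull
route 10.1.0.0 255.255.0.0 10.0.0.1
route 10.2.0.0 255.255.0.0 10.0.0.1
block-outside-dns
redirect-gateway def1
"""

def parse_directives(text):
    """Return (directive, args) pairs. Comments and the bodies of inline
    <ca>/<cert>/<key> blocks are skipped: they contain no directives."""
    directives, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:                        # inside <tag> ... </tag>
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        name, *args = shlex.split(line)     # handles quoted args (remote-cert-eku)
        directives.append((name, args))
    return directives

def audit_split_tunnel(text):
    """Return (findings, tunnelled_prefixes) for a config meant to split-tunnel."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    prefixes = [f"{a[0]}/{a[1]}" for n, a in directives if n == "route" and len(a) >= 2]
    findings = []
    if "redirect-gateway" in names:
        findings.append("redirect-gateway: adds routes covering every destination "
                        "(0.0.0.0/1 and 128.0.0.0/1 with def1) via the tunnel; "
                        "route-nopull only ignores server-pushed routes, not local ones")
        prefixes.insert(0, "0.0.0.0/0")     # net effect: everything is tunnelled
    if "route-nopull" not in names:
        findings.append("no route-nopull: routes pushed by the server are installed too")
    return findings, prefixes
```

Running audit_split_tunnel on the sample reports the redirect-gateway directive as the reason all traffic enters tun0 regardless of the iptables FORWARD rules, which only filter packets the kernel has already routed.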