I am configuring a Raspberry Pi to route traffic from a specific VLAN through a VPN, but I am encountering routing issues. Here’s an overview of my setup and the problems I'm facing:

Setup:

  • Raspberry Pi
  • Managed Switch
  • PC connected to the switch.

The PC and the RPI are intended to be in one VLAN (VLAN 10). Traffic from the PC should be routed via the RPI.

RPI setup

Network Interfaces:

  • eth0: Connected to a local network, IP 192.168.100.27/24
  • tun0: VPN interface, which is set as the default route for all outbound traffic, gateway 10.0.0.1
  • eth0.10: VLAN 10 interface with IP 192.168.10.1/24

Goal: Route all traffic from the VLAN 10 (192.168.10.0/24 network) exclusively through the VPN on the tun0 interface.

Current Configuration & Issue:

I have configured split tunneling for the VPN with routes 0.0.0.0/1 and 128.0.0.0/1 via 10.0.0.1 on tun0.

Attempts to configure routing to let traffic from eth0.10 use tun0 result in the error: "Nexthop has invalid gateway."

Direct pings from eth0.10 to 10.0.0.1 or to external IPs such as 8.8.8.8 fail, suggesting an issue with how the traffic is being routed from the VLAN through the VPN.

Specific Challenges:

I am unable to route traffic from 192.168.10.0/24 through tun0 effectively. I get errors when setting 10.0.0.1 as a gateway for eth0.10, despite tun0 being configured with this gateway for VPN traffic.

Questions:

  • How can I ensure that all traffic from VLAN 10 (eth0.10) is correctly routed through the VPN on tun0?
  • Are there specific configurations or adjustments needed in iptables or routing tables to facilitate this setup?

Any insights or guidance on how to correctly configure this network setup would be greatly appreciated, particularly any configuration snippets or diagnostic commands that could help resolve these routing issues.

1 Answer


I work as an intern at a data management company, and we actually had a similar (but more complicated) problem recently, with routing local servers to public ones.

To route your traffic from VLAN 10 through the VPN on tun0, you need to configure policy-based routing.

First, use the iptables command to mark packets from VLAN 10 with a specific fwmark (e.g., 0x10):

# mangle/PREROUTING sees packets as they arrive on eth0.10, before routing
iptables -t mangle -A PREROUTING -i eth0.10 -j MARK --set-mark 0x10

Now create a new routing table (e.g., vpn_route) with a higher priority than the default table:

# "vpn_route" must exist in /etc/iproute2/rt_tables (e.g. a line "100 vpn_route"),
# or use the numeric table id directly
ip rule add fwmark 0x10 table vpn_route

Add routes to the vpn_route table to direct traffic from VLAN 10 through the VPN:

ip route add default via 10.0.0.1 dev tun0 table vpn_route
# the VLAN is directly connected; 192.168.10.1 is the Pi's own address, so no "via"
ip route add 192.168.10.0/24 dev eth0.10 table vpn_route

Allow traffic from VLAN 10 to the VPN interface:

iptables -A FORWARD -i eth0.10 -o tun0 -j ACCEPT

Now all you should have to do is check your routing tables and iptables rules to ensure everything is configured correctly:

ip rule show
ip route show table vpn_route
iptables -nvL

By following these steps, you should hopefully be able to route traffic from VLAN 10 through the VPN on tun0. If you encounter issues or need further assistance, please let me know in the comments. I understand this is an annoying problem, and there isn't much info about it online, so I hope my method works!
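Putting the answer's steps together, as an added example that is not code from the question or the answer: a small POSIX sh script that applies the policy routing with corrected iptables syntax, adds the source NAT the answer leaves out, and ends with a FORWARD-chain kill switch so VLAN 10 traffic cannot fall back to eth0 if tun0 goes down. Interface names, addresses and the 0x10 mark come from the question; the table id 100, rule priority 1000, the probe address 192.168.10.50 and the DRY_RUN helper are my assumptions.

```shell
#!/bin/sh
# Policy routing for VLAN 10 (eth0.10) through tun0, plus a FORWARD kill switch.
# Interface names, addresses and the 0x10 mark come from the question; the
# table id 100 and rule priority 1000 are assumptions (add "100 vpn_route" to
# /etc/iproute2/rt_tables if you prefer the name used in the answer).
VLAN_IF=eth0.10
VLAN_NET=192.168.10.0/24
VPN_IF=tun0
VPN_GW=10.0.0.1
MARK=0x10
TABLE=100

# DRY_RUN=1 prints each command instead of executing it, so the plan can be
# reviewed (or tested) on a host without root or without these interfaces.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

vpn_route_apply() {
  run sysctl -w net.ipv4.ip_forward=1
  # 1. Mark packets arriving from the VLAN so a policy rule can steer them.
  run iptables -t mangle -A PREROUTING -i "$VLAN_IF" -j MARK --set-mark "$MARK"

  # 2. Marked packets consult table 100 before main. "ip route replace" is
  #    idempotent; "ip rule add" is not, so a rerun would duplicate the rule.
  run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
  run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
  # The VLAN stays directly connected: no "via", 192.168.10.1 is a local address.
  run ip route replace "$VLAN_NET" dev "$VLAN_IF" table "$TABLE"

  # 3. Source-NAT the VLAN behind the tunnel address; skip this only if the
  #    VPN server already routes 192.168.10.0/24 back to this Pi.
  run iptables -t nat -A POSTROUTING -s "$VLAN_NET" -o "$VPN_IF" -j MASQUERADE

  # 4. Forward VLAN -> tun0 and the replies, and drop everything else from the
  #    VLAN. The final DROP is the kill switch: if tun0 goes away, marked packets
  #    fall through to the main table (eth0) and this rule stops the leak.
  run iptables -A FORWARD -i "$VLAN_IF" -o "$VPN_IF" -j ACCEPT
  run iptables -A FORWARD -i "$VPN_IF" -o "$VLAN_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$VLAN_IF" -j DROP
}
# Which device does a marked packet from the VLAN actually leave on? Prints the
# "dev" from the kernel's own route lookup; expect "tun0" once applied.
vpn_route_check() {
  ip route get 8.8.8.8 from 192.168.10.50 iif "$VLAN_IF" mark "$MARK" \
    | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}
```

Run `DRY_RUN=1 sh vpn-vlan.sh` first to read the plan, then as root without DRY_RUN to apply it; `vpn_route_check` printing anything other than tun0 means the mark or the rule is not taking effect.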
