Sharing OpenVPN to specified IP-range on the local LAN
Is it possible and how to share OpenVPN (currently Anonine) -connection to specified IP-addresses on the local LAN? Local LAN consist windows- and linux machines and Android devices.
Current setup, server with Ubuntu Server distribution:
- eth0: public ip (dhcp, lets say 112.112.112.112), shared to local LAN with iptables
- eth1: local LAN (192.168.1.1)
- tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull
At the momement I'm sharing public ip to a local LAN with iptables:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
What I would like to achieve is to share eth0 internet connection to a local LAN with ip-addresses 192.168.1.2 - 192.168.1.19 and they are declined to use OpenVPN -connection tap0.
Then I would like to share OpenVPN -connection to ip-addresses greater than 192.168.1.19 and they are declined to use eth0 at any cost.
I will manually add name servers on each client on the local LAN.
--AFTER HOURS OF TRYING--
Route table when route-nopull is used with OpenVPN:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
88.115.14.0 * 255.255.224.0 U 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1
And this routing is used when OpenVPN add routes:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 46.246.18.101 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
46.246.18.100 0.0.0.0 255.255.255.128 U 0 0 0 tap0
80.67.8.213 88.115.14.1 255.255.255.255 UGH 0 0 0 eth0
88.115.14.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
128.0.0.0 46.246.18.129 128.0.0.0 UG 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
This is what I used for sharing a public ip (WAN) to the local lan:
iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE
This is for trying to share the OpenVPN for the local lan
iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE
Above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN but it does not work for the tap0. If I allow default routes for the OpenVPN then it works for the tap0 but not for the eth0.
Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?
iptables openvpn internet-sharing
asked Dec 16 '13 at 11:15
AnttiQAnttiQ
2826
add a comment |
Is it possible and how to share OpenVPN (currently Anonine) -connection to specified IP-addresses on the local LAN? Local LAN consist windows- and linux machines and Android devices.
Current setup, server with Ubuntu Server distribution:
- eth0: public ip (dhcp, lets say 112.112.112.112), shared to local LAN with iptables
- eth1: local LAN (192.168.1.1)
- tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull
At the momement I'm sharing public ip to a local LAN with iptables:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
What I would like to achieve is to share eth0 internet connection to a local LAN with ip-addresses 192.168.1.2 - 192.168.1.19 and they are declined to use OpenVPN -connection tap0.
Then I would like to share OpenVPN -connection to ip-addresses greater than 192.168.1.19 and they are declined to use eth0 at any cost.
I will manually add name servers on each client on the local LAN.
--AFTER HOURS OF TRYING--
Route table when route-nopull is used with OpenVPN:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
88.115.14.0 * 255.255.224.0 U 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1
And this routing is used when OpenVPN add routes:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 46.246.18.101 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
46.246.18.100 0.0.0.0 255.255.255.128 U 0 0 0 tap0
80.67.8.213 88.115.14.1 255.255.255.255 UGH 0 0 0 eth0
88.115.14.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
128.0.0.0 46.246.18.129 128.0.0.0 UG 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
This is what I used for sharing a public ip (WAN) to the local lan:
iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE
This is for trying to share the OpenVPN for the local lan
iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE
Above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN but it does not work for the tap0. If I allow default routes for the OpenVPN then it works for the tap0 but not for the eth0.
Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?
iptables openvpn internet-sharing
asked Dec 16 '13 at 11:15
AnttiQAnttiQ
2826
add a comment |
Is it possible and how to share OpenVPN (currently Anonine) -connection to specified IP-addresses on the local LAN? Local LAN consist windows- and linux machines and Android devices.
Current setup, server with Ubuntu Server distribution:
- eth0: public ip (dhcp, lets say 112.112.112.112), shared to local LAN with iptables
- eth1: local LAN (192.168.1.1)
- tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull
At the momement I'm sharing public ip to a local LAN with iptables:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
What I would like to achieve is to share eth0 internet connection to a local LAN with ip-addresses 192.168.1.2 - 192.168.1.19 and they are declined to use OpenVPN -connection tap0.
Then I would like to share OpenVPN -connection to ip-addresses greater than 192.168.1.19 and they are declined to use eth0 at any cost.
I will manually add name servers on each client on the local LAN.
--AFTER HOURS OF TRYING--
Route table when route-nopull is used with OpenVPN:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
88.115.14.0 * 255.255.224.0 U 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1
And this routing is used when OpenVPN add routes:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 46.246.18.101 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
46.246.18.100 0.0.0.0 255.255.255.128 U 0 0 0 tap0
80.67.8.213 88.115.14.1 255.255.255.255 UGH 0 0 0 eth0
88.115.14.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
128.0.0.0 46.246.18.129 128.0.0.0 UG 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
This is what I used for sharing a public ip (WAN) to the local lan:
iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE
This is for trying to share the OpenVPN for the local lan
iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE
Above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN but it does not work for the tap0. If I allow default routes for the OpenVPN then it works for the tap0 but not for the eth0.
Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?
iptables openvpn internet-sharing
asked Dec 16 '13 at 11:15
AnttiQAnttiQ
2826
Is it possible and how to share OpenVPN (currently Anonine) -connection to specified IP-addresses on the local LAN? Local LAN consist windows- and linux machines and Android devices.
Current setup, server with Ubuntu Server distribution:
- eth0: public ip (dhcp, lets say 112.112.112.112), shared to local LAN with iptables
- eth1: local LAN (192.168.1.1)
- tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull
At the momement I'm sharing public ip to a local LAN with iptables:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
What I would like to achieve is to share eth0 internet connection to a local LAN with ip-addresses 192.168.1.2 - 192.168.1.19 and they are declined to use OpenVPN -connection tap0.
Then I would like to share OpenVPN -connection to ip-addresses greater than 192.168.1.19 and they are declined to use eth0 at any cost.
I will manually add name servers on each client on the local LAN.
--AFTER HOURS OF TRYING--
Route table when route-nopull is used with OpenVPN:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
88.115.14.0 * 255.255.224.0 U 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1
And this routing is used when OpenVPN add routes:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 46.246.18.101 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
46.246.18.100 0.0.0.0 255.255.255.128 U 0 0 0 tap0
80.67.8.213 88.115.14.1 255.255.255.255 UGH 0 0 0 eth0
88.115.14.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
128.0.0.0 46.246.18.129 128.0.0.0 UG 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
This is what I used for sharing a public ip (WAN) to the local lan:
iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE
This is for trying to share the OpenVPN for the local lan
iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE
Above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN but it does not work for the tap0. If I allow default routes for the OpenVPN then it works for the tap0 but not for the eth0.
Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?
iptables openvpn internet-sharing
iptables openvpn internet-sharing
asked Dec 16 '13 at 11:15
AnttiQAnttiQ
2826
asked Dec 16 '13 at 11:15
AnttiQAnttiQ
2826
edited Dec 18 '13 at 12:44
AnttiQ
asked Dec 16 '13 at 11:15
AnttiQAnttiQ
2826
asked Dec 16 '13 at 11:15
AnttiQAnttiQ
2826
asked Dec 16 '13 at 11:15
AnttiQAnttiQ
2826
2826
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.
There are a few tricks:
1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.
2) most guides will tell you:
you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN
This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.
Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.
3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.
4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.
This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.
Edit:
on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
answered Dec 16 '13 at 13:28
MariusMatutiaeMariusMatutiae
38.2k95196
I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.
– AnttiQ
Dec 18 '13 at 11:24
@AnttiQ See my edit
– MariusMatutiae
Dec 18 '13 at 11:35
I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.
– AnttiQ
Dec 18 '13 at 11:39
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f689043%2fsharing-openvpn-to-specified-ip-range-on-the-local-lan%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.
There are a few tricks:
1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.
2) most guides will tell you:
you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN
This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.
Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.
3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.
4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.
This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.
Edit:
on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
answered Dec 16 '13 at 13:28
MariusMatutiaeMariusMatutiae
38.2k95196
I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.
– AnttiQ
Dec 18 '13 at 11:24
@AnttiQ See my edit
– MariusMatutiae
Dec 18 '13 at 11:35
I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.
– AnttiQ
Dec 18 '13 at 11:39
add a comment |
Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.
There are a few tricks:
1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.
2) most guides will tell you:
you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN
This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.
Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.
3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.
4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.
This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.
Edit:
on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
answered Dec 16 '13 at 13:28
MariusMatutiaeMariusMatutiae
38.2k95196
I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.
– AnttiQ
Dec 18 '13 at 11:24
@AnttiQ See my edit
– MariusMatutiae
Dec 18 '13 at 11:35
I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.
– AnttiQ
Dec 18 '13 at 11:39
add a comment |
Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.
There are a few tricks:
1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.
2) most guides will tell you:
you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN
This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.
Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.
3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.
4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.
This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.
Edit:
on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
answered Dec 16 '13 at 13:28
MariusMatutiaeMariusMatutiae
38.2k95196
Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.
There are a few tricks:
1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.
2) most guides will tell you:
you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN
This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.
Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.
3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.
4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.
This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.
Edit:
on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
answered Dec 16 '13 at 13:28
MariusMatutiaeMariusMatutiae
38.2k95196
edited Dec 18 '13 at 11:34
answered Dec 16 '13 at 13:28
MariusMatutiaeMariusMatutiae
38.2k95196
answered Dec 16 '13 at 13:28
MariusMatutiaeMariusMatutiae
38.2k95196
answered Dec 16 '13 at 13:28
MariusMatutiaeMariusMatutiae
38.2k95196
38.2k95196
I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.
– AnttiQ
Dec 18 '13 at 11:24
@AnttiQ See my edit
– MariusMatutiae
Dec 18 '13 at 11:35
I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.
– AnttiQ
Dec 18 '13 at 11:39
add a comment |
I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.
– AnttiQ
Dec 18 '13 at 11:24
@AnttiQ See my edit
– MariusMatutiae
Dec 18 '13 at 11:35
I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.
– AnttiQ
Dec 18 '13 at 11:39
I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.
– AnttiQ
Dec 18 '13 at 11:24
I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.
– AnttiQ
Dec 18 '13 at 11:24
@AnttiQ See my edit
– MariusMatutiae
Dec 18 '13 at 11:35
@AnttiQ See my edit
– MariusMatutiae
Dec 18 '13 at 11:35
I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.
– AnttiQ
Dec 18 '13 at 11:39
I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.
– AnttiQ
Dec 18 '13 at 11:39
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f689043%2fsharing-openvpn-to-specified-ip-range-on-the-local-lan%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
