Sharing OpenVPN to specified IP-range on the local LAN












1















Is it possible and how to share OpenVPN (currently Anonine) -connection to specified IP-addresses on the local LAN? Local LAN consist windows- and linux machines and Android devices.



Current setup, server with Ubuntu Server distribution:




  • eth0: public ip (dhcp, lets say 112.112.112.112), shared to local LAN with iptables

  • eth1: local LAN (192.168.1.1)

  • tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull


At the momement I'm sharing public ip to a local LAN with iptables:



iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


What I would like to achieve is to share eth0 internet connection to a local LAN with ip-addresses 192.168.1.2 - 192.168.1.19 and they are declined to use OpenVPN -connection tap0.



Then I would like to share OpenVPN -connection to ip-addresses greater than 192.168.1.19 and they are declined to use eth0 at any cost.



I will manually add name servers on each client on the local LAN.



--AFTER HOURS OF TRYING--



Route table when route-nopull is used with OpenVPN:



Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
88.115.14.0 * 255.255.224.0 U 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1


And this routing is used when OpenVPN add routes:



Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 46.246.18.101 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
46.246.18.100 0.0.0.0 255.255.255.128 U 0 0 0 tap0
80.67.8.213 88.115.14.1 255.255.255.255 UGH 0 0 0 eth0
88.115.14.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
128.0.0.0 46.246.18.129 128.0.0.0 UG 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1


This is what I used for sharing a public ip (WAN) to the local lan:



iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE


This is for trying to share the OpenVPN for the local lan



iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE


Above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN but it does not work for the tap0. If I allow default routes for the OpenVPN then it works for the tap0 but not for the eth0.



Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?










share|improve this question





























    1















    Is it possible and how to share OpenVPN (currently Anonine) -connection to specified IP-addresses on the local LAN? Local LAN consist windows- and linux machines and Android devices.



    Current setup, server with Ubuntu Server distribution:




    • eth0: public ip (dhcp, lets say 112.112.112.112), shared to local LAN with iptables

    • eth1: local LAN (192.168.1.1)

    • tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull


    At the momement I'm sharing public ip to a local LAN with iptables:



    iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


    What I would like to achieve is to share eth0 internet connection to a local LAN with ip-addresses 192.168.1.2 - 192.168.1.19 and they are declined to use OpenVPN -connection tap0.



    Then I would like to share OpenVPN -connection to ip-addresses greater than 192.168.1.19 and they are declined to use eth0 at any cost.



    I will manually add name servers on each client on the local LAN.



    --AFTER HOURS OF TRYING--



    Route table when route-nopull is used with OpenVPN:



    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
    88.115.14.0 * 255.255.224.0 U 0 0 0 eth0
    localnet * 255.255.255.0 U 0 0 0 eth1


    And this routing is used when OpenVPN add routes:



    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 46.246.18.101 128.0.0.0 UG 0 0 0 tap0
    0.0.0.0 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
    46.246.18.100 0.0.0.0 255.255.255.128 U 0 0 0 tap0
    80.67.8.213 88.115.14.1 255.255.255.255 UGH 0 0 0 eth0
    88.115.14.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
    128.0.0.0 46.246.18.129 128.0.0.0 UG 0 0 0 tap0
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1


    This is what I used for sharing a public ip (WAN) to the local lan:



    iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE


    This is for trying to share the OpenVPN for the local lan



    iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE


    Above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN but it does not work for the tap0. If I allow default routes for the OpenVPN then it works for the tap0 but not for the eth0.



    Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?










    share|improve this question



























      1












      1








      1


      1






      Is it possible and how to share OpenVPN (currently Anonine) -connection to specified IP-addresses on the local LAN? Local LAN consist windows- and linux machines and Android devices.



      Current setup, server with Ubuntu Server distribution:




      • eth0: public ip (dhcp, lets say 112.112.112.112), shared to local LAN with iptables

      • eth1: local LAN (192.168.1.1)

      • tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull


      At the momement I'm sharing public ip to a local LAN with iptables:



      iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -t nat -F POSTROUTING
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


      What I would like to achieve is to share eth0 internet connection to a local LAN with ip-addresses 192.168.1.2 - 192.168.1.19 and they are declined to use OpenVPN -connection tap0.



      Then I would like to share OpenVPN -connection to ip-addresses greater than 192.168.1.19 and they are declined to use eth0 at any cost.



      I will manually add name servers on each client on the local LAN.



      --AFTER HOURS OF TRYING--



      Route table when route-nopull is used with OpenVPN:



      Kernel IP routing table
      Destination Gateway Genmask Flags Metric Ref Use Iface
      default 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
      88.115.14.0 * 255.255.224.0 U 0 0 0 eth0
      localnet * 255.255.255.0 U 0 0 0 eth1


      And this routing is used when OpenVPN add routes:



      Kernel IP routing table
      Destination Gateway Genmask Flags Metric Ref Use Iface
      0.0.0.0 46.246.18.101 128.0.0.0 UG 0 0 0 tap0
      0.0.0.0 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
      46.246.18.100 0.0.0.0 255.255.255.128 U 0 0 0 tap0
      80.67.8.213 88.115.14.1 255.255.255.255 UGH 0 0 0 eth0
      88.115.14.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
      128.0.0.0 46.246.18.129 128.0.0.0 UG 0 0 0 tap0
      192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1


      This is what I used for sharing a public ip (WAN) to the local lan:



      iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE


      This is for trying to share the OpenVPN for the local lan



      iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE


      Above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN but it does not work for the tap0. If I allow default routes for the OpenVPN then it works for the tap0 but not for the eth0.



      Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?










      share|improve this question
















      Is it possible and how to share OpenVPN (currently Anonine) -connection to specified IP-addresses on the local LAN? Local LAN consist windows- and linux machines and Android devices.



      Current setup, server with Ubuntu Server distribution:




      • eth0: public ip (dhcp, lets say 112.112.112.112), shared to local LAN with iptables

      • eth1: local LAN (192.168.1.1)

      • tap0: OpenVPN (Anonine DHCP 221.221.221.221) with configuration option route-nopull


      At the momement I'm sharing public ip to a local LAN with iptables:



      iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -t nat -F POSTROUTING
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


      What I would like to achieve is to share eth0 internet connection to a local LAN with ip-addresses 192.168.1.2 - 192.168.1.19 and they are declined to use OpenVPN -connection tap0.



      Then I would like to share OpenVPN -connection to ip-addresses greater than 192.168.1.19 and they are declined to use eth0 at any cost.



      I will manually add name servers on each client on the local LAN.



      --AFTER HOURS OF TRYING--



      Route table when route-nopull is used with OpenVPN:



      Kernel IP routing table
      Destination Gateway Genmask Flags Metric Ref Use Iface
      default 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
      88.115.14.0 * 255.255.224.0 U 0 0 0 eth0
      localnet * 255.255.255.0 U 0 0 0 eth1


      And this routing is used when OpenVPN add routes:



      Kernel IP routing table
      Destination Gateway Genmask Flags Metric Ref Use Iface
      0.0.0.0 46.246.18.101 128.0.0.0 UG 0 0 0 tap0
      0.0.0.0 88.115.14.1 0.0.0.0 UG 0 0 0 eth0
      46.246.18.100 0.0.0.0 255.255.255.128 U 0 0 0 tap0
      80.67.8.213 88.115.14.1 255.255.255.255 UGH 0 0 0 eth0
      88.115.14.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
      128.0.0.0 46.246.18.129 128.0.0.0 UG 0 0 0 tap0
      192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1


      This is what I used for sharing a public ip (WAN) to the local lan:



      iptables -A FORWARD -o eth0 -i eth1 -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.19 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.2-192.168.1.19 -o eth0 -j MASQUERADE


      This is for trying to share the OpenVPN for the local lan



      iptables -A FORWARD -o tap0 -i eth1 -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A FORWARD -m iprange --src-range 192.168.1.20-192.168.1.254 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.1.20-192.168.1.254 -o tap0 -j MASQUERADE


      Above iptables fiddling works for the eth0 sharing part when no-route is used for the OpenVPN but it does not work for the tap0. If I allow default routes for the OpenVPN then it works for the tap0 but not for the eth0.



      Now the question is how do I need to change my routing tables on Ubuntu server for this to work? Or do I need to change the routing tables for the clients?







      iptables openvpn internet-sharing






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 18 '13 at 12:44







      AnttiQ

















      asked Dec 16 '13 at 11:15









      AnttiQAnttiQ

      2826




      2826






















          1 Answer
          1






          active

          oldest

          votes


















          0














          Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.



          There are a few tricks:



          1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.



          2) most guides will tell you:




          you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN




          This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.



          Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.



          3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.



          4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.



          This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.



          Edit:



          on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:



           iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
          iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE





          share|improve this answer


























          • I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.

            – AnttiQ
            Dec 18 '13 at 11:24













          • @AnttiQ See my edit

            – MariusMatutiae
            Dec 18 '13 at 11:35











          • I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.

            – AnttiQ
            Dec 18 '13 at 11:39











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f689043%2fsharing-openvpn-to-specified-ip-range-on-the-local-lan%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.



          There are a few tricks:



          1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.



          2) most guides will tell you:




          you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN




          This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.



          Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.



          3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.



          4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.



          This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.



          Edit:



          on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:



           iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
          iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE





          share|improve this answer


























          • I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.

            – AnttiQ
            Dec 18 '13 at 11:24













          • @AnttiQ See my edit

            – MariusMatutiae
            Dec 18 '13 at 11:35











          • I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.

            – AnttiQ
            Dec 18 '13 at 11:39
















          0














          Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.



          There are a few tricks:



          1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.



          2) most guides will tell you:




          you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN




          This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.



          Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.



          3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.



          4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.



          This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.



          Edit:



          on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:



           iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
          iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE





          share|improve this answer


























          • I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.

            – AnttiQ
            Dec 18 '13 at 11:24













          • @AnttiQ See my edit

            – MariusMatutiae
            Dec 18 '13 at 11:35











          • I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.

            – AnttiQ
            Dec 18 '13 at 11:39














          0












          0








          0







          Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.



          There are a few tricks:



          1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.



          2) most guides will tell you:




          you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN




          This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.



          Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.



          3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.



          4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.



          This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.



          Edit:



          on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:



           iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
          iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE





          share|improve this answer















          Yes, it is not difficult, just some work. You will have to configure your Ubuntu pc as a router, there are a billion guides all over the Internet.



          There are a few tricks:



          1) do not install a DHCP/dnsmasq server, there is no need for it: you already have one on your network.



          2) most guides will tell you:




          you have two ethernet interfaces, eth0 connected to WAN, eth1 connected to LAN




          This is correct, but in order to route the other pcs through the VPN, you must substitute tap0/tun0 (depending on what you use) to eth0, the interface on the WAN.



          Notice: you can achieve the same functionality even with just one ethernet card (I said above that you need two interfaces, not two cards), but if you only have one card you will have to learn how to use and configure vifs = Virtual Interfaces. In this case, you will have pcs connecting to you through interface eth0:1, and your pc will forward this communication to the interface tap0. This works beautifully, not to worry, it just cuts your throughput in half at peak times.



          3) You will have to change the IP address of the default router on all pcs for which you wish this to work, one by one. If you do this through your router, the Ubuntu IP address will be passed also to the pcs for which you do not wish to run this service.



          4) you can easily bar some pcs by using iptables to refuse connections from certain IP addresses.



          This is some amount of work, and not easily scalable. A better solution is to obtain a router with DD-WRT/OpenWRT/Tomato software (you can buy a few models with DD-WRT pre-installed, or you can flash an existing one yourself), set up a VLAN, and provide the client OpenVPN service only for members of the VLAN1.



          Edit:



          on the basis of what you told me, you can share your VPN connection by changing two of your iptables rules (leave the other two as they are) as follows:



           iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o tap0 -m conntrack --ctstate NEW -j ACCEPT
          iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Dec 18 '13 at 11:34

























          answered Dec 16 '13 at 13:28









          MariusMatutiaeMariusMatutiae

          38.2k95196




          38.2k95196













          • I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.

            – AnttiQ
            Dec 18 '13 at 11:24













          • @AnttiQ See my edit

            – MariusMatutiae
            Dec 18 '13 at 11:35











          • I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.

            – AnttiQ
            Dec 18 '13 at 11:39



















          • I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.

            – AnttiQ
            Dec 18 '13 at 11:24













          • @AnttiQ See my edit

            – MariusMatutiae
            Dec 18 '13 at 11:35











          • I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.

            – AnttiQ
            Dec 18 '13 at 11:39

















          I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.

          – AnttiQ
          Dec 18 '13 at 11:24







          I've tried to use google as much as I can before posting a question here :) My ubuntu is already "a router" sharing eht0 connection to the local lan. I'm not using dhcp/dnsmasq and I do have eth0 for WAN and eth1 for LAN and tap0 for openvpn connection.

          – AnttiQ
          Dec 18 '13 at 11:24















          @AnttiQ See my edit

          – MariusMatutiae
          Dec 18 '13 at 11:35





          @AnttiQ See my edit

          – MariusMatutiae
          Dec 18 '13 at 11:35













          I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.

          – AnttiQ
          Dec 18 '13 at 11:39





          I've added some testing to my question. It doesn't work like you edited directly. It needs something else and I'm guessing it's the routing table.

          – AnttiQ
          Dec 18 '13 at 11:39


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f689043%2fsharing-openvpn-to-specified-ip-range-on-the-local-lan%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀