OPENVPN route specific subnet down separate tunnel.

AlyssaD Member

Ok! So I have a problem, and it shouldn't be a problem. However, it is....

I want to access this IP from my vpn server. (192.10.84.xx) <<-- this is an example ip.

The problem is the vpn server for some reason can't connect to 192.10.84.xx.

To resolve this I setup a gre tunnel and forwarded the traffic via ip route. So now the server can see 192.10.84.xx and works fine.

#!/bin/bash
# Bring up the GRE tunnel to the other host; 192.168.168.0/30 is the inner addressing
ip tunnel add gre1 mode gre local 10.254.0.22 remote 10.254.0.21 ttl 255
ip addr add 192.168.168.2/30 dev gre1
ip link set gre1 up

# Lower the MTU to leave room for the GRE encapsulation overhead
ifconfig gre1 mtu 1250

# Table BUYVM must already exist in /etc/iproute2/rt_tables (run once):
#echo '100 BUYVM' >> /etc/iproute2/rt_tables
# Policy rule: only packets sourced from the tunnel /30 itself consult table BUYVM
ip rule add from 192.168.168.0/30 table BUYVM
ip route add default via 192.168.168.1 table BUYVM

# Main table: send the otherwise unreachable subnet through the tunnel
ip route add 192.10.84.0/22 via 192.168.168.1 dev gre1

However, the openvpn client can't connect and see this. It still attempts to send it out via the main ip.

# Allow forwarding for VPN clients and for return traffic of existing connections
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
# SNAT every VPN client packet to the public address; no -o match, so this also
# rewrites packets that leave via gre1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 162.253.179.xxx

I figure this is because I am forcing the ip out of 162.253.179.xxx. Is there any way with iptables or some other that I might be able to route that 192.10.84.0 network over my gre tunnel?

Comments

  • AlyssaD Member

    I... guess I stumped everyone.

  • deadlyllama Member
    edited March 21

    Why such a complex setup? You shouldn't need an extra routing table. And plain IP-over-GRE links are point-to-point (so more like PPP than normal IP over ethernet), you don't need to allocate a subnet.

    I'd do something like this:

    ip tunnel add gre1 mode gre local 10.254.0.22 remote 10.254.0.21 ttl 255
    ip addr add 192.168.168.2 dev gre1 # no reason for a /30, we can be p2p
    ip route add 192.168.168.1 dev gre1 # so you can ping the other end
    ip link set gre1 up
    
    ifconfig gre1 mtu 1250
    
    ip route add 192.10.84.0/22 dev gre1
    
    iptables -t nat -I POSTROUTING -o gre1 -j MASQUERADE
    
  • AlyssaD Member

    @deadlyllama said: Why such a complex setup? You shouldn't need an extra routing table. And plain IP-over-GRE links are point-to-point (so more like PPP than normal IP over ethernet), you don't need to allocate a subnet.

    I'd do something like this:

    ip tunnel add gre1 mode gre local 10.254.0.22 remote 10.254.0.21 ttl 255
    ip addr add 192.168.168.2 dev gre1 # no reason for a /30, we can be p2p
    ip route add 192.168.168.1 dev gre1 # so you can ping the other end
    ip link set gre1 up
    
    ifconfig gre1 mtu 1250
    
    ip route add 192.10.84.0/22 dev gre1
    
    iptables -t nat -I POSTROUTING -o gre1 -j MASQUERADE
    

    Because my host, sadly, can't connect to a certain internet subnet. I have contacted both providers and both won't do anything.

  • By "such a complex setup" I meant the extra BUYVM routing table. My example just adds a route to the problematic subnet straight into the main routing table, which sounds closer to what you actually want. Have you tried doing it my way?

    Even if you just replace everything after your ifconfig line with

    ip route add 192.10.84.0/22 dev gre1
    iptables -t nat -I POSTROUTING -o gre1 -j MASQUERADE

    I'd expect that to work.

  • AlyssaD Member

    The GRE tunnel is just for the IP address space that isn't working over the normal server. Everything else I want to come out of the normal server's address space. IP route doesn't work.
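Added example, not code from the thread or from either poster: a small Python model of the route lookup and POSTROUTING decisions the two rule sets make for a packet from an OpenVPN client (10.8.0.5) to the GRE-only subnet. It shows that the extra `from 192.168.168.0/30` rule never selects client traffic, and that the SNAT rule without `-o` rewrites the source of packets leaving gre1 to the public address, which the MASQUERADE inserted ahead of it on gre1 corrects. The eth0 default route, 162.253.179.200 standing in for the masked xxx, the tun0 address and 8.8.8.8 as an outside destination are constructed.

```python
from ipaddress import ip_address, ip_network

# Routing tables as (destination prefix, egress device, next hop). Addresses are the
# thread's; the default route and the eth0 address 162.253.179.200 are constructed.
TABLES = {
    "main": [("0.0.0.0/0", "eth0", "162.253.179.1"),
             ("192.10.84.0/22", "gre1", "192.168.168.1"),
             ("192.168.168.0/30", "gre1", None),
             ("10.8.0.0/24", "tun0", None)],
    "BUYVM": [("0.0.0.0/0", "gre1", "192.168.168.1")],
}
# ip rules in priority order: (source selector, table). The OP's rule selects only
# packets sourced from the tunnel /30, so VPN clients (10.8.0.x) never use BUYVM.
OP_RULES = [("192.168.168.0/30", "BUYVM"), ("0.0.0.0/0", "main")]
FIXED_RULES = [("0.0.0.0/0", "main")]

# POSTROUTING in evaluation order: (source match, out-interface match or None, new
# source). "MASQUERADE" means the address configured on the egress interface.
IF_ADDR = {"eth0": "162.253.179.200", "gre1": "192.168.168.2", "tun0": "10.8.0.1"}
OP_NAT = [("10.8.0.0/24", None, "162.253.179.200")]      # SNAT with no -o: any egress
FIXED_NAT = [("0.0.0.0/0", "gre1", "MASQUERADE"),        # -I POSTROUTING -o gre1
             ("10.8.0.0/24", None, "162.253.179.200")]   # the OP's SNAT, now second

def route_lookup(src, dst, rules):
    """Linux-style lookup: first rule matching src whose table has a route wins,
    longest prefix within that table; falls through to the next rule otherwise."""
    for selector, table in rules:
        if ip_address(src) not in ip_network(selector):
            continue
        hits = [(ip_network(pfx), dev) for pfx, dev, _ in TABLES[table]
                if ip_address(dst) in ip_network(pfx)]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
    return None

def egress(src, dst, rules, nat):
    """Return (egress device, source address the next hop sees); first NAT rule wins."""
    dev = route_lookup(src, dst, rules)
    for src_net, out_if, new_src in nat:
        if ip_address(src) in ip_network(src_net) and out_if in (None, dev):
            return dev, IF_ADDR[dev] if new_src == "MASQUERADE" else new_src
    return dev, src

if __name__ == "__main__":
    for label, rules, nat in (("original", OP_RULES, OP_NAT), ("fixed", FIXED_RULES, FIXED_NAT)):
        for dst in ("192.10.84.10", "8.8.8.8"):  # inside the GRE-only subnet, and outside it
            print(f"{label:8} client 10.8.0.5 -> {dst}: {egress('10.8.0.5', dst, rules, nat)}")
```

With the original rules the packet does leave via gre1, but carrying 162.253.179.200 as its source, so the far end of the tunnel answers toward the public address instead of back through the GRE link.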
