Aha. I think I see why. Silly me. IPv6 has a route out my local network, but doesn't (and anyway, I'm not redirecting) out my VPN tunnel. I think I need to turn off ipv6 on the server.
On Fri, Jan 12, 2018 at 11:57 AM, Russell Senior <[email protected]> wrote:
> In the aftermath of the SpiritOne/Aracnet meltdown, my DSL connection
> finally went tits up last week, which frankly lasted longer than I had
> any right to expect. With the DSL connection death, my several static
> IPs went with it, which were providing several self-hosted services.
>
> The replacement public facing bit is a cloud based relay. I currently
> have an AWS t2.micro instance that forwards packets to an OpenVPN
> tunnel. The AWS instance is working fine and is relaying traffic as
> expected. The OpenVPN client is a server at my house.
>
> The server has two interfaces, its normal ethernet interface and the
> OpenVPN tap interface. So, effectively it is dual-homed.
>
> I am using the solution I have in other similar instances, namely:
>
> VPN_GATEWAY=10.x.y.1
> VPN_IPADDR=10.x.y.10
> VPN_IFACE=tap0
> VPN_TABLE=vpn # mapping to an integer in /etc/iproute2/rt_tables
> VPN_FWMARK=2
> LOCALNET=192.168.x.0/24
>
> ip route add default via $VPN_GATEWAY dev $VPN_IFACE table $VPN_TABLE
> ip rule add fwmark $VPN_FWMARK table $VPN_TABLE
> iptables -t nat -I POSTROUTING -o $VPN_IFACE -j SNAT --to-source $VPN_IPADDR
> iptables -t mangle -N NotLocal
> iptables -t mangle -A OUTPUT -d $LOCALNET -j ACCEPT
> iptables -t mangle -A OUTPUT -j NotLocal
> iptables -t mangle -A NotLocal -p tcp --dport 25 -j MARK --set-mark $VPN_FWMARK
> iptables -t mangle -A NotLocal -p tcp --dport 80 -j MARK --set-mark $VPN_FWMARK
> iptables -t mangle -A NotLocal -p tcp --dport 443 -j MARK --set-mark $VPN_FWMARK
>
> #etc
>
> So, the idea here is that on egress from my server, connections with
> non-local destinations get directed to the NotLocal chain of the
> mangle table, where connections with TCP destination ports that match
> 25, 80, 443 are given a fwmark. The ip rule matches that fwmark to a
> routing table that sends it to the VPN gateway (and if necessary,
> SNAT's the source address to the address of the tap0 interface).
>
> Inbound connections work fine, because their TCP connections are
> opened on the VPN interface, their replies are predisposed to have the
> $VPN_IPADDR as their source address. However, if I make an outbound
> connection with a non-localnet destination, the source address gets
> the ethernet's ip addr as the source address and are not getting
> fwmark'd, and I haven't figured out why yet.
>
> Anybody with policy routing experience see why?
>
>
> --
> Russell Senior
> [email protected]

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
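The diagnosis in the reply (connections leaving over IPv6 bypass the IPv4-only mangle rules), as an added Python model that is not code from the thread: it mirrors the posted OUTPUT chain, NotLocal chain and fwmark ip rule, and shows that a destination reached via its AAAA record never gets the mark and so falls through to the main table's default route. The subnets and addresses are constructed placeholders, and family 6 in `families` stands for an assumed mirror of the rules installed with ip6tables plus `ip -6 rule`/`ip -6 route`, which the thread does not include.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the posted setup.
LOCALNETS = {4: ipaddress.ip_network("192.168.1.0/24"),   # LOCALNET=192.168.x.0/24
             6: ipaddress.ip_network("fd00:1::/64")}      # assumed ULA for a v6 mirror
VPN_FWMARK = 2
VPN_PORTS = {25, 80, 443}   # the --dport rules in chain NotLocal

def fwmark_for(dst, dport, families=(4,)):
    """Model of the mangle OUTPUT chain for a locally generated TCP packet.
    'families' lists the IP versions that actually have MARK rules installed;
    the posted setup uses iptables only, so the default is IPv4 alone."""
    addr = ipaddress.ip_address(dst)
    if addr.version not in families:
        return 0   # no rules for this family: the packet never reaches NotLocal
    if addr in LOCALNETS[addr.version]:
        return 0   # -d $LOCALNET -j ACCEPT: leaves the chain unmarked
    return VPN_FWMARK if dport in VPN_PORTS else 0

def egress_table(dst, dport, families=(4,)):
    """Model of 'ip rule add fwmark $VPN_FWMARK table $VPN_TABLE':
    marked packets consult the vpn table, everything else uses main."""
    return "vpn" if fwmark_for(dst, dport, families) == VPN_FWMARK else "main"

def audit(flows, families=(4,)):
    """Return the non-local flows on a VPN port that did NOT get routed via the tunnel."""
    leaks = []
    for dst, port in flows:
        addr = ipaddress.ip_address(dst)
        if port in VPN_PORTS and addr not in LOCALNETS[addr.version] \
                and egress_table(dst, port, families) != "vpn":
            leaks.append((dst, port))
    return leaks

# Constructed sample flows: a LAN host, a public v4 host on two ports,
# and the same public service reached via its AAAA record.
SAMPLE_FLOWS = [("192.168.1.20", 443), ("203.0.113.10", 443),
                ("203.0.113.10", 22), ("2001:db8::10", 443)]

if __name__ == "__main__":
    for fam in ((4,), (4, 6)):
        print(f"MARK rules for IPv{fam}: flows leaking past the tunnel -> {audit(SAMPLE_FLOWS, fam)}")
```

With only the IPv4 rules the audit reports the IPv6 flow as leaking; either disabling IPv6 on the server (the reply's fix) or installing a matching ip6tables/ip -6 rule set makes the leak list empty.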
