Hmm, maybe not the problem.
On Fri, Jan 12, 2018 at 12:16 PM, Russell Senior <[email protected]> wrote:
> Aha. I think I see why. Silly me. IPv6 has a route out my local
> network, but doesn't (and anyway, I'm not redirecting) out my VPN
> tunnel. I think I need to turn off ipv6 on the server.
>
> On Fri, Jan 12, 2018 at 11:57 AM, Russell Senior
> <[email protected]> wrote:
>> In the aftermath of the SpiritOne/Aracnet meltdown, my DSL connection
>> finally went tits up last week, which frankly lasted longer than I had
>> any right to expect. With the DSL connection death, my several static
>> IPs went with it, which were providing several self-hosted services.
>>
>> The replacement public facing bit is a cloud based relay. I currently
>> have an AWS t2.micro instance that forwards packets to an OpenVPN
>> tunnel. The AWS instance is working fine and is relaying traffic as
>> expected. The OpenVPN client is a server at my house.
>>
>> The server has two interfaces, its normal ethernet interface and the
>> OpenVPN tap interface. So, effectively it is dual-homed.
>>
>> I am using the solution I have in other similar instances, namely:
>>
>> VPN_GATEWAY=10.x.y.1
>> VPN_IPADDR=10.x.y.10
>> VPN_IFACE=tap0
>> VPN_TABLE=vpn # mapping to an integer in /etc/iproute2/rt_tables
>> VPN_FWMARK=2
>> LOCALNET=192.168.x.0/24
>>
>> ip route add default via $VPN_GATEWAY dev $VPN_IFACE table $VPN_TABLE
>> ip rule add fwmark $VPN_FWMARK table $VPN_TABLE
>> iptables -t nat -I POSTROUTING -o $VPN_IFACE -j SNAT --to-source $VPN_IPADDR
>> iptables -t mangle -N NotLocal
>> iptables -t mangle -A OUTPUT -d $LOCALNET -j ACCEPT
>> iptables -t mangle -A OUTPUT -j NotLocal
>> iptables -t mangle -A NotLocal -p tcp --dport 25 -j MARK --set-mark $VPN_FWMARK
>> iptables -t mangle -A NotLocal -p tcp --dport 80 -j MARK --set-mark $VPN_FWMARK
>> iptables -t mangle -A NotLocal -p tcp --dport 443 -j MARK --set-mark $VPN_FWMARK
>>
>> #etc
>>
>> So, the idea here is that on egress from my server, connections with
>> non-local destinations get directed to the NotLocal chain of the
>> mangle table, where connections with TCP destination ports that match
>> 25, 80, 443 are given a fwmark. The ip rule matches that fwmark to a
>> routing table that sends it to the VPN gateway (and if necessary,
>> SNATs the source address to the address of the tap0 interface).
>>
>> Inbound connections work fine, because their TCP connections are
>> opened on the VPN interface, their replies are predisposed to have the
>> $VPN_IPADDR as their source address. However, if I make an outbound
>> connection with a non-localnet destination, the source address gets
>> the ethernet's ip addr as the source address and are not getting
>> fwmark'd, and I haven't figured out why yet.
>>
>> Anybody with policy routing experience see why?
>>
>>
>> --
>> Russell Senior
>> [email protected]

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
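The rule set quoted above, written out as an added example (this is not Russell's script and not anything from the PLUG archive): it builds the same fwmark / policy-table / SNAT setup for a list of TCP ports, can be run with DRY_RUN=1 to print every command without touching the host, and ends with the checks a reader would run to see which route and source address a marked versus unmarked connection gets, plus the IPv6 default route the thread wonders about. The addresses, the numeric table id, the port list and the LAN prefix are placeholder assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example, not the original poster's script. Policy-route selected TCP
# ports out an OpenVPN tap interface using fwmark + a dedicated routing table,
# with SNAT to the tunnel address. All addresses and ids below are assumptions.
set -eu

VPN_GATEWAY=${VPN_GATEWAY:-10.8.0.1}     # assumed: server-side tap address
VPN_IPADDR=${VPN_IPADDR:-10.8.0.10}      # assumed: this host's address on tap0
VPN_IFACE=${VPN_IFACE:-tap0}
VPN_TABLE=${VPN_TABLE:-vpn}              # table name used by 'ip rule ... table'
VPN_TABLE_ID=${VPN_TABLE_ID:-200}        # assumed numeric id for rt_tables
VPN_FWMARK=${VPN_FWMARK:-2}
LOCALNET=${LOCALNET:-192.168.1.0/24}     # assumed: LAN that must stay direct
VPN_PORTS=${VPN_PORTS:-"25 80 443"}      # TCP destination ports sent via the VPN

# run CMD...: execute CMD, or with DRY_RUN set, print it instead of running it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make sure the table name maps to an integer; iproute2 reads this file.
ensure_rt_table() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ensure "%s %s" in /etc/iproute2/rt_tables\n' "$VPN_TABLE_ID" "$VPN_TABLE"
    elif ! grep -qE "^[0-9]+[[:space:]]+${VPN_TABLE}\$" /etc/iproute2/rt_tables; then
        echo "$VPN_TABLE_ID $VPN_TABLE" >> /etc/iproute2/rt_tables
    fi
}

# Idempotent setup: every rule is deleted (ignoring "does not exist") before it
# is re-added, so running the script twice does not stack duplicate rules.
setup_vpn_egress() {
    ensure_rt_table
    # The vpn table holds one default route out the tunnel; 'src' pins the
    # preferred source address for lookups that land in this table.
    run ip route replace default via "$VPN_GATEWAY" dev "$VPN_IFACE" src "$VPN_IPADDR" table "$VPN_TABLE"
    run ip rule del fwmark "$VPN_FWMARK" table "$VPN_TABLE" 2>/dev/null || true
    run ip rule add fwmark "$VPN_FWMARK" table "$VPN_TABLE"
    # Anything leaving via the tap carries the tunnel address.
    run iptables -w -t nat -D POSTROUTING -o "$VPN_IFACE" -j SNAT --to-source "$VPN_IPADDR" 2>/dev/null || true
    run iptables -w -t nat -I POSTROUTING -o "$VPN_IFACE" -j SNAT --to-source "$VPN_IPADDR"
    # Mark locally generated traffic for the chosen ports, LAN destinations excepted.
    run iptables -w -t mangle -N NotLocal 2>/dev/null || true
    run iptables -w -t mangle -F NotLocal
    run iptables -w -t mangle -D OUTPUT -d "$LOCALNET" -j ACCEPT 2>/dev/null || true
    run iptables -w -t mangle -D OUTPUT -j NotLocal 2>/dev/null || true
    # Order matters: the LAN ACCEPT must sit before the jump into NotLocal.
    run iptables -w -t mangle -A OUTPUT -d "$LOCALNET" -j ACCEPT
    run iptables -w -t mangle -A OUTPUT -j NotLocal
    for port in $VPN_PORTS; do
        run iptables -w -t mangle -A NotLocal -p tcp --dport "$port" -j MARK --set-mark "$VPN_FWMARK"
    done
}

# show_egress_path DEST: route, interface and source the kernel picks for DEST
# without and with the fwmark, the NotLocal hit counters, and the IPv6 default
# route (an IPv6 path that bypasses the v4-only rules is what the thread suspects).
show_egress_path() {
    dest=$1
    run ip route get "$dest"
    run ip route get "$dest" mark "$VPN_FWMARK"
    run iptables -w -t mangle -L NotLocal -v -n
    run ip -6 route show default
}

case "${1:-}" in
    plan)  DRY_RUN=1 setup_vpn_egress ;;
    apply) setup_vpn_egress ;;
    check) show_egress_path "${2:-8.8.8.8}" ;;
esac
```

Usage: `sh vpn-egress.sh plan` prints the commands, `sudo sh vpn-egress.sh apply` installs them, `sudo sh vpn-egress.sh check 8.8.8.8` shows the resulting routing decisions. Note that `ip route get ... mark N` only exercises the routing tables for a packet that is already marked; whether the OUTPUT chain actually marked anything is what the `-v` packet counters on NotLocal tell you, so a zero counter next to a correct `ip route get` answer points at the mangle rules (or at traffic not being IPv4 at all) rather than at the ip rule.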
