On 9/20/20 12:50 PM, Shorewall wrote:
>>>>
>>>> Sounds like you want to use Shorewall's multi-ISP facility (https://shorewall.org/MultiISP.html). Make tun0 the 'primary' provider and eth0 the 'fallback' provider.
>>>>
>>>> -Tom
>>>
>>> I think I was looking at that document earlier. I am not currently running shorewall on the RPi. I will go back over the documentation and see if I can apply it to my situation.
>>>
>>> I may have to post a picture somewhere, to make the infrastructure clearer.
>>>
>>
>> Is the VPN endpoint on the RPi? I understood it to be on the Shorewall Box.
>>
>> -Tom
>
> Yes. The RPi is providing a wireless access point whose internet connection is through VPN, hence providing VPN access to wifi devices (so the RPi has a wifi interface and an eth0 interface -- physically, and a tun0 interface through OpenVPN which ultimately goes through the eth0 interface which is connected to shorewall box via LAN network). So no VPN on the shorewall server.
>
> I wanted to provide wireless devices the capability of having VPN access if the device does not natively support it (think IoT devices). Which all works fine. With the problem being inbound internet from shorewall box being forwarded to RPi on LAN (RPi eth0; tcpdump showing that working); but then return traffic, instead of going through eth0 back to shorewall box, out to internet, the return traffic goes out tun0 interface on the RPi, which is not correct path for that particular traffic. Besides being the wifi access point, I want the RPi to also act as a web server accessible via the outside internet.
>
> I want all traffic that originates on RPi wifi to go out tun0 (which it does today), but Internet traffic coming from shorewall box and entering RPi eth0 to go back that same path (like it does if I do not have a rule on the RPi server to send traffic through VPN tun0).
>
> I know how to get the RPi to act as web server to the internet, or how to have the RPi be a wireless access point who creates VPN tunnel for connected wifi devices, but I have not figured out how to have the RPi do both things at the same time.
>
> Sorry for being so confusing, and this certainly not being a critical issue. I found one article on the interwebs of someone trying to do the exact same thing, but it was a thread that did not have a solved conclusion.
>
> Thank You.
Okay -- you can then install Shorewall (or Shorewall-lite) on the RPi and use Multi-ISP there, or you can roll your own using iptables and ip. The way that Shorewall would handle this, roughly:

1. Add a routing rule at priority 1000 that sends all traffic to the main table.
2. Delete the rule at priority 32766 that sends all traffic to the main table.
3. Add a route in table 1 that reflects the default route through tun0 (e.g., ip route add default [ via <gateway> ] dev tun0 table 1).
4. Add a route in table 2 that reflects the default route through eth0.
5. Add a rule at priority 2000 that sends packets with mark one to table 1.
6. Add a rule at priority 2001 that sends packets with mark two to table 2.
7. In mangle PREROUTING:
   a. If the connection mark is non-zero, set the packet mark to the connection mark.
   b. If the packet mark is non-zero, ACCEPT.
   c. If the in interface is tun0, set the packet mark to 1.
   d. If the in interface is eth0, set the packet mark to 2.
   e. If the packet mark is non-zero, set the connection mark to the packet mark.
8. In the default table (253), add a route that reflects the default route through tun0.
9. Delete any default routes from the main table.

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster
Shoreline,             \     with an international standard?
Washington, USA         \  A: Someone who makes you an offer you
http://shorewall.org     \   can't understand
                          \________________________________________
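The nine steps above written out as ip/iptables commands, as an added bash script that is not code from this thread or from Shorewall. It assumes tun0 and eth0 as in the thread and a placeholder LAN_GW for the Shorewall box's LAN address, and it goes one step beyond the list: it also restores the connection mark in mangle OUTPUT, because replies sent by the RPi's own web server are locally generated and never traverse PREROUTING.

```bash
#!/bin/bash
# Added example: Tom's nine steps as ip/iptables commands (not Shorewall code).
# Assumptions: the VPN is tun0, the LAN side is eth0, and LAN_GW is the
# Shorewall box's LAN address (placeholder). DRY_RUN=1 prints instead of running.
VPN_IF=${VPN_IF:-tun0}
LAN_IF=${LAN_IF:-eth0}
LAN_GW=${LAN_GW:-192.168.1.1}   # assumed placeholder gateway, change to yours

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_policy_routing() {
    local ipt="iptables -t mangle"
    # Steps 1-2: consult the main table early (pref 1000), not last (32766)
    run ip rule add pref 1000 lookup main
    run ip rule del pref 32766 lookup main
    # Steps 3-4: one table per provider, each with its own default route
    run ip route replace default dev "$VPN_IF" table 1
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table 2
    # Steps 5-6: packet mark 1 -> table 1 (VPN), mark 2 -> table 2 (LAN)
    run ip rule add pref 2000 fwmark 1 lookup 1
    run ip rule add pref 2001 fwmark 2 lookup 2
    # Step 7: mark new connections by ingress interface and remember the
    # mark in conntrack so every later packet of the flow takes the same path
    run $ipt -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark
    run $ipt -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run $ipt -A PREROUTING -i "$VPN_IF" -j MARK --set-mark 1
    run $ipt -A PREROUTING -i "$LAN_IF" -j MARK --set-mark 2
    run $ipt -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
    # Beyond step 7: replies from the RPi's own web server are locally
    # generated and pass through OUTPUT, not PREROUTING, so restore there too
    run $ipt -A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
    # Steps 8-9: unmarked traffic (e.g. from the wifi clients) finds no default
    # in main and falls through to table "default" (253), i.e. out via tun0
    run ip route replace default dev "$VPN_IF" table default
    run ip route del default table main   # repeat if main holds several defaults
}

# Run for real only when explicitly asked: sudo ./policy-routing.sh apply
if [ "${1:-}" = apply ]; then apply_policy_routing; fi
```

Check the result with `ip rule show` and `ip route show table 1`, `table 2` and `table default`; with DRY_RUN=1 the script only prints the commands it would run.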
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users