# [SOLVED] Routing does not work (SNAT)

## skibbi

Hi,

I have a virtual server at a public hoster and I establish a VPN to this server. Then I want all my client traffic to be routed via the VPN server to the public internet. (I want to do this because my local network is really insecure.)

I managed to establish the VPN. My VPN server has the VPN IP 10.1.1.1 (all IPs changed in this post) and my local client has the VPN IP 10.1.1.6. I added the rule "redirect-gateway" to the OpenVPN client config to change my default gateway to the OpenVPN server's IP address.

Now I want to route the packets via my server to the internet, but this does not work.

These are the interfaces of the server:

```
tun0 IP address: 10.1.1.1
venet0 IP address: 127.0.0.1
venet0:0 IP address: 77.88.99.10 (the public IP of my server)
```

Then I adapted the Gentoo Home Router Guide Script (Listing 5.2) to fit my needs:

```
# Flush existing rules and set the default policies
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# tun0 is the "LAN" side (VPN clients), venet0 the "WAN" side (hoster)
export LAN=tun0
export WAN=venet0

# Accept everything arriving on any interface
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 1 -i ${WAN} -j ACCEPT

# No forwarding between VPN clients; forward clients out and traffic for them back in
iptables -I FORWARD -i ${LAN} -d 10.1.1.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 10.1.1.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.1.1.0/255.255.255.0 -j ACCEPT

# 5.6.7.8 is the default gateway of my virtual server at the hoster
iptables -t nat -A POSTROUTING -o ${WAN} -j SNAT --to-source 5.6.7.8

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
```

But now it is still not possible to ping an IP from my local VPN client. Pinging an IP from the server works. So something is wrong with packet forwarding.

Can anyone help me?

*Last edited by skibbi on Mon Sep 14, 2009 3:32 pm; edited 1 time in total*

----------

## dylix

I might be wrong, but shouldn't `export WAN=venet0` be `export WAN=venet0:0`?

----------

## skibbi

 *dylix wrote:*   

> I might be wrong, but shouldn't `export WAN=venet0` be `export WAN=venet0:0`?

At first I tried this one, yes. But iptables does not accept interface aliases.

----------

## skibbi

Is there no iptables expert out there who can help me?

----------

## Hu

Have a little patience.  You waited barely three hours.  Some of us only read the boards once a day.

Why are you masquerading traffic that leaves your server as being from the gateway that the server uses?  That makes no sense, and is almost certainly causing problems.  Please post the output of `ip route list ; ip addr list ; iptables-save -c`, as run from the VPN server at the public hosting facility.  I assume you have the client set up so the VPN is your default route?  If you are unsure, please run the same command sequence on the client, and post it as well.  You are welcome to remap public IP addresses, as long as you remap them consistently.

----------

## skibbi

 *Hu wrote:*   

> Have a little patience.  You waited barely three hours.  Some of us only read the boards once a day.

Sorry. You are right. I should be more patient. :/

 *Hu wrote:*   

> Why are you masquerading traffic that leaves your server as being from the gateway that the server uses?  That makes no sense, and is almost certainly causing problems.

This was an error. The correct line should be:

```
iptables -t nat -A POSTROUTING -o ${WAN} -j SNAT --to 5.6.7.8
```

I read that this is the right way to do SNAT. I used this guide (scroll down to the second big headline). But it also does not work. If I do it that way, then the internet is no longer accessible from the server (pings from the server to other servers on the internet don't work).

 *Hu wrote:*   

> Please post the output of `ip route list ; ip addr list ; iptables-save -c`, as run from the VPN server at the public hosting facility.  I assume you have the client set up so the VPN is your default route?  If you are unsure, please run the same command sequence on the client, and post it as well.  You are welcome to remap public IP addresses, as long as you remap them consistently.

Server output of the mentioned commands (public IPs changed):

```
# ip route list 
10.8.142.2 dev tun0  proto kernel  scope link  src 10.8.142.1
5.6.7.8 dev venet0  scope link
10.8.142.0/24 via 10.8.142.2 dev tun0
127.0.0.0/8 dev lo  scope link
default via 5.6.7.8 dev venet0

# ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP> mtu 1500 qdisc noqueue
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet 77.88.99.10/32 scope global venet0:0
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 500
    link/[65534]
    inet 10.8.142.1 peer 10.8.142.2/32 scope global tun0

# iptables-save -c
# Generated by iptables-save v1.3.6 on Sun Sep 13 21:50:04 2009
*mangle
:PREROUTING ACCEPT [600038:71945185]
:INPUT ACCEPT [599601:71914243]
:FORWARD ACCEPT [437:30942]
:OUTPUT ACCEPT [570989:208751949]
:POSTROUTING ACCEPT [571360:208777401]
COMMIT
# Completed on Sun Sep 13 21:50:04 2009
# Generated by iptables-save v1.3.6 on Sun Sep 13 21:50:04 2009
*filter
:INPUT ACCEPT [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7:876]
[0:0] -A INPUT -i lo -j ACCEPT
[10:760] -A INPUT -i venet0 -j ACCEPT
[0:0] -A INPUT -i tun0 -j ACCEPT
[0:0] -A FORWARD -d 10.8.142.0/255.255.255.0 -i tun0 -j DROP
[0:0] -A FORWARD -s 10.8.142.0/255.255.255.0 -i tun0 -j ACCEPT
[0:0] -A FORWARD -d 10.8.142.0/255.255.255.0 -i venet0 -j ACCEPT
COMMIT
# Completed on Sun Sep 13 21:50:04 2009
# Generated by iptables-save v1.3.6 on Sun Sep 13 21:50:04 2009
*nat
:PREROUTING ACCEPT [366754:16829014]
:POSTROUTING ACCEPT [263:18443]
:OUTPUT ACCEPT [248:17606]
[0:0] -A POSTROUTING -o venet0 -j SNAT --to-source 5.6.7.8
COMMIT
# Completed on Sun Sep 13 21:50:04 2009
```

And yes, I changed the default gateway to the VPN server address by using the "redirect-gateway" directive in the OpenVPN client config. (BTW, which package does the `ip` command belong to?)

----------

## Hu

Change your SNAT to set a source address that the gateway will actually return to you.  This should be the same IP address as the one on venet0.
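Hu's fix, written out as an added example (this is not skibbi's script and not part of the thread): the SNAT source is taken from the global-scope address on venet0 instead of being hard-coded to the hoster's gateway. Interface names, the 10.8.142.0/24 subnet and the sample `ip addr list` text are copied from the output posted above; the sample is embedded so the functions run offline. Two things go beyond what the thread states and are my own choices: return traffic from venet0 to tun0 is accepted only for ESTABLISHED/RELATED connections, and the SNAT rule is limited to the VPN subnet so the server's own traffic is never rewritten.

```sh
#!/bin/sh
# Added example, not from the thread. Builds the VPN gateway rules with the
# SNAT source set to the server's own routable address on venet0.
# Assumed layout (from the posted output): tun0 = VPN side, venet0 = hoster side.

LAN=tun0
WAN=venet0
VPN_NET=10.8.142.0/24

# Constructed sample of `ip addr list`, copied from the thread's output.
SAMPLE_IP_ADDR='3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP> mtu 1500 qdisc noqueue
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet 77.88.99.10/32 scope global venet0:0
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 500
    link/[65534]
    inet 10.8.142.1 peer 10.8.142.2/32 scope global tun0'

# wan_public_ip IFACE: read `ip addr list` on stdin and print the first IPv4
# address with "scope global" on IFACE. The 127.0.0.1/32 entry on venet0 has
# scope host and is skipped. The "venet0:0" alias label is only a label on the
# inet line; iptables matches on the real device, which is why -o venet0 works.
wan_public_ip() {
    awk -v ifc="$1" '
        /^[0-9]+: / { in_if = ($2 == (ifc ":")) }
        in_if && $1 == "inet" && /scope global/ { sub(/\/.*/, "", $2); print $2; exit }
    '
}

# gateway_rules SRC_IP: print the commands, one per line. SRC_IP must be an
# address the hoster routes to this server, so replies come back here rather
# than ending at the gateway (which is what happened with 5.6.7.8).
gateway_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $WAN -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -d $VPN_NET -j DROP
iptables -A FORWARD -i $LAN -s $VPN_NET -o $WAN -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN -j SNAT --to-source $1
sysctl -w net.ipv4.ip_forward=1
EOF
}

# apply_gateway: resolve the public address from the live system and run the
# commands (needs root). With DRY_RUN=1 the commands are only printed.
apply_gateway() {
    src=$(ip addr list | wan_public_ip "$WAN")
    if [ -z "$src" ]; then
        echo "no global-scope address on $WAN" >&2
        return 1
    fi
    gateway_rules "$src" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Only touch the system when explicitly asked: `sh gateway.sh apply`
if [ "${1-}" = apply ]; then
    apply_gateway
fi
```

Run it as `DRY_RUN=1 sh gateway.sh apply` (hypothetical file name) first to see the commands it would execute, then without DRY_RUN as root. To confirm the return path, run `tcpdump -ni venet0 icmp` on the server while the client pings a public address: the outgoing echo requests should carry 77.88.99.10 as source and the echo replies should arrive on venet0; `iptables -t nat -L POSTROUTING -v -n` shows the SNAT counter climbing. The reason the original rule also broke the server's own connectivity is that `-o venet0` without `-s` matches locally generated traffic too, so the server's own pings were rewritten to 5.6.7.8 and their replies were delivered to the gateway instead of the server.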

----------

## skibbi

 *Hu wrote:*   

> Change your SNAT to set a source address that the gateway will actually return to you.  This should be the same IP address as the one on venet0.

Big thanks to you! It works now. I have to write a script to change the nameserver entry before OpenVPN starts on the client, but now it works perfectly.

----------

