iptables rules for router

I'm running Arch Linux on a Raspberry Pi to build a customized router. The setup:

- eth0: WAN/Internet option 1 via DHCP
- wlan0: LAN via WPA2/CCMP (hostapd) offering DHCP (dnsmasq, 192.168.0.0/24)
- wlan1: WAN/Internet option 2 via DHCP (not considered yet)
Note: dnsmasq queries public DNS servers (e.g. Google, 8.8.8.8) configured in the server parameter and is also configured as an adblocker (addn-hosts parameter, ad FQDNs pointing to 0.0.0.0).
This is my basic setup for IPv4 (as shown hereinafter) and IPv6:

    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 4444 -m state --state NEW -j DROP
Note: 4444 is the default meterpreter port, thus new outgoing connections on this port are not allowed.
To NAT WAN and LAN I've added the following iptables rules (from here IPv4 only):

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --dports 22,53 -i wlan0 -j ACCEPT
    iptables -A INPUT -p udp -m multiport --dports 53,67 -i wlan0 -j ACCEPT

Note: Incoming connections for SSH (administration purposes) and DNS are allowed within the LAN.
As an additional layer of protection and privacy the Pi establishes an OpenVPN tunnel through tun0 (DHCP, 10.10.0.0/24):

    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
As long as the OpenVPN tunnel is present, everything works fine. But I'm still not happy with the setup:
- How can I configure the Pi to forward the traffic through eth0 in case tun0 is not present, without re-touching the iptables rules?
- How can I configure dnsmasq to use the DNS server offered in the DHCP setup of the OpenVPN server, and in case the particular VPN provider does not offer a DNS server entry, a public DNS server like Google is only the failover option?
I would also like to have a second OpenVPN connection to our corporate network (tun1, DHCP, 10.10.1.0/24, *.mycorp.intern), using a PREROUTING rule like:

    iptables -t nat -A PREROUTING -i wlan0 --destination 10.10.1.0/24 -j DNAT --to-destination 10.10.1.1

But my approach will not work out, because on tun1 the Pi will get an IP (e.g. 10.10.1.100) out of 10.10.1.0/24 with 10.10.1.1 as gateway and 10.10.1.2 as DNS for *.mycorp.intern. On the other hand tun0 will get an IP (e.g. 10.10.0.50) out of 10.10.0.0/24 with 10.10.0.1 as gateway and maybe a DNS server. As long as the IP address ranges are static I can configure everything somehow with iptables, but OpenVPN pushes the routes, gateways etc. not to my iptables setup.
- So my question is: how do I have to change my configuration so that the packets honor the local routes and DNS configuration?

Looking forward to your support.
Kind regards.
iptables routing openvpn router nat
asked Apr 19 at 9:17
user286913
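As an added example (not code from the question or from any answer to it): the rule set from the question, rewritten as a POSIX shell function that emits iptables-restore(8) text for every uplink at once. Because MASQUERADE and FORWARD rules are present for both eth0 and tun0, the decision which uplink carries LAN traffic is made by the kernel routing table alone (OpenVPN's redirect-gateway route disappears with tun0, and the eth0 default route takes over), so tun0 going away needs no iptables change; iptables also accepts rules naming an interface that does not currently exist. Interface names, ports and the LAN subnet are taken from the question; the UPLINKS variable and the `apply` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the question: generate the router's IPv4 rule set
# for all uplinks in one place and load it atomically with iptables-restore.
# LAN_IF/LAN_NET follow the question; UPLINKS and the "apply" argument are
# conventions of this example only.

LAN_IF="${LAN_IF:-wlan0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
# Every interface that may carry the default route. Set UPLINKS=tun0 instead
# to turn the VPN into a hard requirement (no fallback to eth0 at all).
UPLINKS="${UPLINKS:-eth0 tun0}"

# Print the complete ruleset in iptables-restore format. Output only; this
# function never touches the live firewall.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -p tcp -m multiport --dports 22,53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp -m multiport --dports 53,67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4444 -m conntrack --ctstate NEW -j DROP
EOF
    # LAN -> uplink is allowed for every uplink; replies are matched by conntrack.
    for up in $UPLINKS; do
        cat <<EOF
-A FORWARD -i $LAN_IF -o $up -j ACCEPT
-A FORWARD -i $up -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
    done
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    # One MASQUERADE rule per uplink; the routing table decides which one fires.
    for up in $UPLINKS; do
        echo "-A POSTROUTING -o $up -j MASQUERADE"
    done
    echo COMMIT
}

# iptables-restore replaces each listed table as a whole, so the separate
# "iptables -F" from the question is not needed and there is no window with
# half-loaded rules.
apply_rules() {
    gen_rules | iptables-restore
}

# Only modify the live firewall when explicitly asked: sh firewall.sh apply
if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules
fi
```

Run it without arguments to review the generated rules, then with `apply` (as root) to load them. The LAN subnet variable is declared for completeness; the rules mirror the question and do not restrict INPUT by source address, since DHCP discovery arrives from 0.0.0.0.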
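For the dnsmasq part of the question, an added example that is not part of the question: an OpenVPN `--up`/`--down` hook (OpenVPN runs it only with `script-security 2`) that takes the DNS servers the VPN server pushed and hands them to dnsmasq through a resolv-file, falling back to the public server when nothing was pushed. OpenVPN exposes each pushed `dhcp-option` to the hook as an environment variable `foreign_option_N` and the hook's role as `script_type`; dnsmasq re-reads a `resolv-file` whenever it changes, so no restart is needed. Assumptions of this example: dnsmasq.conf carries `resolv-file=/run/dnsmasq/resolv.conf` instead of a fixed `server=` line, and that file path.

```shell
#!/bin/sh
# Added example, not from the question: OpenVPN up/down hook feeding pushed
# DNS servers to dnsmasq. Assumes dnsmasq.conf has
#   resolv-file=/run/dnsmasq/resolv.conf
# (path is an assumption) and no server= line for the public resolver.
# Configure in the OpenVPN client config:
#   script-security 2
#   up   /etc/openvpn/vpn-dns.sh
#   down /etc/openvpn/vpn-dns.sh

RESOLV_FILE="${RESOLV_FILE:-/run/dnsmasq/resolv.conf}"
FALLBACK_DNS="${FALLBACK_DNS:-8.8.8.8}"

# Print the DNS servers OpenVPN pushed, one per line. OpenVPN numbers them
# foreign_option_1, foreign_option_2, ... with values such as
# "dhcp-option DNS 10.10.1.2" or "dhcp-option DOMAIN mycorp.intern".
# Prints nothing when the provider pushed no DNS server.
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                s=${opt#dhcp-option DNS }
                # The pushed value comes from the remote server: accept only a
                # dotted quad so nothing else ends up in the resolver config.
                case "$s" in
                    *[!0-9.]* | "") ;;
                    *) printf '%s\n' "$s" ;;
                esac
                ;;
        esac
        i=$((i + 1))
    done
}

# Build the resolv-file content: pushed servers if there are any, otherwise
# the public fallback, so the fallback is used only when the VPN offers none.
build_resolv() {
    servers=$(pushed_dns_servers)
    [ -n "$servers" ] || servers=$FALLBACK_DNS
    printf '%s\n' "$servers" | sed 's/^/nameserver /'
}

# OpenVPN sets script_type to "up" or "down"; anything else means the script
# was invoked by hand, and nothing is written.
case "${script_type:-}" in
    up)   build_resolv > "$RESOLV_FILE" ;;
    down) printf 'nameserver %s\n' "$FALLBACK_DNS" > "$RESOLV_FILE" ;;
esac
```

The hook covers the provider tunnel (tun0). Per-domain forwarding for the corporate tunnel, so that only `*.mycorp.intern` goes to 10.10.1.2, is a separate dnsmasq `server=/mycorp.intern/10.10.1.2` line and is not generated here.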