Route all eth1 traffic over VPN
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
I have 3 NIC in my system: eth0 (192.168.1.54), eth1(192.168.1.55), wg0 (VPN, 192.168.99.1)
I'm looking for a way to route all eth1 traffic (tcp and udp) over wg0 (Wireguard VPN).
What I am trying to achieve is that on my phone/tablet/apple tv/etc I set eth1 address as Router, so all traffic should be redirected trough VPN.
On the remote side (it's a VPS) I have eth0 (main internet) and wg0 (192.168.99.2).
All what I currently did is that I successfully set up Wireguard interfaces on the both side (I can ping each other).
Route table:
default via 192.168.1.1 dev eth0 onlink
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.54
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.55
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.1
linux routing vpn
asked Dec 15 '17 at 15:23
user66638
1011
add a comment |Â
up vote
0
down vote
favorite
I have 3 NIC in my system: eth0 (192.168.1.54), eth1(192.168.1.55), wg0 (VPN, 192.168.99.1)
I'm looking for a way to route all eth1 traffic (tcp and udp) over wg0 (Wireguard VPN).
What I am trying to achieve is that on my phone/tablet/apple tv/etc I set eth1 address as Router, so all traffic should be redirected trough VPN.
On the remote side (it's a VPS) I have eth0 (main internet) and wg0 (192.168.99.2).
All what I currently did is that I successfully set up Wireguard interfaces on the both side (I can ping each other).
Route table:
default via 192.168.1.1 dev eth0 onlink
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.54
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.55
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.1
linux routing vpn
asked Dec 15 '17 at 15:23
user66638
1011
add a comment |Â
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I have 3 NIC in my system: eth0 (192.168.1.54), eth1(192.168.1.55), wg0 (VPN, 192.168.99.1)
I'm looking for a way to route all eth1 traffic (tcp and udp) over wg0 (Wireguard VPN).
What I am trying to achieve is that on my phone/tablet/apple tv/etc I set eth1 address as Router, so all traffic should be redirected trough VPN.
On the remote side (it's a VPS) I have eth0 (main internet) and wg0 (192.168.99.2).
All what I currently did is that I successfully set up Wireguard interfaces on the both side (I can ping each other).
Route table:
default via 192.168.1.1 dev eth0 onlink
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.54
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.55
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.1
linux routing vpn
asked Dec 15 '17 at 15:23
user66638
1011
I have 3 NIC in my system: eth0 (192.168.1.54), eth1(192.168.1.55), wg0 (VPN, 192.168.99.1)
I'm looking for a way to route all eth1 traffic (tcp and udp) over wg0 (Wireguard VPN).
What I am trying to achieve is that on my phone/tablet/apple tv/etc I set eth1 address as Router, so all traffic should be redirected trough VPN.
On the remote side (it's a VPS) I have eth0 (main internet) and wg0 (192.168.99.2).
All what I currently did is that I successfully set up Wireguard interfaces on the both side (I can ping each other).
Route table:
default via 192.168.1.1 dev eth0 onlink
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.54
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.55
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.1
linux routing vpn
asked Dec 15 '17 at 15:23
user66638
1011
asked Dec 15 '17 at 15:23
user66638
1011
asked Dec 15 '17 at 15:23
user66638
1011
asked Dec 15 '17 at 15:23
user66638
1011
1011
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
0
down vote
You don't need two Ethernet interfaces. Define a host route via 192.168.1.1 to the public IP of the VPN server, and point the default route to the remote end of the tunnel (192.168.99.2). Make the default route on the other devices on your LAN point to 192.168.1.54. Remember to enable packet forwarding on your PC (sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1).
EDIT: You cannot achieve the solution you are looking for with IPv4 classic routing, since classic routing is only concerned with where a packet is going, not its history, like which interface it was received on, or the source address. You will have to use Policy Routing to be able to classify packets based on the interface they were received on. Based on this classification you can then use an alternate routing table for routing, which, for example, defines a default route through your VPN tunnel.
To use policy routing, you should add an entry (vpn) to /etc/iproute2/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 vpn
This gives the name vpn to routing table number 1.
Next, add the following policy rule:
ip rule add unicast iif eth1 table vpn
This rule effectively says "if the packet comes in on interface eth1, use routing table vpn".
You can check the rules with ip rule show:
ip rule show
0: from all lookup local
32765: from all iif eth1 lookup vpn
32766: from all lookup main
32767: from all lookup default
The rules are applied in ascending order, until a rule matches. If a packet is received on interfave eth1, rule 32765 matches, else the next rules are tried.
You can now add routes to the vpn routing table. For example, to add a default route to your tunnel:
ip route add default dev wg0 via 192.168.99.2 table vpn
To print the vpn routing table, use
ip route show table vpn
Now, I haven't been able to actually test this, so there may be errors or some details missing. For more information on policy routing, see https://www.policyrouting.org or https://linux-ip.net.
answered Dec 15 '17 at 20:40
Johan Myréen
6,92211322
Can you be a little bit more specific about routing? I have two interface, because there are other services running on this server (.54) which must be not affected in any way. "Define a host route" you mean I should create a static routing in my router (1.1) to the remote side 99.2? I can create a static routing for whole network only 99.0/24.
– user66638
Dec 15 '17 at 21:30
Point the default route to the remote end of the tunnel (192.168.99.2). --> I want to redirect only the eth1 traffic, not the whole network on the server.
– user66638
Dec 15 '17 at 21:52
Packet forwarding is based on routes, not interfaces. Routing tables are per host. Using basic routing, any packet received on any interface is subject to a routing decision based on the destination address. Please give more detail on what you want to achieve. Policy based routing might be the solution to your problem.
– Johan Myréen
Dec 16 '17 at 11:24
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
You don't need two Ethernet interfaces. Define a host route via 192.168.1.1 to the public IP of the VPN server, and point the default route to the remote end of the tunnel (192.168.99.2). Make the default route on the other devices on your LAN point to 192.168.1.54. Remember to enable packet forwarding on your PC (sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1).
EDIT: You cannot achieve the solution you are looking for with IPv4 classic routing, since classic routing is only concerned with where a packet is going, not its history, like which interface it was received on, or the source address. You will have to use Policy Routing to be able to classify packets based on the interface they were received on. Based on this classification you can then use an alternate routing table for routing, which, for example, defines a default route through your VPN tunnel.
To use policy routing, you should add an entry (vpn) to /etc/iproute2/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 vpn
This gives the name vpn to routing table number 1.
Next, add the following policy rule:
ip rule add unicast iif eth1 table vpn
This rule effectively says "if the packet comes in on interface eth1, use routing table vpn".
You can check the rules with ip rule show:
ip rule show
0: from all lookup local
32765: from all iif eth1 lookup vpn
32766: from all lookup main
32767: from all lookup default
The rules are applied in ascending order, until a rule matches. If a packet is received on interfave eth1, rule 32765 matches, else the next rules are tried.
You can now add routes to the vpn routing table. For example, to add a default route to your tunnel:
ip route add default dev wg0 via 192.168.99.2 table vpn
To print the vpn routing table, use
ip route show table vpn
Now, I haven't been able to actually test this, so there may be errors or some details missing. For more information on policy routing, see https://www.policyrouting.org or https://linux-ip.net.
answered Dec 15 '17 at 20:40
Johan Myréen
6,92211322
Can you be a little bit more specific about routing? I have two interface, because there are other services running on this server (.54) which must be not affected in any way. "Define a host route" you mean I should create a static routing in my router (1.1) to the remote side 99.2? I can create a static routing for whole network only 99.0/24.
– user66638
Dec 15 '17 at 21:30
Point the default route to the remote end of the tunnel (192.168.99.2). --> I want to redirect only the eth1 traffic, not the whole network on the server.
– user66638
Dec 15 '17 at 21:52
Packet forwarding is based on routes, not interfaces. Routing tables are per host. Using basic routing, any packet received on any interface is subject to a routing decision based on the destination address. Please give more detail on what you want to achieve. Policy based routing might be the solution to your problem.
– Johan Myréen
Dec 16 '17 at 11:24
add a comment |Â
up vote
0
down vote
You don't need two Ethernet interfaces. Define a host route via 192.168.1.1 to the public IP of the VPN server, and point the default route to the remote end of the tunnel (192.168.99.2). Make the default route on the other devices on your LAN point to 192.168.1.54. Remember to enable packet forwarding on your PC (sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1).
EDIT: You cannot achieve the solution you are looking for with IPv4 classic routing, since classic routing is only concerned with where a packet is going, not its history, like which interface it was received on, or the source address. You will have to use Policy Routing to be able to classify packets based on the interface they were received on. Based on this classification you can then use an alternate routing table for routing, which, for example, defines a default route through your VPN tunnel.
To use policy routing, you should add an entry (vpn) to /etc/iproute2/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 vpn
This gives the name vpn to routing table number 1.
Next, add the following policy rule:
ip rule add unicast iif eth1 table vpn
This rule effectively says "if the packet comes in on interface eth1, use routing table vpn".
You can check the rules with ip rule show:
ip rule show
0: from all lookup local
32765: from all iif eth1 lookup vpn
32766: from all lookup main
32767: from all lookup default
The rules are applied in ascending order, until a rule matches. If a packet is received on interfave eth1, rule 32765 matches, else the next rules are tried.
You can now add routes to the vpn routing table. For example, to add a default route to your tunnel:
ip route add default dev wg0 via 192.168.99.2 table vpn
To print the vpn routing table, use
ip route show table vpn
Now, I haven't been able to actually test this, so there may be errors or some details missing. For more information on policy routing, see https://www.policyrouting.org or https://linux-ip.net.
answered Dec 15 '17 at 20:40
Johan Myréen
6,92211322
Can you be a little bit more specific about routing? I have two interface, because there are other services running on this server (.54) which must be not affected in any way. "Define a host route" you mean I should create a static routing in my router (1.1) to the remote side 99.2? I can create a static routing for whole network only 99.0/24.
– user66638
Dec 15 '17 at 21:30
Point the default route to the remote end of the tunnel (192.168.99.2). --> I want to redirect only the eth1 traffic, not the whole network on the server.
– user66638
Dec 15 '17 at 21:52
Packet forwarding is based on routes, not interfaces. Routing tables are per host. Using basic routing, any packet received on any interface is subject to a routing decision based on the destination address. Please give more detail on what you want to achieve. Policy based routing might be the solution to your problem.
– Johan Myréen
Dec 16 '17 at 11:24
add a comment |Â
up vote
0
down vote
up vote
0
down vote
You don't need two Ethernet interfaces. Define a host route via 192.168.1.1 to the public IP of the VPN server, and point the default route to the remote end of the tunnel (192.168.99.2). Make the default route on the other devices on your LAN point to 192.168.1.54. Remember to enable packet forwarding on your PC (sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1).
EDIT: You cannot achieve the solution you are looking for with IPv4 classic routing, since classic routing is only concerned with where a packet is going, not its history, like which interface it was received on, or the source address. You will have to use Policy Routing to be able to classify packets based on the interface they were received on. Based on this classification you can then use an alternate routing table for routing, which, for example, defines a default route through your VPN tunnel.
To use policy routing, you should add an entry (vpn) to /etc/iproute2/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 vpn
This gives the name vpn to routing table number 1.
Next, add the following policy rule:
ip rule add unicast iif eth1 table vpn
This rule effectively says "if the packet comes in on interface eth1, use routing table vpn".
You can check the rules with ip rule show:
ip rule show
0: from all lookup local
32765: from all iif eth1 lookup vpn
32766: from all lookup main
32767: from all lookup default
The rules are applied in ascending order, until a rule matches. If a packet is received on interfave eth1, rule 32765 matches, else the next rules are tried.
You can now add routes to the vpn routing table. For example, to add a default route to your tunnel:
ip route add default dev wg0 via 192.168.99.2 table vpn
To print the vpn routing table, use
ip route show table vpn
Now, I haven't been able to actually test this, so there may be errors or some details missing. For more information on policy routing, see https://www.policyrouting.org or https://linux-ip.net.
answered Dec 15 '17 at 20:40
Johan Myréen
6,92211322
You don't need two Ethernet interfaces. Define a host route via 192.168.1.1 to the public IP of the VPN server, and point the default route to the remote end of the tunnel (192.168.99.2). Make the default route on the other devices on your LAN point to 192.168.1.54. Remember to enable packet forwarding on your PC (sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1).
EDIT: You cannot achieve the solution you are looking for with IPv4 classic routing, since classic routing is only concerned with where a packet is going, not its history, like which interface it was received on, or the source address. You will have to use Policy Routing to be able to classify packets based on the interface they were received on. Based on this classification you can then use an alternate routing table for routing, which, for example, defines a default route through your VPN tunnel.
To use policy routing, you should add an entry (vpn) to /etc/iproute2/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 vpn
This gives the name vpn to routing table number 1.
Next, add the following policy rule:
ip rule add unicast iif eth1 table vpn
This rule effectively says "if the packet comes in on interface eth1, use routing table vpn".
You can check the rules with ip rule show:
ip rule show
0: from all lookup local
32765: from all iif eth1 lookup vpn
32766: from all lookup main
32767: from all lookup default
The rules are applied in ascending order, until a rule matches. If a packet is received on interfave eth1, rule 32765 matches, else the next rules are tried.
You can now add routes to the vpn routing table. For example, to add a default route to your tunnel:
ip route add default dev wg0 via 192.168.99.2 table vpn
To print the vpn routing table, use
ip route show table vpn
Now, I haven't been able to actually test this, so there may be errors or some details missing. For more information on policy routing, see https://www.policyrouting.org or https://linux-ip.net.
answered Dec 15 '17 at 20:40
Johan Myréen
6,92211322
edited Dec 16 '17 at 16:13
answered Dec 15 '17 at 20:40
Johan Myréen
6,92211322
answered Dec 15 '17 at 20:40
Johan Myréen
6,92211322
answered Dec 15 '17 at 20:40
Johan Myréen
6,92211322
6,92211322
Can you be a little bit more specific about routing? I have two interface, because there are other services running on this server (.54) which must be not affected in any way. "Define a host route" you mean I should create a static routing in my router (1.1) to the remote side 99.2? I can create a static routing for whole network only 99.0/24.
– user66638
Dec 15 '17 at 21:30
Point the default route to the remote end of the tunnel (192.168.99.2). --> I want to redirect only the eth1 traffic, not the whole network on the server.
– user66638
Dec 15 '17 at 21:52
Packet forwarding is based on routes, not interfaces. Routing tables are per host. Using basic routing, any packet received on any interface is subject to a routing decision based on the destination address. Please give more detail on what you want to achieve. Policy based routing might be the solution to your problem.
– Johan Myréen
Dec 16 '17 at 11:24
add a comment |Â
Can you be a little bit more specific about routing? I have two interface, because there are other services running on this server (.54) which must be not affected in any way. "Define a host route" you mean I should create a static routing in my router (1.1) to the remote side 99.2? I can create a static routing for whole network only 99.0/24.
– user66638
Dec 15 '17 at 21:30
Point the default route to the remote end of the tunnel (192.168.99.2). --> I want to redirect only the eth1 traffic, not the whole network on the server.
– user66638
Dec 15 '17 at 21:52
Packet forwarding is based on routes, not interfaces. Routing tables are per host. Using basic routing, any packet received on any interface is subject to a routing decision based on the destination address. Please give more detail on what you want to achieve. Policy based routing might be the solution to your problem.
– Johan Myréen
Dec 16 '17 at 11:24
Can you be a little bit more specific about routing? I have two interface, because there are other services running on this server (.54) which must be not affected in any way. "Define a host route" you mean I should create a static routing in my router (1.1) to the remote side 99.2? I can create a static routing for whole network only 99.0/24.
– user66638
Dec 15 '17 at 21:30
Can you be a little bit more specific about routing? I have two interface, because there are other services running on this server (.54) which must be not affected in any way. "Define a host route" you mean I should create a static routing in my router (1.1) to the remote side 99.2? I can create a static routing for whole network only 99.0/24.
– user66638
Dec 15 '17 at 21:30
Point the default route to the remote end of the tunnel (192.168.99.2). --> I want to redirect only the eth1 traffic, not the whole network on the server.
– user66638
Dec 15 '17 at 21:52
Point the default route to the remote end of the tunnel (192.168.99.2). --> I want to redirect only the eth1 traffic, not the whole network on the server.
– user66638
Dec 15 '17 at 21:52
Packet forwarding is based on routes, not interfaces. Routing tables are per host. Using basic routing, any packet received on any interface is subject to a routing decision based on the destination address. Please give more detail on what you want to achieve. Policy based routing might be the solution to your problem.
– Johan Myréen
Dec 16 '17 at 11:24
Packet forwarding is based on routes, not interfaces. Routing tables are per host. Using basic routing, any packet received on any interface is subject to a routing decision based on the destination address. Please give more detail on what you want to achieve. Policy based routing might be the solution to your problem.
– Johan Myréen
Dec 16 '17 at 11:24
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f411081%2froute-all-eth1-traffic-over-vpn%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
