How to share linux shrew soft vpn tap device with local QEMU VMs

Host (Ubuntu 16.04) has a QEMU guest:

host-guest NAT network 192.168.100.0/24 IFs:

  • virbr2: host

  • virbr2-nic: guest

Host also has:

  • eno1: connecting to the public internet router. Subnet 192.168.1.0/24

  • tap0: Shrew Soft VPN subnet 192.168.200.0/24 with fixed IP 192.168.200.20

Host /proc/sys/net/ipv4/ip_forward is 1.

  • Pings from guest to the public internet router are answered just fine, NAT works.

  • Pings from host to some VPN peer also work out fine.

  • Pings from guest to some VPN peer miss the final telegram back to the guest:
    Wireshark shows the ping reply from the VPN peer to the host's tap0, but the ping reply is not relayed back to the guest.

There is no special handling for tap0 in iptables.

What's wrong, how do I fix this?

Update:

Found a thread describing a similar problem (no solution yet):

http://www.spinics.net/lists/netfilter/msg54779.html

Do iptables need to know some IPsec details to succeed in SNATing back to the guest?
  • Did you find a solution to this problem?
    – Donbhupi
    Aug 26 at 13:24
edited Dec 15 '17 at 11:34

asked Dec 15 '17 at 0:03

user771723
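As an added illustration (not part of the original question or of any answer on the page), the following hypothetical shell script audits the three host-side prerequisites the question touches on for the guest-to-VPN-peer path: ip_forward, a source-NAT rule that still applies when the guest's traffic leaves via tap0, and a FORWARD rule that lets the de-NATed reply back onto virbr2. It parses iptables-save output passed in as text, so it can also be run against a saved dump; the embedded rule sets are constructed samples modelled on libvirt's default NAT-network rules, not dumps from the asker's host. Interface names and subnets are the ones from the question.

```shell
#!/bin/sh
# Hypothetical audit script (added example, not from the question or an answer).
# Checks the host-side prerequisites for NATing a QEMU guest subnet out through a
# VPN tap device. It works on iptables-save text passed as an argument, so it can
# run against a saved dump or the constructed sample below without root.

GUEST_NET="192.168.100.0/24"   # libvirt NAT network from the question
GUEST_BR="virbr2"              # host side of that network
VPN_IF="tap0"                  # Shrew Soft VPN tap device

# Check 1: a MASQUERADE/SNAT rule in the nat table that covers the guest subnet
# and is not pinned (-o) to an interface other than the VPN tap. Without it the
# echo request leaves tap0 with the guest's 192.168.100.x source address and the
# VPN peer has no route back to it.
nat_covers_vpn() {             # $1 = iptables-save text; exit 0 if found
    printf '%s\n' "$1" | awk -v net="$GUEST_NET" -v vpn="$VPN_IF" '
        /^\*/ { table = $1 }
        table == "*nat" && /-j (MASQUERADE|SNAT)/ && index($0, "-s " net) {
            if (match($0, /-o [^ ]+/)) {
                oif = substr($0, RSTART + 3, RLENGTH - 3)
                if (oif != vpn) next     # pinned to another uplink
            }
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Check 2: the filter FORWARD chain accepts RELATED,ESTABLISHED traffic back
# out of the guest bridge. The reply is de-NATed in PREROUTING on tap0 and then
# has to pass FORWARD towards virbr2; with no such rule it is dropped there.
forward_accepts_replies() {    # $1 = iptables-save text; exit 0 if found
    printf '%s\n' "$1" | awk -v br="$GUEST_BR" '
        /^\*/ { table = $1 }
        table == "*filter" && /^-A FORWARD/ && index($0, "-o " br) &&
            /RELATED,ESTABLISHED/ && /-j ACCEPT/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run all checks, print one verdict line each, return 0 only if all pass.
audit() {                      # $1 = iptables-save text, $2 = ip_forward value
    rc=0
    if [ "$2" = "1" ]; then
        echo "ip_forward=1: ok"
    else
        echo "ip_forward=$2: host does not route between interfaces at all"; rc=1
    fi
    if nat_covers_vpn "$1"; then
        echo "source NAT for $GUEST_NET applies when leaving via $VPN_IF: ok"
    else
        echo "no source NAT for $GUEST_NET via $VPN_IF: peer sees the guest's private address"; rc=1
    fi
    if forward_accepts_replies "$1"; then
        echo "FORWARD accepts established replies into $GUEST_BR: ok"
    else
        echo "FORWARD lacks RELATED,ESTABLISHED accept towards $GUEST_BR: replies dropped"; rc=1
    fi
    return $rc
}

# Constructed sample modelled on libvirt's default rules for a NAT network (not a
# dump from the asker's host). The MASQUERADE rule has no -o, so it applies to tap0.
SAMPLE_OK='*nat
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.100.0/24 -o virbr2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr2 -j ACCEPT
COMMIT'

# Constructed broken variant: NAT pinned to the internet uplink and no reply rule.
SAMPLE_BAD='*nat
-A POSTROUTING -s 192.168.100.0/24 -o eno1 -j MASQUERADE
COMMIT
*filter
-A FORWARD -s 192.168.100.0/24 -i virbr2 -j ACCEPT
COMMIT'

# As root on the real host, audit the live tables; otherwise use the sample.
if [ "$(id -u)" = 0 ] && command -v iptables-save >/dev/null 2>&1; then
    audit "$(iptables-save 2>/dev/null)" "$(cat /proc/sys/net/ipv4/ip_forward)" || echo "audit: problems found"
else
    audit "$SAMPLE_OK" 1 || echo "audit: problems found"
fi
```

Run as root on the host, the script audits the live tables; otherwise it evaluates the constructed sample. It does not look at the VPN client itself: if all three checks pass and Wireshark still shows the reply reaching tap0 but not virbr2, the next thing to inspect is the conntrack entry for the echo request (`conntrack -L` from conntrack-tools), which shows whether the reply is being matched to the outgoing flow and de-NATed.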