How to share linux shrew soft vpn tap device with local QEMU VMs
host (Ubuntu 16.04) has QEMU guest:
host-guest NAT network 192.168.100.0/24 IFs:
- virbr2: host
- virbr2-nic: guest
Host also has:
- eno1: connecting to public internet router. Subnet 192.168.1.0/24
- tap0: shrew soft vpn subnet 192.168.200.0/24 with fixed ip 192.168.200.20
host /proc/sys/net/ipv4/ip_forward is 1.
- Pings from guest to public internet router are answered just fine, NAT works.
- Pings from host to some vpn-peer also work out fine.
- Pings from guest to some vpn-peer miss the final telegram back to the guest:
Wireshark shows the ping-reply from the vpn-peer to the host's tap0 but the ping-reply is not relayed back to the guest.
There is no special handling for the tap0 in iptables.
What's wrong, how do I fix this?
Update:
Found a thread describing a similar problem (no solution yet):
http://www.spinics.net/lists/netfilter/msg54779.html
Do iptables need to know some ipsec details to succeed SNATing back to the guest?
networking iptables virtual-machine vpn ipsec
Did you find a solution to this problem?
– Donbhupi
Aug 26 at 13:24
edited Dec 15 '17 at 11:34
asked Dec 15 '17 at 0:03
user771723