Advanced routing set up, and make it automatic.


Postby majkelos » Mon Jan 14, 2013 5:42 am

Hi everybody.
I just want to check with you if the config I have made is correct.

I have my GoFlex with Arch Linux installed on it. The NAS is connected to the router (router IP is 192.168.100.1); the NAS IP is 192.168.100.107.

I have the DynDNS established so I can connect remotely to my NAS via a dlinkddns address. On my router there is port forwarding set up so all the packets are reaching the NAS and I can use pyLoad and other similar services.

Now I want to establish the OpenVPN connection from my GoFlex so all the transfer from and to it is secure. Easy enough, I'm just using:

openvpn servername.ovpn

And this is working well: I'm being connected, my address is changed and everybody's happy. But now when I'm trying to connect to my NAS via DDNS it is not giving me the connection. Basically what is happening is I'm sending the request via my usual IP and the NAS is sending the response via my OpenVPN.

Just for the record, these are some basic infos from my machine after the OpenVPN connection:

[root@alarm ~]# ip route
0.0.0.0/1 via 10.200.4.1 dev tun0
default via 192.168.100.1 dev eth0 metric 202
10.200.4.0/22 dev tun0 proto kernel scope link src 10.200.5.8
77.92.92.161 via 192.168.100.1 dev eth0
128.0.0.0/1 via 10.200.4.1 dev tun0
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.107 metric 202
---------
[root@alarm ~]# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default


Now I removed the 0.0.0.0/1 via 10.200.4.1 dev tun0 rule:

ip route del 0.0.0.0/1 via 10.200.4.1 dev tun0

And I added 2 new tables called moja and mvpn in the /etc/iproute2/rt_tables file.

Then I set up (I think) source-based routing, based on interface, saying that all the traffic coming in on eth0 is answered via eth0 and all the traffic coming in on tun0 is answered through tun0:

ip rule add dev tun0 table mvpn
ip route add default dev tun0 table mvpn
ip rule add dev eth0 table moja
ip route add default dev eth0 table moja
ip route flush cache

This seems to work; I mean now when I SSH from my NAS and check ipecho.net it gives me a different IP (the VPN IP) than when I'm checking it via my laptop. So this would be my downloading IP.
My only concern is how to check what my uploading IP is?
And assuming it's OK, how to make this whole procedure more automatic, preferably together with the OpenVPN connection? Any tips or ideas?

OK, maybe I'll post the final configs:

[root@alarm ~]# ip route
default via 192.168.100.1 dev eth0 metric 202
10.200.4.0/22 dev tun0 proto kernel scope link src 10.200.5.8
77.92.92.161 via 192.168.100.1 dev eth0
128.0.0.0/1 via 10.200.4.1 dev tun0
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.107 metric 202
------------
[root@alarm ~]# ip rule
0: from all lookup local
32764: from all iif eth0 lookup moja
32765: from all iif tun0 lookup mvpn
32766: from all lookup main
32767: from all lookup default

Cheers,

Edit:
OK, what I did is I PuTTY to my NAS and then I SSH to my dyn-dns address; after that I checked the SSH log file (var/logs/auth.log) and the IP was my original IP (not the VPN one), so it might be I set it up wrongly.
Any ideas?
majkelos
 
Posts: 12
Joined: Thu Jan 10, 2013 3:36 am

Re: Advanced routing set up, and make it automatic.

Postby majkelos » Mon Jan 28, 2013 4:08 am

Hi Guys,

So I finally managed to get this one working; it was probably working even before, but still.

1. The bottom line is that I could have just connected to my VPN address straight away and it would work. But with random VPN addresses it wouldn't be so desirable for me.

2. The way I managed to do it is by using packet marking with iptables:
a. First I set up the table "aa" in the iproute tables (editing the /etc/iproute/rt_tables file)
b. Then I set up the rule and route for this table:

ip route add default via 192.168.100.1 dev eth0 table aa
ip rule add from all fwmark 0x1 lookup aa

The rule is saying that every packet marked with 0x1 will go using the route defined in table aa.
And the table aa route is saying that all the traffic will go through the usual gateway and my usual interface.

3. Now, because I know which ports I'm about to access, I can mark packets going out through specific ports as below:

iptables -t mangle -A OUTPUT -p tcp --dport 9091 ! -d 192.168.100.0/24 -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p tcp --sport 9091 ! -d 192.168.100.0/24 -j MARK --set-mark 0x1

This one is simply saying that all the OUTPUT packets going through port 9091 will be marked with 0x1.
The only trick here is ! -d 192.168.100.0/24, which is just saying to ignore my local network during marking.

To make this persistent we need to:
1. For iptables, edit the file /etc/iptables/iptables.rules and add the following lines into it:

iptables -t mangle -A OUTPUT -p tcp --dport 9091 ! -d 192.168.100.0/24 -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p tcp --sport 9091 ! -d 192.168.100.0/24 -j MARK --set-mark 0x1

or simply use:

iptables-save > /etc/iptables/iptables.rules

2. For saving the routes and rules we'd need to edit the /etc/network.d/wired-eth0 file (or whatever interface it is that you're using).
In the file I've added:

POST_UP='ip route add default via 192.168.100.1 dev eth0 table aa; ip rule add from all fwmark 0x1 lookup aa'

And that's all; it's working now like a charm.
And just a tip: if you want to run a script just after the OpenVPN connection is established, it can be done by editing the client.conf file and adding:

script-security 2
up /etc/openvpn/ref_tr.sh

Just remember to chmod +x the script file.

Cheers
majkelos
 
Posts: 12
Joined: Thu Jan 10, 2013 3:36 am
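Added example, not majkelos's ref_tr.sh (the post only names that file, it does not show its contents): a POSIX sh OpenVPN "up" hook that rebuilds the fwmark reply routing from the second post every time the tunnel comes up, which also answers the first post's question about making the procedure automatic. Assumed values, overridable through environment variables: eth0 / 192.168.100.1 / 192.168.100.0/24 as the LAN side, a table named aa already listed in /etc/iproute2/rt_tables, and 9091 as the only locally served port. OpenVPN does export script_type and dev to the hook; everything else here is the example's own design. With DRY_RUN=1 the script prints the commands instead of executing them, so the rule set can be reviewed on a machine without root or a tunnel before it is installed.

```shell
#!/bin/sh
# Hypothetical OpenVPN "up" hook (added example, e.g. installed as /etc/openvpn/ref_tr.sh):
# rebuilds the fwmark policy routing from the post every time the tunnel comes up.
# Assumed site values; override with environment variables if yours differ.
LAN_IF="${LAN_IF:-eth0}"                  # interface facing the home router
LAN_GW="${LAN_GW:-192.168.100.1}"         # the router, i.e. the non-VPN default gateway
LAN_NET="${LAN_NET:-192.168.100.0/24}"    # LAN traffic must never be marked
TABLE="${TABLE:-aa}"                      # routing table named in /etc/iproute2/rt_tables
MARK="${MARK:-0x1}"                       # fwmark that selects table $TABLE
PORTS="${PORTS:-9091}"                    # space-separated TCP ports served on the NAS

# DRY_RUN=1 prints each command instead of executing it.
dry() { [ "${DRY_RUN:-0}" = "1" ]; }
run() {
    if dry; then printf '%s\n' "$*"; else "$@"; fi
}

# Packets marked $MARK leave via the router instead of the tunnel.
# "replace" plus an existence check keep this idempotent across reconnects.
setup_policy_routing() {
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    if dry || ! ip rule show | grep -q "fwmark $MARK lookup $TABLE"; then
        run ip rule add fwmark "$MARK" lookup "$TABLE"
    fi
    run ip route flush cache
}

# Mark only the replies of local services (source port = service port) that are
# not destined for the LAN; iptables -C avoids duplicate rules on reconnect.
# Usage: mark_service_replies 9091 22
mark_service_replies() {
    for p in "$@"; do
        if dry || ! iptables -t mangle -C OUTPUT -p tcp --sport "$p" \
                ! -d "$LAN_NET" -j MARK --set-mark "$MARK" 2>/dev/null; then
            run iptables -t mangle -A OUTPUT -p tcp --sport "$p" \
                ! -d "$LAN_NET" -j MARK --set-mark "$MARK"
        fi
    done
}

main() {
    setup_policy_routing
    # $PORTS is deliberately unquoted so each port becomes one argument
    mark_service_replies $PORTS
    # $dev is exported by OpenVPN (tun0 in the post); leave a trace in syslog
    run logger -t ref_tr "reply routing installed, tunnel device ${dev:-unknown}"
}

# OpenVPN exports script_type=up when it calls the hook. Run by hand without it
# (or sourced for testing) the script only defines the functions.
case "${script_type:-}" in
    up) main ;;
esac
```

Two checks are worth doing once the hook is installed. `ip route get 203.0.113.10 mark 0x1` (203.0.113.10 is a constructed documentation address) shows which table and interface the kernel would pick for a marked packet, and the same command without `mark` should still answer with the tunnel; that settles the "which IP do I upload from" question locally, and the post's own test of logging in over the DDNS name and reading the remote auth log remains the end-to-end confirmation. Only service replies (source port) are marked here, since those are the packets that must leave via the router; outbound connections from the NAS keep using the tunnel.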

