
Thread: iptables and VPN split tunneling

  1. #1
    Join Date
    Jan 2018
    Beans
    1

    iptables and VPN split tunneling

    So I'm setting up a VPN split tunnel for my box (Raspberry Pi 3/Debian stretch) so that network traffic for user 'vpn' goes through interface 'tun0' and traffic for other users goes through 'eth0'. I've followed this guide: https://www.htpcguides.com/force-tor...-ubuntu-16-04/ and had no problems getting it all working fine. User 'vpn' gets the OpenVPN (tun0) IP and others get the regular IP. I'm running aria2c (a torrenting client) as user 'vpn'. The problem is that aria2c has an RPC daemon, running on port 6800 by default, that I can connect to in order to control, view, add, pause, etc. the downloads, and I can't connect to it with this setup from my LAN (I think because I'm trying to connect to 192.168.1.43 and the RPC server is running on the VPN IP). So... all that said, I think I need a way to forward port 6800 from eth0 to tun0, but I have no clue how to do that... I'm not familiar with iptables, as I have been very lazy and just used ufw to configure firewalls.

    Here are my current iptables rules (copied directly from the guide):
    Code:
    #! /bin/bash
    # Niftiest Software – www.niftiestsoftware.com
    # Modified version by HTPC Guides – www.htpcguides.com
    
    export INTERFACE="tun0"
    export VPNUSER="vpn"
    export LOCALIP="192.168.1.43"
    export NETIF="eth0"
    
    # flushes all the iptables rules, if you have other rules to use then add them into the script
    iptables -F -t nat
    iptables -F -t mangle
    iptables -F -t filter
    
    # mark packets from $VPNUSER
    iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
    iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
    iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
    iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
    iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
    
    # allow responses
    iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
    
    # block everything incoming on $INTERFACE to prevent accidental exposing of ports
    iptables -A INPUT -i $INTERFACE -j REJECT
    
    # let $VPNUSER access lo and $INTERFACE
    iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
    iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
    
    # all packets on $INTERFACE needs to be masqueraded
    iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
    
    # reject connections from predator IP going over $NETIF
    iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
    
    # Start routing script
    /etc/openvpn/routing.sh
    
    exit 0


    Here is the routing stuff:
    Code:
    #! /bin/bash
    # Niftiest Software – www.niftiestsoftware.com
    # Modified version by HTPC Guides – www.htpcguides.com
    
    VPNIF="tun0"
    VPNUSER="vpn"
    GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
    if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
    ip rule add from all fwmark 0x1 lookup $VPNUSER
    fi
    ip route replace default via $GATEWAYIP table $VPNUSER
    ip route append default via 127.0.0.1 dev lo table $VPNUSER
    ip route flush cache
    
    # run update-resolv-conf script to set VPN DNS
    /etc/openvpn/update-resolv-conf
    
    exit 0

    And the routing table:
    Code:
    #
    # reserved values
    #
    255     local
    254     main
    253     default
    0       unspec
    #
    # local
    #
    #1      inr.ruhep
    200     vpn
    And here is the output of iptables -L:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    f2b-recidive  tcp  --  anywhere             anywhere            
    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports 2222
    ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             owner UID match vpn
    ACCEPT     all  --  anywhere             anywhere             owner UID match vpn
    REJECT     all  -- !192.168.1.43         anywhere             reject-with icmp-port-unreachable
    
    Chain f2b-recidive (1 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain monitorix_IN_0 (0 references)
    target     prot opt source               destination         
    
    Chain monitorix_IN_1 (0 references)
    target     prot opt source               destination         
    
    Chain monitorix_IN_2 (0 references)
    target     prot opt source               destination         
    
    Chain monitorix_IN_3 (0 references)
    target     prot opt source               destination         
    
    Chain monitorix_IN_4 (0 references)
    target     prot opt source               destination         
    
    Chain monitorix_IN_5 (0 references)
    target     prot opt source               destination         
    
    Chain monitorix_IN_6 (0 references)
    target     prot opt source               destination         
    
    Chain monitorix_IN_7 (0 references)
    target     prot opt source               destination         
    
    Chain monitorix_IN_8 (0 references)
    target     prot opt source               destination

    So any help I can get would be very much appreciated. Thank you.
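    The two scripts above, traced as an added shell model that is not part of the original post or the HTPC Guides scripts: mark_for replays the mangle OUTPUT rules in their posted order, route_for replays the fwmark ip rule against table vpn (which routing.sh fills with only a default via the VPN gateway), and the client 192.168.1.20, the /24 LAN, the "yes" option modelling an extra LAN route in table vpn, and the function names are all constructed assumptions. It shows that a reply sent by user vpn to any LAN address is marked 0x1 and therefore leaves through tun0 instead of eth0, while other users' traffic is unaffected.

```shell
#!/bin/sh
# Added model of the posted mangle OUTPUT chain and ip-rule lookup (not the real kernel).
LOCALIP="192.168.1.43"      # $LOCALIP from the script
VPNUSER="vpn"               # $VPNUSER from the script
LAN_PREFIX="192.168.1."     # LAN of the box, assumed to be a /24 (constructed)

# mark_for UID SRC DST PROTO DPORT -> prints the fwmark the mangle OUTPUT rules set,
# in the script's order; CONNMARK --restore-mark on a fresh flow yields 0x0.
mark_for() {
    uid=$1; src=$2; dst=$3; proto=$4; dport=$5
    mark="0x0"
    if [ "$uid" = "$VPNUSER" ] && [ "$dst" != "$LOCALIP" ]; then
        mark="0x1"          # ! --dest $LOCALIP -m owner --uid-owner $VPNUSER
    elif [ "$uid" = "$VPNUSER" ] && [ "$dport" = "53" ]; then
        mark="0x1"          # DNS to $LOCALIP from $VPNUSER (udp and tcp rules)
    fi
    if [ "$src" != "$LOCALIP" ]; then
        mark="0x1"          # ! --src $LOCALIP -j MARK (any user)
    fi
    echo "$mark"
}

# route_for MARK DST [LAN_IN_VPN_TABLE] -> prints the egress interface picked by
# "ip rule ... fwmark 0x1 lookup vpn" plus the main table. Table vpn as built by
# routing.sh only holds "default via $GATEWAYIP" (tun0); "yes" models an added
# connected LAN route in table vpn, which is an assumption, not part of the post.
route_for() {
    mark=$1; dst=$2; lan_in_vpn=${3:-no}
    case "$dst" in
        127.*|"$LOCALIP") echo lo; return ;;    # local table wins for own addresses
    esac
    if [ "$mark" = "0x1" ]; then
        case "$dst" in
            "$LAN_PREFIX"*) if [ "$lan_in_vpn" = yes ]; then echo eth0; return; fi ;;
        esac
        echo tun0; return                       # table vpn: default via VPN gateway
    fi
    echo eth0                                   # main table: LAN and default via eth0
}

# reply_path UID SRC DST PROTO DPORT [LAN_IN_VPN_TABLE] -> "MARK IFACE" for one packet
reply_path() {
    m=$(mark_for "$1" "$2" "$3" "$4" "$5")
    echo "$m $(route_for "$m" "$3" "${6:-no}")"
}
# Constructed sample: aria2c (user vpn) answering LAN client 192.168.1.20, which
# connected to 192.168.1.43:6800 from ephemeral port 51234.
reply_path vpn "$LOCALIP" 192.168.1.20 tcp 51234       # 0x1 tun0 : reply leaves via the VPN
reply_path vpn "$LOCALIP" 192.168.1.20 tcp 51234 yes   # 0x1 eth0 : with a LAN route in table vpn
reply_path pi  "$LOCALIP" 192.168.1.20 tcp 51234       # 0x0 eth0 : other users unaffected
```

    The model covers only the marking and the egress choice; the filter rule `! --src $LOCALIP -o $NETIF -j REJECT` still applies to whatever leaves eth0, so a reply from the tun0 address would be rejected there even with the extra route.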

  2. #2
    Join Date
    Oct 2006
    Beans
    58,286

    Re: iptables and VPN split tunneling

    Thread moved to the "Debian" forum.
