Iptables split traffic through VPN and home network

iptables vpn openvpn raspberry-pi

I am using an Raspberry pi as my router to serve my pc and an ioT device. The connection diagram is as below: network setup The RPi has two ethernet port, eth1 connected to my home network 192.168.1.0/24, eth2 is connected to a switch, my pc and an ioT device is connecting to that switch. On the RPi, dnsmasq is used as DHCP and DNS server to assign ip addresses to my PC and ioT device. Openvpn client is setup to connect to the remote VPN server (corporate network). What I am trying to achieve is to only direct some of the traffic through my VPN (tun0) while most of other traffic is via my home network.

My iptables setting is as below:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o tun0 -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -d 10.2.0.0/16 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

When openvpn connection is established, I can talk to the corporate (from my pc) without any issue. However, all traffics are all route through the VPN tun0, and I couldn't access to the home network (from my pc). I guess that is something to do with my iptables setting, any advice?

Edit: add OpenVPN config below

dev tun
client
proto tcp
<ca>
-----BEGIN CERTIFICATE-----
==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
==
-----END PRIVATE KEY-----
</key>
remote-cert-eku "TLS Web Server Authentication"
remote example-domain.com 443

route-nopull
route 10.1.0.0 255.255.0.0 10.0.0.1
route 10.2.0.0 255.255.0.0 10.0.0.1

dhcp-option DNS 10.1.0.253
dhcp-option DNS 10.1.0.254
dhcp-option WINS 10.1.0.253
dhcp-option WINS 10.1.0.254
dhcp-option DOMAIN internal.example-domain.com
block-outside-dns

redirect-gateway def1
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA256
float
reneg-sec 3660
nobind
mute-replay-warnings
auth-user-pass

The entry in your OpenVPN configuration file that's responsible for handling the default routing is this one

redirect-gateway def1

It tells the OpenVPN client to redirect all traffic through the OpenVPN gateway.

If you want to control which routes are sent through the OpenVPN tunnel the keyword is route. It can be repeated multiple times, once per subnet. For example, to send everything in the 10.0.0.0/8 and 192.168.77.0/24 subnets across the tunnel, while leaving everything else to route via your LAN and LAN gateway you could use this configuration setting instead of the redirect-gateway one

# route network/IP [netmask] [gateway] [metric]
route 10.0.0.0 255.0.0.0
route 192.168.77.0 255.255.255.0

In your case the routing is already specified, so you simply need to comment out the redirect-gateway line and restart your VPN connection.

Related

Why do I have to reboot my router occasionally to stop gradual network degradation?
Ubuntu on Virtualbox screen is too small, can't change resolution
Do apps on an SSD run faster even if windows is on a separate HDD? [closed]
From a list to a table
Can wider subnetmask create problems in accessing some websites?
Formula to create a cartesian product from two data sets in a spilled range
How to drag text in "enhanced" textareas?
Windows 7: Connect to Android device using WPA2 PSK
Can one Ethernet cable supply internet and an SSH connection?
Access Windows 10 & create new local user account, not knowing old passwords nor admin [duplicate]
Firefox touchpad pinch to zoom not working but touch pinch to zoom works on Linux
How can I replace a newline with its escape sequence?