How to configure an OpenVPN Client Router

I am attempting to set up an OpenVPN Router so that I may connect my tablet (wireless) and Blu-Ray (wired) to a paid VPN service in another country on Ubuntu 12.10. I have successfully done this using DD-WRT (too slow) and a virtual instance of PFSense (too limited).

I'm new to Linux, but I'm 90% complete with this project. Hardware is 2 wired ethernet ports, one of which is connected to a traditional home router, and a wireless card.

So far I have:

  1. Set up my wireless to act as a true Master Access point using hostapd
  2. Created a bridge (I think) between the Wireless and Local LAN
  3. Set up a DHCP server that is successfully assigning addresses to the bridge - both wireless and wired are getting them.
  4. Set up OpenVPN so that it successfully creates a tunneled connection upon boot.

Current behavior routes all traffic from my Ubuntu machine to the VPN server. The other devices do NOT have any connectivity, and that's the issue.

My Question/Goal:

How do I configure the routing so that OpenVPN only directs traffic from my bridge (devices under 192.168.10.x) through the VPN tunnel and NOT traffic from the actual Ubuntu computer?

OpenVPN sets up some routes automatically, but it seems to ignore the bridge I set up.

I have read a lot of documentation on iptables and route but it makes very little sense to me. Despite multiple tutorials, I still don't understand how to read the results from the route command. I also suspect this can be accomplished with route-noexec and route-up in the OpenVPN configuration file, but nothing has been successful.

My knowledge of where configuration files and settings are is limited. The above tasks took me at least 30 hours of tinkering, so please go easy on me :)

Thanks!

Edit

I've posted a solution below that directs the bridge traffic, but it doesn't prevent traffic on the Ubuntu computer from going through the VPN.


Solution 1:

I'm not sure this is ideal, but it's at least working. In a perfect world, the traffic on the Ubuntu computer would not route through the VPN, only that of the devices connected to the Ubuntu computer. Anyway, here's the solution:

In the openvpn.conf file

script-security 2
up "/path/to/external/script.sh"

In the /path/to/external/script.sh file

#!/bin/sh
# Run by OpenVPN on "up" (OpenVPN passes the tunnel device name as $1); needs net.ipv4.ip_forward=1.
iptables -A FORWARD -o tun0 -i br0 -s 192.168.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow reply traffic of already-established connections in both directions.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Flushes EVERY nat POSTROUTING rule (not just OpenVPN's), then masquerades everything leaving via the tunnel.
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

In the above, tun0 is the tunnel created by OpenVPN, br0 is the bridge between my local wireless and local LAN, and 192.168.10.0/24 is the subnet/DHCP pool for my local LAN.

I have no idea what that script does, but I cobbled it together from a few sites about Internet Connection Sharing.

I'll leave this answer un-checked in case anyone wants to provide a better one or explain how to prevent traffic on the Ubuntu computer from going through the VPN.
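Added example (not part of the original question or answer) showing the route-noexec / route-up approach the question mentions, carried through with policy routing: only packets sourced from the bridge subnet are sent through the tunnel, while the Ubuntu host's own default route via the home router is never touched, which is exactly the part Solution 1 leaves open. It assumes br0 and 192.168.10.0/24 from the post; the tunnel device and VPN gateway come from the environment OpenVPN exports to its scripts ($dev, $route_vpn_gateway, $script_type); the script path /etc/openvpn/vpn-policy-route.sh, routing table number 100, and the DRY_RUN switch (which only prints the commands, for inspection without root) are arbitrary choices made here.

```shell
#!/bin/sh
# vpn-policy-route.sh (assumed path: /etc/openvpn/vpn-policy-route.sh).
# Example hook, not from the original post. Referenced from the OpenVPN client config as:
#   script-security 2
#   route-noexec
#   route-up /etc/openvpn/vpn-policy-route.sh
#   down     /etc/openvpn/vpn-policy-route.sh
# route-noexec stops OpenVPN from installing the pushed redirect-gateway routes,
# so the host keeps its normal default route via the home router. OpenVPN
# exports $dev, $route_vpn_gateway and $script_type to this script.

LAN_NET="${LAN_NET:-192.168.10.0/24}"   # bridge subnet from the post
LAN_IF="${LAN_IF:-br0}"                 # bridge device from the post
VPN_TABLE="${VPN_TABLE:-100}"           # routing table number (arbitrary)

# run CMD ARGS...: execute, or only print the command when DRY_RUN=1
# (lets the generated commands be inspected without root or a live tunnel).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_rule TABLE CHAIN RULE...: append unless an identical rule already exists,
# so tunnel reconnects do not pile up duplicate rules.
add_rule() {
    t="$1"; shift
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$t" -C "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$t" -A "$@"
}

# vpn_up TUN GATEWAY: make only LAN-sourced packets use the tunnel.
vpn_up() {
    tun="$1"; gw="$2"
    run sysctl -w net.ipv4.ip_forward=1
    # Dedicated table whose only route is the tunnel default; the main table is untouched.
    run ip route replace default via "$gw" dev "$tun" table "$VPN_TABLE"
    # Policy rule: packets from the LAN subnet consult the VPN table before main.
    run ip rule add from "$LAN_NET" lookup "$VPN_TABLE" priority 1000
    # Loose reverse-path check on the tunnel so VPN replies to the LAN are not dropped.
    run sysctl -w "net.ipv4.conf.$tun.rp_filter=2"
    add_rule filter FORWARD -i "$LAN_IF" -o "$tun" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    add_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Kill switch: if the tunnel drops, LAN traffic must not fall back to the home router.
    # (This also blocks bridge clients from reaching the home router's LAN; insert an ACCEPT
    # for that subnet above it if that is wanted.)
    add_rule filter FORWARD -i "$LAN_IF" -s "$LAN_NET" ! -o "$tun" -j REJECT
    # NAT only the LAN subnet, not the host's own traffic, behind the tunnel address.
    add_rule nat POSTROUTING -s "$LAN_NET" -o "$tun" -j MASQUERADE
}

# vpn_down TUN: undo the routing; the REJECT kill switch deliberately stays in place.
vpn_down() {
    tun="$1"
    run ip rule del from "$LAN_NET" lookup "$VPN_TABLE" priority 1000
    run ip route flush table "$VPN_TABLE"
    run iptables -t nat -D POSTROUTING -s "$LAN_NET" -o "$tun" -j MASQUERADE
    run iptables -t filter -D FORWARD -i "$LAN_IF" -o "$tun" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
}

# OpenVPN sets script_type; run by hand without it, the script does nothing.
case "${script_type:-}" in
    route-up) vpn_up "$dev" "$route_vpn_gateway" ;;
    down)     vpn_down "$dev" ;;
esac
```

Two caveats for the bridge clients: they must get a DNS server that is reachable through the tunnel from DHCP (if they use a resolver running on the Ubuntu host, those lookups leave via the home router, not the VPN), and any service they reach on the host itself (DHCP, DNS) is unaffected by the rules above because it is delivered locally before the FORWARD chain and the policy rule are consulted.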