How to configure an OpenVPN Client Router
I am attempting to set up an OpenVPN Router so that I may connect my tablet (wireless) and Blu-Ray (wired) to a paid VPN service in another country on Ubuntu 12.10. I have successfully done this using DD-WRT (too slow) and a virtual instance of PFSense (too limited).
I'm new to Linux, but I'm 90% complete with this project. Hardware is 2 wired ethernet ports, one of which is connected to a traditional home router, and a wireless card.
So far I have:
- Set up my wireless to act as a true Master Access point using hostapd
- Created a bridge (I think) between the Wireless and Local LAN
- Set up a DHCP server that is successfully assigning addresses to the bridge - both wireless and wired are getting them.
- Set up OpenVPN so that it successfully creates a tunneled connection upon boot.
Current behavior routes all traffic from my Ubuntu machine to the VPN server. The other devices do NOT have any connectivity, and that's the issue.
My Question/Goal:
How do I configure the routing so that OpenVPN only directs traffic from my bridge (devices under 192.168.10.x) through the VPN tunnel and NOT traffic from the actual Ubuntu computer?
OpenVPN sets up some routes automatically, but it seems to ignore the bridge I set up.
I have read a lot of documentation on iptables and route, but it makes very little sense to me. Despite multiple tutorials, I still don't understand how to read the results from the route command. I also suspect this can be accomplished with route-noexec and route-up in the OpenVPN configuration file, but nothing has been successful.
My knowledge of where configuration files and settings are is limited. The above tasks took me at least 30 hours of tinkering, so please go easy on me :)
Thanks!
Edit
I've posted a solution below that directs the bridge traffic, but it doesn't prevent traffic on the Ubuntu computer from going through the VPN.
Solution 1:
I'm not sure this is ideal, but it's at least working. In a perfect world, the traffic on the Ubuntu computer would not route through the VPN - only those devices connected to the Ubuntu computer. Anyway, here's the solution:
In the openvpn.conf file:
script-security 2
up "/path/to/external/script.sh"
In the /path/to/external/script.sh file:
#!/bin/sh
# Run by OpenVPN once the tunnel is up: allow new connections from the bridge subnet into the tunnel.
iptables -A FORWARD -o tun0 -i br0 -s 192.168.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Let replies (and related connections) be forwarded in either direction.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop every existing source-NAT rule, then masquerade all traffic leaving via the tunnel.
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
In the above, tun0 is the tunnel created by OpenVPN, br0 is the bridge between my local wireless and local LAN, and 192.168.10.0/24 is the subnet/DHCP pool for my local LAN.
I have no idea what that script does but I cobbled it together from a few sites on Internet Connection Sharing.
I'll leave this answer un-checked in case anyone wants to provide a better one or explain how to prevent traffic on the Ubuntu computer from going through the VPN.
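The route-noexec / route-up approach the question mentions, worked through as an added example (my script, not the asker's and not OpenVPN's own): a route-up hook that puts only the bridge subnet into a second routing table whose default route is the tunnel, so the Ubuntu host's own traffic keeps using the home router. br0 and 192.168.10.0/24 come from the post; the script path, table number 100, the LAN_IF/LAN_NET/VPN_TABLE variables and the RUN dry-run switch are my assumptions.

```shell
#!/bin/sh
# vpn-route-up.sh: OpenVPN route-up hook (added example, not the asker's script).
# Only traffic forwarded from the bridge is sent through the tunnel; the host's
# own default route stays via the home router. openvpn.conf needs:
#   script-security 2
#   route-noexec                 # OpenVPN adds no routes itself
#   route-up /path/to/vpn-route-up.sh
# OpenVPN exports $dev (e.g. tun0) and, for tun, $route_vpn_gateway to the hook.
# Assumed local choices: LAN_IF, LAN_NET, routing table 100; RUN=echo dry-runs.
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
VPN_TABLE="${VPN_TABLE:-100}"
RUN="${RUN:-}"   # set RUN=echo to print the commands instead of running them

vpn_route_up() {
    tun="${dev:?OpenVPN did not export \$dev}"
    $RUN sysctl -q -w net.ipv4.ip_forward=1
    # Replies to masqueraded LAN flows arrive on the tunnel, but the host's own
    # route back to their source is the home router, so strict reverse-path
    # filtering (rp_filter=1) would drop them; use loose mode on the tunnel.
    $RUN sysctl -q -w "net.ipv4.conf.$tun.rp_filter=2"
    # Separate routing table whose only default route is the tunnel.
    if [ -n "${route_vpn_gateway:-}" ]; then
        $RUN ip route replace default via "$route_vpn_gateway" dev "$tun" table "$VPN_TABLE"
    else
        $RUN ip route replace default dev "$tun" table "$VPN_TABLE"
    fi
    # Packets sourced from the bridge subnet are routed by that table; delete a
    # stale copy first so reconnects do not stack duplicate rules.
    $RUN ip rule del from "$LAN_NET" table "$VPN_TABLE" 2>/dev/null || true
    $RUN ip rule add from "$LAN_NET" table "$VPN_TABLE" priority "$VPN_TABLE"
    # Firewall: bridge -> tunnel allowed, replies kept, NAT behind the tunnel
    # address, and a leak guard that drops bridge traffic trying to exit any
    # other way (e.g. via the home router while the tunnel is down).
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$tun" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$LAN_IF" ! -o "$tun" -j DROP
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$tun" -j MASQUERADE
}

# Number of commands a dry run issues; checkable without root or a tunnel.
vpn_route_up_count() { RUN=echo vpn_route_up | wc -l | tr -d ' '; }

# Run the hook only when OpenVPN executes this file directly.
case "$0" in */vpn-route-up.sh|vpn-route-up.sh) vpn_route_up ;; esac
```

The iptables rules are appended on every (re)connect, so pair the hook with a down script that deletes them, or guard each with `iptables -C` before `-A`.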