Routing traffic from VPN to different network device

Finally I got OpenVPN up and running, but now I really miss accessing all my web services (Apache, FTP, SSH etc.) through the VPN server. Is there a simple way to route all traffic from my wlan1 device to tap0?

server.conf:

port 1193
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
script-security 2

I was actually hoping that this forward would solve the problem, but this was not the case:

# NAT whatever leaves through the wireless interface
/sbin/iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE
# let replies to established connections back into the VPN (server.conf uses dev tap0)
/sbin/iptables -A FORWARD -i wlan1 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# forward everything coming out of the VPN towards the LAN
/sbin/iptables -A FORWARD -i tap0 -o wlan1 -j ACCEPT
# the FORWARD chain only sees packets when forwarding is enabled in the kernel
sysctl -w net.ipv4.ip_forward=1

Setup:

This is basically my setup: DSL router -> Wireless router -> Ubuntu server.

On the Ubuntu server I host Apache, SSH, and other server applications and services. When a client accesses my server via VPN, I would like to access all these services.


You still haven't provided much detail, so I'm going to guess that your setup is as follows. You usually access services on your server by its public IP (or a hostname which resolves to it), e.g. http://1.2.3.4/. When you start the VPN, OpenVPN connects to that same public IP 1.2.3.4, and while the VPN is up you access services using the server's private VPN IP, e.g. http://10.8.0.1/. You want to be able to use the public IP regardless of whether the VPN is up or not.

The best solution is to use a separate IP for the OpenVPN server because it greatly simplifies the routing. I'm assuming you don't have this option however.

The problem is that even when you're routing all traffic over the VPN, traffic to the VPN server's public IP must be routed out the default gateway in order for the encrypted VPN packets to actually get there. The routing table looks something like this:

192.168.0.0/24 dev eth0
1.2.3.4/32 via 192.168.0.1
10.8.0.1/32 dev tun0
default via 10.8.0.1

Since the other services you're trying to access use the same IP as the VPN server they also get routed directly out the default gateway. The only way around this is to use port-based routing, which is set up like this:

  1. Create a new routing table (only needs to be done once):

    # the table name file is rt_tables (plural); id 1 must not already be in use
    echo 1 vpn >> /etc/iproute2/rt_tables
    
  2. Route everything using this new table via the VPN:

    ip route add default via 10.8.0.1 table vpn
    
  3. Tell the kernel to use this new table for all packets with a specific firewall mark:

    ip rule add fwmark 0x01 lookup vpn
    
  4. Setup firewall rules to mark the packets you want to route via the VPN:

    # never mark the VPN's own packets: server.conf uses "proto tcp", so the TCP
    # rule has to exclude port 1193 too, or the tunnel gets routed into itself
    iptables -t mangle -A OUTPUT -p tcp ! --dport 1193 -j MARK --set-mark 0x01
    iptables -t mangle -A OUTPUT -p udp ! --dport 1193 -j MARK --set-mark 0x01
    

You'll probably want to set this up in an up script on the client, and tear it down in a down script.
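As an added example that is not part of the original answer, here is one client-side script that does the four steps above and can be used as both the OpenVPN up and down hook. Assumed values (not from the original): the server's tunnel-side address 10.8.0.1 and port 1193 taken from the posted server.conf, a table called `vpn` with id 100, fwmark 0x01, and the `$dev` and `$script_type` variables that OpenVPN exports to its hook scripts. Setting `RUN=echo` makes it print the commands instead of executing them, so it can be checked without root. It also adds one thing the answer does not mention: because the kernel picks a source address before the mangle mark is applied, the diverted packets would otherwise leave the tunnel with the LAN address, so they are masqueraded to the tunnel address.

```shell
#!/bin/sh
# Added example, not part of the original answer: one script usable as both the
# OpenVPN --up and --down hook on the client, implementing the four steps above.
# Assumptions (change to match your setup): the server's tunnel-side address is
# 10.8.0.1, the encrypted VPN traffic goes to port 1193 (TCP or UDP, as in the
# posted server.conf), the extra table is called "vpn" with id 100, and the
# packets to divert carry fwmark 0x01. RUN=echo prints the commands instead of
# executing them (dry run; no root needed).

VPN_GW="${VPN_GW:-10.8.0.1}"                # OpenVPN server, tunnel side
VPN_PORT="${VPN_PORT:-1193}"                # port the encrypted packets go to
TABLE_ID="${TABLE_ID:-100}"                 # unused id in rt_tables (1-252)
TABLE_NAME="${TABLE_NAME:-vpn}"
MARK="${MARK:-0x01}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
TUN_DEV="${dev:-tun0}"                      # OpenVPN exports $dev to hook scripts
RUN="${RUN:-}"                              # "" = execute, "echo" = dry run

# Step 1: register the table name once; skip if an identical line already exists.
ensure_rt_table() {
    if [ -r "$RT_TABLES" ] && grep -qE "^${TABLE_ID}[[:space:]]+${TABLE_NAME}\$" "$RT_TABLES"; then
        return 0
    fi
    $RUN sh -c "echo '$TABLE_ID $TABLE_NAME' >> '$RT_TABLES'"
}

# The packets that must NOT be diverted are the tunnel's own encrypted packets;
# with "proto tcp" in server.conf that means TCP to the VPN port, not only UDP.
mark_rules() {
    # $1 is "-A" (up) or "-D" (down); the rule bodies are identical for both.
    $RUN iptables -t mangle "$1" OUTPUT -p tcp --dport "$VPN_PORT" -j RETURN
    $RUN iptables -t mangle "$1" OUTPUT -p udp --dport "$VPN_PORT" -j RETURN
    $RUN iptables -t mangle "$1" OUTPUT -p tcp -j MARK --set-mark "$MARK"
    $RUN iptables -t mangle "$1" OUTPUT -p udp -j MARK --set-mark "$MARK"
    # The source address is chosen before the mark is applied, so rerouted
    # packets would leave the tunnel with the LAN address; rewrite it to the
    # tunnel address so the server's replies come back through the VPN.
    $RUN iptables -t nat "$1" POSTROUTING -o "$TUN_DEV" -m mark --mark "$MARK" -j MASQUERADE
}

vpn_policy_up() {
    ensure_rt_table
    # Step 2: "replace" rather than "add" so a re-run does not fail on an existing route.
    $RUN ip route replace default via "$VPN_GW" table "$TABLE_NAME"
    # Step 3: marked packets consult the vpn table before main.
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE_NAME"
    # Step 4: mark everything except the tunnel's own packets.
    mark_rules -A
}

vpn_policy_down() {
    mark_rules -D
    $RUN ip rule del fwmark "$MARK" lookup "$TABLE_NAME"
    $RUN ip route flush table "$TABLE_NAME"
}

# OpenVPN sets $script_type to "up" or "down" when it runs the hook; when the
# file is sourced or run by hand nothing happens, so the functions can be tested.
case "${script_type:-}" in
    up)   vpn_policy_up ;;
    down) vpn_policy_down ;;
esac
```

To wire it in, the client config needs `script-security 2` plus `up` and `down` pointing at the same file (the path, e.g. `/etc/openvpn/vpn-policy.sh`, is whatever you choose). The RETURN rules for the VPN port come before the MARK rules on purpose: if the tunnel's own packets were marked they would be routed into the tunnel they belong to, and the connection would drop.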