Home / server / Questions / 1084247
In Process
T0maas
Asked: 2021-11-23 02:50:42 +0800 CST

How to route lan trafic over VPN

  • 772

I have two computers connected to same VPN (hamachi) network. There are in different places. Lets say I have this addresses:

Machine A: (rpi zero - using wifi)

wlan0:
    inet 192.168.2.160  netmask 255.255.255.0

ham0:
    inet 25.61.150.71  netmask 255.0.0.0

Machine B (laptop - using wifi):

wlan0:
    inet 192.168.0.103  netmask 255.255.255.0

ham0:
    inet 25.72.151.72  netmask 255.0.0.0

Each machine can ping each other. But what must I do if I want to access some other machine on Machine A network from Machine B?

For example on Machine B:

ping 192.168.2.123

192.168.2.123 is located on Machine A LAN.

I've tried this:

Machine A (as root):

LAN=wlan0
HAM=ham0

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $LAN -j MASQUERADE  
iptables -A FORWARD -i $LAN -o $HAM -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $HAM -o $LAN -j ACCEPT

Machine B:

sudo ip route add 192.168.2.0/24 via 25.61.150.71

But without success.

I cant ping 192.168.2.123 from machine B.

How can I do this properly?

Edit: Commands written above seems to be correct. I've tested similar setup with freelan vpn instead of hamachi and it works.

vpn routing local-area-network

1 Answers

  1. The solution is actually a bit more straitforward.

    Ignore the iptables commands on machine A for now as that is about hiding your subnet 192.168.2.0/24 behind a NAT.

    Instead focus on what is actually going on when you do a ping command.

    When you send a ping to a remote ip you actually need to inform both machine A and machine B how to get the respective networks 192.168.0.0/24 and 192.168.2.0/24.

    You got the first part right about telling machine B that in order to ping anything on 192.168.2.0/24 it has to go through 25.61.150.71.

    That is what you did in the command:

    machineB> sudo ip route add 192.168.2.0/24 via 25.61.150.71

    This is possible since machine A and machine B is on the same subnet provided by Hamachi.

    But any ping command also needs to send a reply back, so how does the machine A know where the network 192.168.0.0/24 is located?

    You can tell machine A that the subnet 192.168.0.0/24 is located behind 25.72.151.72.

    This leads the the following command:

    machineA> sudo ip route add 192.168.0.0/24 via 25.72.151.72

    However we are not quite out of the woods yet, since even though machine A and machine B knows where to send traffic to any host belonging to either net we still have the challange of how does any other host belonging to the 192.168.0.0/24 know how to contact 192.168.2.0/24?

    If machine A and machine B is not the default gateway for their networks, then we need to add a static route to the default gateway on either net.

    For machine A's default router we need to tell that 192.168.0.0/24 is reachable through 192.168.2.160.

    Similar we need to tell machine B's default router that 192.168.2.0/24 is reachable through 192.168.0.103.

    After all this is done you should be able to ping from any host belonging to either net to any host belonging to the other net.

    • 1