The following problem is just a piece of a bigger solution I have a problem with. All other elements seem to be working so far, so I'll try to describe the very small piece which I have a problem with.
I've got a Linux machine, with tun0 (tunneling interface) and eth0 (which is my default gateway to the internet).
Goal: my goal is to receive packets incoming from tun0 and forward them to the default gateway. So actually a quite simple NAT case, where I want to "share" internet with tun0, which fakes a physical interface.
Tun has been created using
sudo openvpn --mktun --dev tun0 --user USER
sudo ip addr add 10.2.0.1/24 dev tun0
sudo ip link set tun0 up
So I have it up and running, I can ping it etc. Furthermore, I have a C++ application which attaches to this TUN device and can read from and write to it. (fyi: here is the tutorial I've followed: http://backreference.org/2010/03/26/tuntap-interface-tutorial/)
I dumped a correct ICMP (ping) request made to 8.8.8.8 into a byte array in C++. Now, using my program, I write it to the tun0 device. The ICMP request has
- source (10.2.0.10) - so kernel knows the route back (the same subnet)
- destination (8.8.8.8) - Google's DNS
- correct checksum etc. (in Wireshark /TShark it appears correctly on tun0)
Then, I have following routes:
iptables -F # flush
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface tun0 -j ACCEPT
And here I'm stuck :( The packet does not get forwarded to the default gw (tshark sees it only on tun0 as received, which I guess is correct).
What's missing? Maybe some alternative approach (but it has to be done using a tun device, and I have to be able to r/w to it). Additional info:
- forwarding is enabled (/proc/sys/net/ipv4/ip_forward)
- 8.8.8.8 is reachable through eth0 (from local)
- default gateway is correct (from ISP via eth0)
- I've tried switching off rp_filter (echo 0 > /proc/sys/net/ipv4/conf/eth5/rp_filter)
- and many others...
Thanks in advance for any hints!
An alternative solution would be using a bridge. So you can bridge your tun0 with eth0 and there is no need for NAT or setting an IP on tun0; you just put IPs from the same subnet as eth0 and the same gateway you are using right now on the clients' tunnel interfaces. Commands for setting a bridge up:
www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/set-up-the-bridge
I recently ran into this problem (following the same article mentioned in the question) and after fiddling around a little, I found that the following command enables the local forwarding of the packets for the tun device.
I know it's very late; I am just posting here so that anybody who faces the same issue can have some kind of help.