offloading OpenVPN using external gateway

chrispazz

@bingo600 it is 192.168.5.254

bingo600

@chrispazz

??

Then what is your ISP router inside ip ?

bingo600

@chrispazz said in offloading OpenVPN using external gateway:

I tried enabling logging on the rule and I can confirm it is using it.

Ok

Now try to do a packet trace on the pfSense WAN

Set host address to the Raspi IP

And generate some traffic destined for VPN

chrispazz

@bingo600 oops....sorry. Inside IP of router is 192.168.5.254.

Pf sense has 192.168.5.1 on the WAN side...

chrispazz

@bingo600

Activated packet capture on host 192.168.5.9 and opened a webpage with www.google.it:

16:58:57.410983 IP 192.168.5.1 > 192.168.5.9: ICMP echo request, id 43267, seq 8815, length 9
16:58:57.920985 IP 192.168.5.1 > 192.168.5.9: ICMP echo request, id 43267, seq 8816, length 9

bingo600

@chrispazz said in offloading OpenVPN using external gateway:

@bingo600

Activated packet capture on host 192.168.5.9 and opened a webpage with www.google.it:

16:58:57.410983 IP 192.168.5.1 > 192.168.5.9: ICMP echo request, id 43267, seq 8815, length 9
16:58:57.920985 IP 192.168.5.1 > 192.168.5.9: ICMP echo request, id 43267, seq 8816, length 9

Where did 192.168.5.9 come from ??
did you mean 5.99

chrispazz

@bingo600 yes is 5.99 :) don't hate me eheheh

bingo600

@chrispazz

So we have confirmed that the ICMP (ping) packages are actually being "policy routed" from 5.1 (pfSense) to 5.99 (RasPI)

We don't see any Echo reply ... The issue is probably on the RasPI

bingo600

On the Raspi (as root)

What does a : sudo iptables -L show ?

And this one ?

chrispazz

This post is deleted!

bingo600

Did you reboot the RasPI after enabling forwarding ?

chrispazz

@bingo600 yes, forward is activated.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and yes, I rebooted it a lot of times :)

bingo600

@chrispazz

Does this one give the expected result , should be your (OpenVPN public ip) ?

wget http://ipinfo.io/ip -qO -

Can you ping the google.it from the RasPI ?

/Bingo

chrispazz

@bingo600 said in offloading OpenVPN using external gateway:

wget http://ipinfo.io/ip -qO -

Both yes.
And if I test a traceroute from raspi I can confirm it is going outside using VPN connection....

bingo600

@chrispazz

Now : I would connect a PC directly to the RasPI , or directly to the ISP inside LAN , and set def-gw to the RasPI , and maybe DNS to 8.8.8.8

Then start debugging directly between the PC & The Raspi.

This can come in handy ... Disables all iptables stuff on the Raspi.
But only for this "boot sesion"

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

I use these rules on my Deb10 machines , for OVPN to a VPN provider.

Remember to replace ens192 with the name of your ethernet interface on the Raspi.

# Default policy to drop all incoming packets
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Accept incoming packets from localhost and the LAN interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ens192 -j ACCEPT

# Accept incoming packets from the WAN if the router initiated
# the connection
iptables -A INPUT -i tun0 -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward LAN packets to the WAN
iptables -A FORWARD -i ens192 -o tun0 -j ACCEPT

# Forward WAN packets to the LAN if the LAN initiated the
# connection
iptables -A FORWARD -i tun0 -o ens192 -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT traffic going out the WAN interface
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#

Remember to save new rules if you change them

sudo systemctl enable netfilter-persistent

chrispazz

@bingo600 said in offloading OpenVPN using external gateway:

sudo systemctl enable netfilter-persistent

I made some other tests.

Raspberry is working good if I set a client to use it as network interface gateway and connection will go thru VPN (using my own iptables rules or yours).

So it seems that when I go thru pfsense, WAN main gateway (ISP router) is getting used instead of firewall rule gateway...

bingo600

@chrispazz said in offloading OpenVPN using external gateway:

@bingo600 said in offloading OpenVPN using external gateway:

sudo systemctl enable netfilter-persistent

I made some other tests.

Raspberry is working good if I set a client to use it as network interface gateway and connection will go thru VPN (using my own iptables rules or yours).

So it seems that when I go thru pfsense, WAN main gateway (ISP router) is getting used instead of firewall rule gateway...

That doesn't make sense
The packet trace you made doesn't lie.

bingo600

Now is the time to use tcpdump on the RasPI

https://kalitut.com/record-network-traffic-with-raspberry/

To see what it actually receives & forwards

chrispazz

@bingo600
This is traceroute from the client with the firewall rule applies:

traceroute to www.google.it (216.58.215.227), 64 hops max, 52 byte packets
1 192.168.5.254 (192.168.5.254) 2.370 ms 1.583 ms 1.516 ms

The first hop go to ISP gateway....I can't see Raspi here...

bingo600

@chrispazz
But that is not consistent with the packet trace you made on the pfSense

Can you do another trace , and then the traceroute ?