
Dear Raspberry community,

I am using a Raspberry Pi with the newest Stretch version and am facing a routing issue. My network:

LAN: 192.168.178.0/24
Subnet mask 255.255.255.0
Default eth0 Gateway 192.168.178.1
(this network is connected to the raspberry)

Second available VPN network (not yet used on the Raspberry Pi)
VPNLAN: 192.168.1.0/24
Subnet mask 255.255.255.0
Default eth0 Gateway 192.168.1.1

I want the setup like this: I want to access the Raspberry Pi from all devices in my LAN (that already works perfectly).

When it comes to the internet (running updates on the Raspberry Pi or any other traffic caused by software on the Raspberry Pi), the (internet) traffic should be routed through the VPNLAN.

I think therefore I have to add a route and have the address of the VPNLAN (192.168.1.1) as the only gateway.

I am not an expert; I tried some settings with route adding etc. Nevertheless it did not work.

I added a route through the WAN connection to the VPN network; that did not work. How can I connect to the VPN router through the eth0 (192.168.178.0/24) network? I tried it like this:

ip route add 192.168.1.0/24 via 192.168.178.101   # (WAN 192.168.178.101 from LAN network).

I do not want to solve that for the entire network, just for the Raspberry Pi. How do I realize that, what kind of commands do I have to use here? How can I send internet-bound traffic to the VPN router?

Update:
I now followed your advice and started the VPN client on the Raspberry Pi. Here is the output of the requested commands:

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:19:cc:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.35/24 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::32a4:b141:4a75:79a2/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.16.33.194/24 brd 10.16.33.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::b3be:ceaf:ad86:696c/64 scope link flags 800
       valid_lft forever preferred_lft forever

ip route
0.0.0.0/1 via 10.16.33.1 dev tun0
default via 192.168.178.1 dev eth0 src 192.168.178.35 metric 202
10.16.33.0/24 dev tun0 proto kernel scope link src 10.16.33.194
128.0.0.0/1 via 10.16.33.1 dev tun0
192.168.2.0/24 via 192.168.178.1 dev eth0
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.35 metric 202
213.152.028.210 via 192.168.178.1 dev eth0

Does that help? I want to make sure that the entire internet traffic is routed through the tun0 connection. Requests from 192.168.2.0/24 should not be routed through the network, and if tun0 is down, no internet connection should be possible immediately.

I have a local network (192.168.178.0/24) and a remote network (192.168.2.0/24) that are connected via a router VPN connection (2x FritzBox). It is possible for me to reach every device in one network from the other; that works great. My Raspberry Pi is 192.168.178.35, has different software running and OpenVPN as well. I would like to achieve that the external traffic from the Raspberry Pi to the internet is routed through the OpenVPN connection and everything else should stay as it is, so that the Raspberry Pi can still be reached over the local networks.

Is it possible at all? And how?

Thank you very much for your great help.

Warm regards, Stefan

Ingo
Stefan
  • What have you tried? (Please edit it into your question.) – Mark Smith Jan 04 '19 at 08:58
  • I added a route through the WAN connection to the VPN network; that did not work. How can I connect to the VPN router through the eth0 (192.168.178.0/24) network? I tried it like this: ip route add 192.168.1.0/24 via 192.168.178.101 (WAN 192.168.178.101 from LAN network) – Stefan Jan 04 '19 at 09:34
  • Does the Pi need to do its own routing for this? Can your router not send all internet-bound traffic to the VPN device? How does the VPN LAN connect through to the Pi? They appear to be sharing the single eth0 interface. You should only have one default gateway, so just setting that to your VPN network, traffic should flow between your .178.0 network and internet-bound traffic should be sent off down the 1.0 link. – tobyd Jan 04 '19 at 13:54
  • Yes, I agree. I do not want to solve that for the entire network, just for the Raspberry Pi. I find your suggestion very good; how do I realize that, what kind of commands do I have to use here? How can I send internet-bound traffic to the VPN router? Thanks in advance – Stefan Jan 04 '19 at 15:27
  • Please start the VPN client on the Raspberry Pi to establish the VPN tunnel to the VPN server. Then please edit your question and add the output of these commands to it: ip addr and ip route. – Ingo Jan 04 '19 at 21:34
  • Please give me a comment when done and address me with @Ingo, otherwise I won't see your reply. – Ingo Jan 04 '19 at 21:41
  • Dear Ingo, see below – Stefan Jan 05 '19 at 19:40

2 Answers


You potentially have multiple problems here, but I'll try to address the first ones in order. You may need to come back with another question later.

First, your routing is wrong. You want to send the default traffic to the VPN gateway and send only local traffic to the local network. What you've got looks like you're telling the Pi to send all traffic destined to an IP on the VPN network to the Pi itself, which is circular and futile. You probably are not generating any traffic with IPs on that network in the situation that you described, so this rule won't trigger, but if it did it would not lead to messages going out. (I'm under the impression here that 192.168.178.101 is the IP address of the Pi, but that won't ultimately matter in the correct routing.) So you want your routing to look like this:

Destination    Gateway         Genmask
default        192.168.1.1     0.0.0.0
192.168.178.0  0.0.0.0         255.255.255.0

(I've dropped the last few columns.)

Depending on the state you've gotten your routes into, that may or may not require adding or dropping routes from what you have.

Now this probably won't get you up yet because you need the return routes set properly too, i.e. this should get outgoing messages heading in the right direction, but the upstream gateway also needs routing to get the return message back to your machine. That may or may not go immediately depending on how the VPN itself is configured.

Also, as noted in the comments, this sort of thing typically is not set by routing manually. (Although I do have a single machine on my system that does do it that way.) Often you connect to the VPN using some client software and that handles this part for you through policies or by modifying the routing tables automatically.

Brick

First a summary of the information as far as I understand it.

   10.16.33.194                                         10.16.33.1
       /               VPN tunnel       ┌────────────────┐   \
      ╔══════════════════╗ ╔════════════╪════════════════╪═══ VPN-Server
      ║                  ║ ║     VPN    │ 213.152.28.210 ┼────┘
   (tun0)                ║ ║ ╔══════════╪═══╗            │
RPi(eth0) <------------> router1 <----> │   ║            │
      \       wired     /         wan   │   ║            │
 192.168.178.35    192.168.178.1        │   ║            │
                                        │   ║ INTERNET   │
                                        │   ║            │
                                  wan   │   ║            │
192.168.2.0/24 <-------> router2 <----> │   ║            │
                        /    ╚══════════╪═══╝            │
                 192.168.2.1            ╰────────────────┘
               Internet Gateway

I assume that the route to host 213.152.028.210 via the router (192.168.178.1) is to the VPN server on the internet (outer ip address).

The following is unclear:

  • Subnet 192.168.1.0/24 (VPNLAN?)
  • Subnet 192.168.2.0/24: there is a route to it via the router (192.168.178.1)
  • Subnet 0.0.0.0/1: there is a route to it through the VPN tunnel
  • Subnet 128.0.0.0/1: there is a route to it through the VPN tunnel

I don't know what all this is needed for and what you have running that creates it. I will simply ignore it for now.

For your needs the routing table should look similar to this:

default via 10.16.33.1 dev tun0 src 10.16.33.194 metric 202
10.16.33.0/24 dev tun0 proto kernel scope link src 10.16.33.194 metric 202
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.35 metric 202
213.152.28.210 via 192.168.178.1 dev eth0

This will define the virtual private network 10.16.33.0/24 and the local area network 192.168.178.0/24. All traffic not belonging to the LAN is sent through the VPN tunnel, except traffic to the single host 213.152.28.210. Traffic through the tunnel is mostly traffic to the internet. 213.152.28.210 seems to be the VPN server and is needed to find the end point of the VPN tunnel.

With ip route { add | del } ROUTE you can modify your routing table, but first you should clean up your installation to avoid unnecessary settings.

If the VPN connection is down there is no way (route) to the internet. Then you cannot get into the internet without a VPN connection, provided all clients use 192.168.178.35 as their gateway. It's not safe if clients use the router 192.168.178.1 as their gateway. This can simply be reconfigured on the client. Security then depends on the configuration of the router. If it only passes 213.152.28.210 (public IP address of the VPN server) then you are safe.

A gateway must reside on the same subnet as the clients. From 192.168.178.0/24 you cannot use 10.16.33.194. It must be 192.168.178.35 with IP forwarding to 10.16.33.194 (routing).

To make a long story short: make sure that all clients use gateway 192.168.178.35, usually done with the router option on the DHCP server, or by setting option static routers in /etc/dhcpcd.conf on every client. If you have access to the router then you have to set a filter (firewall rule?) so that it only passes IP address 213.152.28.210 to the internet. If you don't have access to it then you can only trust that nobody changes static routers in /etc/dhcpcd.conf.

UPDATES to answer questions from the comments:
The RasPi has no outside public IP address. It is not connected to the internet. It can only be router1 or router2. The RasPi normally sends IP packets to the internet through router1. Router1 does network address translation (NAT), so everyone outside only sees the router's outside IP address. Returning packets from the internet to the RasPi are all sent to router1. Thanks to NAT it knows that it has to send them to the inside RasPi. So everyone outside only sees the router's outside IP address, no matter which inside device the packets are coming from.

Traffic through the internet is normally not encrypted, so everyone can spy on your private data. This is the case when using web sites with http://www.... You have to use encrypted connections with https://www.... People will use the RasPi with OpenVPN if they want to connect to other private devices or networks. OpenVPN makes an encrypted tunnel through the insecure internet, so nobody can spy on your private data. You yourself have made the best example of using OpenVPN the right way by connecting the two private networks 192.168.178.0/24 and 192.168.2.0/24. You use the connection as if they were directly connected with an ethernet cable. Nobody can spy on your private data going through the VPN tunnel between the networks.

As far as I see it does not make sense in your case to send all internet data from the RasPi through a VPN tunnel to the VPN server in France. There it will leave the VPN tunnel and is sent into the internet without encryption. There is no difference if you use router1 directly for internet access.

If you want to obscure your internet activity so the NSA cannot follow your (maybe encrypted) metadata for connections, you have to use the Tor network. But this is a completely different approach.

Ingo
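To see what the routing tables in both answers actually do, here is an added example (my own code, not from the question or either answer): a small longest-prefix-match simulation of a Linux main routing table, fed with the ip route output posted in the question and with the table recommended in this answer. It assumes the VPN server's address is 213.152.28.210 as written in this answer, and 1.1.1.1 is used only as an arbitrary internet destination. It shows why the posted table already sends internet traffic through tun0 (the two /1 routes are more specific than the default route), why it still falls back to router1 when tun0 goes away, and that the recommended table leaves no route to the internet once tun0 is gone. It also shows that without the 192.168.2.0/24 route, traffic for the remote FritzBox network would go into the tunnel as well, so that route has to be kept if the remote network is to stay reachable from the Pi.

```python
# Added example: longest-prefix-match simulation of the routing tables from this
# thread. Not code from the question or the answers. Models only the main table
# (no policy routing / ip rule); 1.1.1.1 is just an arbitrary internet address.
import ipaddress


def parse_ip_route(text):
    """Parse the text of `ip route` into a list of route dicts.

    Each dict has: net (ip_network), dev, via (gateway or None), metric (int).
    'default' becomes 0.0.0.0/0; host routes such as '213.152.28.210 via ...'
    become /32 networks.
    """
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"net": ipaddress.ip_network(dest, strict=False),
                 "dev": None, "via": None, "metric": 0}
        # Walk the keyword/value pairs after the destination; other words
        # (proto, scope, src, ...) are irrelevant for route selection here.
        for key, value in zip(fields[1:], fields[2:]):
            if key == "dev":
                route["dev"] = value
            elif key == "via":
                route["via"] = value
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Kernel-style selection: longest prefix wins, lower metric breaks ties.

    Returns (dev, via) for the chosen route, or None if no route covers dst.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["dev"], best["via"]


def without_device(routes, dev):
    """Routes left after an interface disappears (the kernel drops its routes)."""
    return [r for r in routes if r["dev"] != dev]


def report(routes, destinations):
    """Map each destination to the (dev, via) it would be sent through."""
    return {dst: lookup(routes, dst) for dst in destinations}


# Constructed from the `ip route` output posted in the question; the VPN server
# address is written as 213.152.28.210, as in the answer's version of the table.
POSTED_TABLE = parse_ip_route("""
0.0.0.0/1 via 10.16.33.1 dev tun0
default via 192.168.178.1 dev eth0 src 192.168.178.35 metric 202
10.16.33.0/24 dev tun0 proto kernel scope link src 10.16.33.194
128.0.0.0/1 via 10.16.33.1 dev tun0
192.168.2.0/24 via 192.168.178.1 dev eth0
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.35 metric 202
213.152.28.210 via 192.168.178.1 dev eth0
""")

# The table recommended in this answer: a single default route through the tunnel.
RECOMMENDED_TABLE = parse_ip_route("""
default via 10.16.33.1 dev tun0 src 10.16.33.194 metric 202
10.16.33.0/24 dev tun0 proto kernel scope link src 10.16.33.194 metric 202
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.35 metric 202
213.152.28.210 via 192.168.178.1 dev eth0
""")

if __name__ == "__main__":
    probes = ("1.1.1.1", "213.152.28.210", "192.168.178.1", "192.168.2.1")
    for name, table in (("posted", POSTED_TABLE), ("recommended", RECOMMENDED_TABLE)):
        print(f"== {name} table ==")
        for dst, path in report(table, probes).items():
            print(f"  {dst:16} -> {path}")
        down = without_device(table, "tun0")
        print(f"  tun0 down, 1.1.1.1 -> {lookup(down, '1.1.1.1')}")
```

Run it with python3 and compare the two blocks it prints. The 0.0.0.0/1 and 128.0.0.0/1 entries are how OpenVPN's redirect-gateway def1 option takes over the default route without touching it; that is why the posted table already shows the VPN provider's address to ipinfo.io, and also why, once tun0 is gone, the untouched default via 192.168.178.1 takes over again. On the Pi itself, ip route get followed by an address gives the kernel's own answer for a single destination.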
  • Thank you so much for your help. Your graphical sketch is right. I followed your advice and eliminated the VPN router (192.168.1.0/24); there is no need for this one any more. What I did not achieve yet is that the RPi can only access the internet over the VPN TUN and, if this connection goes down, no internet connection is possible. Isn't it enough to just define one gateway that is 10.16.33.194? How do I manage this? And it has to be safe, so that no one from the subnet 192.168.2.0/24 or the network 192.168.178.1/24 can access the internet over the default gateway 192.168.178.1. Is that doable? – Stefan Jan 07 '19 at 08:52
  • @Stefan I have updated my answer. You never said anything about subnet 192.168.2.0/24. What is it? – Ingo Jan 07 '19 at 13:11
  • @Ingo I think I managed it with your help. Can you please check if everything is OK now? route shows:
        Kernel-IP-Routentabelle
        Ziel            Router          Genmask         Flags Metric Ref    Use Iface
        0.0.0.0         10.16.33.1      128.0.0.0       UG    0      0        0 tun0
        0.0.0.0         192.168.178.1   0.0.0.0         UG    202    0        0 eth0
        10.16.33.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
        128.0.0.0       10.16.33.1      128.0.0.0       UG    0      0        0 tun0
        192.168.2.0     192.168.178.1   255.255.255.0   UG    0      0        0 eth0
        192.168.178.0   0.0.0.0         255.255.255.0   U     202    0        0 eth0
        213.152.28.210  192.168.178.1   255.255.255.255 UGH   0      0        0 eth0
    – Stefan Jan 07 '19 at 13:36
  • https://picload.org/view/dcirgpwo/routing-vpn.jpg.html this one is better to read – Stefan Jan 07 '19 at 13:40
  • Line 3: unknown, should be deleted. Line 4: default route is wrong, Router must be 10.16.33.1. Line 5: OK. Line 6: unknown, should be deleted. Line 7: unknown, should be deleted. Line 8: OK. Line 9: OK. – Ingo Jan 07 '19 at 15:30
  • @Ingo thank you for your feedback!!! When I checked the IP address of the RPi with wget http://ipinfo.io/ip -qO - it shows the IP address of the VPN service provider, so I thought it would be OK. How can I cancel the routings? What happens if the tunnel drops? Warm regards Stefan – Stefan Jan 07 '19 at 18:58
  • @Stefan If you clean up the routing table then you have canceled routing. What happens when the tunnel drops you can read in my answer. – Ingo Jan 07 '19 at 19:34
  • Thanks for your comment. Sorry, I didn't get what you wrote in your previous post. I just want to remove the entries in the table that you recommended to remove. How do I manage that? Thanks and warm regards Stefan – Stefan Jan 08 '19 at 17:33
  • Because I do not know the file where the entries are listed (sorry for the question). – Stefan Jan 08 '19 at 18:16
  • @Stefan No problem with asking :-) The routing table isn't a file, it is stored in memory and managed by the kernel. How to modify it you can also read in the answer. You yourself have used it already with sudo ip route add .... For example, to delete a route: sudo ip route del 0.0.0.0/1 via 10.16.33.1 dev tun0. You can just append the line from the output of ip route. – Ingo Jan 08 '19 at 19:26
  • Dear Ingo, thank you very much. I updated the routing table and it did not work. If I delete line 6, then the shown IP address of the Raspberry Pi is the one of the ISP, not of the OpenVPN provider. Maybe we still need this line? Warm regards Stefan – Stefan Jan 12 '19 at 08:51
  • @Stefan What VPN client do you use? Do you use OpenVPN? Have you set a default route to the VPN server (line 4) default via 10.16.33.1 dev tun0 src 10.16.33.194 metric 202? – Ingo Jan 12 '19 at 10:45
  • Everything I did is in the routing table. Should I add the one you listed? I am using OpenVPN on the Raspberry Pi. Where do I have to add this and how do I make it persistent? Thank you so much Ingo!!! – Stefan Jan 13 '19 at 09:34
  • @Stefan If using OpenVPN most settings are done automagically. In my answer I have written 4 points that are unclear. I don't know what you have done to get these settings. It is not default. Seems you cannot explain it. I will make a simple example with OpenVPN so you can compare what's different. Just a moment, it takes a bit of time. – Ingo Jan 14 '19 at 21:04
  • Thank you very much. Maybe I should explain what I want to achieve. I have a local network (192.168.178.0/24) and a remote network (192.168.2.0/24) that are connected via a router VPN connection (2x FritzBox). It is possible for me to reach every device in one network from the other; works great. My Raspberry Pi is 192.168.178.35, has different software running and OpenVPN as well. I would like to achieve that the external traffic from the Raspberry Pi to the internet is routed through the OpenVPN connection and everything else should stay as it is, so that the Raspberry Pi can still be reached over the local networks. – Stefan Jan 18 '19 at 07:27
  • @Stefan OK, let's go step by step. I have modified the drawing. As far as I understand you have connected two networks by a VPN. Is the drawing right? Where is the gateway to the internet? Is it the FritzBox from network 192.168.2.0/24 (I assume its IP address is 192.168.2.1)? Can you ping -I 192.168.178.35 192.168.2.1? – Ingo Jan 18 '19 at 22:47
  • Thank you very much!!! The drawing is almost right; there is another internet gateway on 192.168.178.1 (in both local networks one local gateway). I am "living" in the network 192.168.178.0/24 and can ping 192.168.178.35 and 192.168.2.1. And if I wget http://ipinfo.io/ip -qO - on the Raspberry Pi it gets the IP address of the OpenVPN connection 213.152.28.211 – Stefan Jan 19 '19 at 07:27
  • @Stefan Please log in to the router1 and router2 web interface and show which FritzBox has the internet address 213.152.28.211. I guess it's router1. – Ingo Jan 19 '19 at 21:58
  • None of them has internet access over 213.152.28.211. Just the Raspberry Pi has internet over 213.152.28.211. Both FritzBoxes have internet over their local ISP. – Stefan Jan 20 '19 at 18:33
  • @Stefan wget ipinfo.io/ip -qO - shows you the outside IP address of a NATed internet connection. router1 has an inside IP address of 192.168.178.1 and a public outside IP address from the provider, shown in the web interface. router2 has an inside IP address of 192.168.2.1 and another public outside IP address from the provider, shown in the web interface. If one of these outside IP addresses is not 213.152.28.211 then there must be a third gateway to the internet. Where is it located? What device has the outside IP address 213.152.28.211 and what inside IP address does it have? – Ingo Jan 20 '19 at 19:40
  • @Ingo On the Raspberry Pi OpenVPN is running, and the Raspberry Pi therefore has (I assume) another gateway? This is what happens if I "wget ipinfo.io/ip -qO -" via PuTTY on the Raspberry Pi. If I check the connections on both routers, they have their local IP address like 83.xx.xx.xx (from German Telekom) – Stefan Jan 20 '19 at 19:58
  • So I thought the OpenVPN software on the Raspberry Pi 192.168.178.35 would do exactly that, routing the traffic on the Raspberry Pi through OpenVPN, and therefore "wget ipinfo.io/ip -qO -" would get back 213.152.28.211, acting so to say as the third gateway... – Stefan Jan 20 '19 at 19:59
  • @Stefan And what is the IP address 213.152.28.210 you told me about before? – Ingo Jan 20 '19 at 20:34
  • That is what is shown in the routing table: 213.152.28.210 192.168.178.1 255.255.255.255 UGH 0 0 0 eth0. So the routing table shows 213.152.28.210 and typing wget ipinfo.io/ip -qO - on the Raspberry Pi shows 213.152.28.211. Does that help? Thank you very much. – Stefan Jan 21 '19 at 16:09
  • @Stefan No, it is completely unclear where ipinfo.io/ip gets the info about 213.152.28.211. There must be a device connected to the internet with an outside IP address 213.152.28.211 that it has gotten from a provider, similar to the FritzBox. And it is unclear where 213.152.28.210 in the routing table comes from. – Ingo Jan 21 '19 at 16:19
  • ipinfo.io/ip is used in PuTTY on the Raspberry Pi itself, as the Raspberry Pi runs OpenVPN and is connected via OpenVPN. It is definitely the IP address of the VPN provider. Where the routing entry is coming from I cannot answer; I assume after installing and starting OpenVPN it was there? Can you help to fix it, or maybe it is all right as it is? – Stefan Jan 23 '19 at 18:30
  • Doesn't that prove that OpenVPN works, if ipinfo.io gives back the IP address of the VPN provider? – Stefan Jan 23 '19 at 18:31
  • @Stefan No, it only shows what IP address your router has, seen from the internet. If VPN is working then it shows what IP address the VPN server (located anywhere) has, seen from the internet. – Ingo Jan 23 '19 at 18:47
  • OK. My initial issue is that I want to achieve that external traffic (just from the Raspberry Pi) is routed to the internet. Is that achieved? The gateway is the OpenVPN server, I assume, right? – Stefan Jan 24 '19 at 11:08
  • @Stefan I don't know. I don't know where the VPN server is located and what route is taken to it. Is it located on the internet? Is the VPN server reachable through router1 or router2 or what? – Ingo Jan 24 '19 at 12:09
  • The VPN provider is located in France; OpenVPN is running on the Raspberry Pi where the gateway is 192.168.178.1. Does that help? I thought the VPN gateway on the Raspberry Pi would make sure that all traffic on the Raspberry Pi is routed through OpenVPN, because the Raspberry Pi has the outside 213.152.28.211 IP address – Stefan Jan 24 '19 at 16:52
  • @Stefan Yes it helps a bit. The RasPi has no outside public IP address. It is not connected to the internet. It could only be router1 or router2, but as you looked at their web interfaces they don't have 213.152.28.211. What is the public IP address of the VPN server in France? – Ingo Jan 24 '19 at 17:04
  • Dear Ingo, thank you very much for your help. The Raspberry Pi has no outside IP address, yes. But when I enter wget ipinfo.io/ip via PuTTY on the Raspberry Pi, it gives back the IP address as it is seen on the internet. So, if the Raspberry Pi would connect to a web page, the web page would get that IP, right? I must admit, I think I just give up ;-( I wanted to reach the goal written a few comments above, and I am not an expert at all. :-) – Stefan Jan 25 '19 at 07:37
  • The RasPi sends IP packets to the internet through router1. Router1 does network address translation (NAT), so everyone outside only sees the router's outside IP address. Returning packets from the internet to the RasPi are all sent to router1. Thanks to NAT it knows that it has to send them to the inside RasPi. So everyone outside only sees the router's outside IP address, no matter which inside device the packets are coming from. Don't give up. If I know the IP address or DNS name of the VPN server in France then we get a step forward. – Ingo Jan 25 '19 at 09:28
  • @Ingo I really don't get it. Why would people use the Raspberry Pi with OpenVPN if the page you are connecting to still sees the ISP IP address? I thought typing "what's my IP" on the Raspberry Pi would actually show how the Raspberry Pi is seen on the internet, with the OpenVPN provider's IP address, and the ISP IP address is no longer visible. I don't get it. Installing it on the Raspberry Pi wouldn't make sense; just installing it on the FritzBox would help? I want to achieve that just the Raspberry Pi applications hide their IP on the internet, therefore OpenVPN on the Raspberry Pi – Stefan Jan 25 '19 at 10:35