I'm using a Raspberry Pi to run an OpenVPN client. I have 2 client connections set up, using interfaces

tun0
tun1

The Raspberry Pi uses interface

eth0

to connect to the internet.

Then I have USB network adapters plugged in for 2 separate LANs, so that's interfaces

eth1
eth2

The output of ifconfig looks like this:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.6  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::ba27:ebff:fed9:22e8  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:d9:22:e8  txqueuelen 1000  (Ethernet)
        RX packets 36  bytes 15629 (15.2 KiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 113  bytes 16995 (16.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.110.1  netmask 255.255.255.0  broadcast 192.168.110.255
        inet6 fe80::213:3bff:fe9c:bea3  prefixlen 64  scopeid 0x20<link>
        ether 00:13:3b:9c:be:a3  txqueuelen 1000  (Ethernet)
        RX packets 50  bytes 4871 (4.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 74  bytes 12272 (11.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.91.91  netmask 255.255.255.0  broadcast 192.168.91.255
        inet6 fe80::213:3bff:fe9c:baa3  prefixlen 64  scopeid 0x20<link>
        ether 00:13:3b:9c:ba:a3  txqueuelen 1000  (Ethernet)
        RX packets 41  bytes 2038 (1.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 4972 (4.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 178  bytes 14436 (14.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 178  bytes 14436 (14.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.8.2  netmask 255.255.255.0  destination 10.8.8.2
        inet6 fe80::9a75:196b:2daf:6e99  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 9  bytes 1823 (1.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15  bytes 1045 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.8.2  netmask 255.255.255.0  destination 10.8.8.2
        inet6 fe80::8974:fdcd:d086:bc7e  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 39  bytes 2054 (2.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The problem is that with the current routing

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.8.2        0.0.0.0         UG    0      0        0 tun0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.8.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.8.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun1
no-mans-land.m2 10.0.1.1        255.255.255.255 UGH   0      0        0 eth0
92.119.176.21   10.0.1.1        255.255.255.255 UGH   0      0        0 eth0
192.168.91.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.110.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1

I don't know how to continue and configure the firewall/router in a way where devices on my network connected to eth1 use tun0 to get to the internet and devices connected to eth2 use tun1 instead.

I used systemd-networkd to set up the network, inspired by this thread: VPN Passthrough two ethernet interface. Now I try to expand it by adding a second VPN connection and using the Raspberry Pi as a dual VPN gateway.

Jan
  • That's not an easy task you are trying. But let me try to understand it step by step. Do you have devices supporting Virtual LANs, e.g. a managed switch? Then I don't understand the VLAN setup. Either you get VLAN untagged IP packets then you should have two physical interfaces eth0 and eth1, or you get VLAN tagged IP packets then you should have on the physical interface eth1 two virtual interfaces e.g. vlan10@eth1 and vlan91@eth1. Then eth1 does not have an ip address. But your setup is mixed up. Why? – Ingo Aug 27 '19 at 13:35
  • You're right. I plan to add another VLAN on eth1 but if that doesn't work, I can just connect another USB ethernet adapter so I'll have eth1 and eth2 LANs. I don't really care which solution I go with but in the end I thought the routing setup would be done the same way, just using different interface names. I have 2 switches - Mikrotik RB2011 and Cisco SF300, both support VLANs but I realize I should first try this with 2 physical interfaces to avoid any VLAN related trouble. – Jan Aug 27 '19 at 14:09
  • I edited the original post and removed VLANs, replacing them with physical interfaces to make things simpler. – Jan Aug 27 '19 at 16:13
  • Do you already have VLANs running on the switch? If so, I wouldn't see more trouble using VLANs on the RasPi with systemd-networkd. It has advanced features for it out of the box. It has the big advantage that you don't need additional wired dongles. You only need eth0 then. Only if you don't have a running VLAN environment on the switch yet would I see more trouble. On the other side, if you want to have VLANs at the end in any case, I would prefer to start with VLANs because OpenVPN is running on top of the network system. OK, but I will look for now at three physical interfaces. – Ingo Aug 27 '19 at 17:03
  • You have two OpenVPN clients running, so you want to connect to two different remote OpenVPN servers. tun0 and tun1 have the same IP address using the same subnet. This cannot work. Where are the OpenVPN servers running? One reachable through eth1, the other reachable through eth2, isn't it? Or are both servers on the internet through eth0? – Ingo Aug 27 '19 at 17:11
  • It's 2 different VPN servers - different public IP, same provider but 2 different countries. It's just the tun interface on RPi that gets (sometimes) the same local IP assigned. Both are accessed from eth0. – Jan Aug 27 '19 at 17:14
  • It seems to work with these 2 rules for the second VPN: sudo ip route add default via 10.8.8.4 dev tun1 table rt2 sudo ip rule add from 192.168.91.0/24 table rt2 ... then eth1 goes through tun0, while eth2 uses table rt2 and is routed through tun1 ... could this be all that was missing? – Jan Aug 27 '19 at 17:19
  • Do you use policy routing with additional routing tables (rt2)? Then there can't be said much about your routing issue without knowing details about the rule list and the other routing tables, not only the main table. – Ingo Aug 27 '19 at 17:39
  • What OpenVPN client do you use? Is there any configuration in /etc/openvpn/? – Ingo Aug 27 '19 at 17:45

1 Answer

I think the issue was solved by configuring routing in 2 tables like this:

From script when tun0 connects:

#!/bin/sh
# Up script for tun0: read the tunnel's local address (it changes on every
# connection), keep a copy of it, and make it the default route in the main table.
VPN_IP=$(ip addr show tun0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)
echo "${VPN_IP}" > /home/pi/tun0_ip
# "replace" instead of "add" so a re-run, or a default route already installed
# by OpenVPN, does not fail with "RTNETLINK answers: File exists".
/sbin/ip route replace default via "${VPN_IP}" dev tun0

From script when tun1 connects:

#!/bin/sh
# Up script for tun1: same address lookup, but the default route goes into the
# separate table rt2, and only traffic from the eth2 LAN is sent to that table.
VPN_IP=$(ip addr show tun1 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)
echo "${VPN_IP}" > /home/pi/tun1_ip
ip route replace default via "${VPN_IP}" dev tun1 table rt2
# "ip rule add" does not de-duplicate: delete any copy left from a previous
# connection first, otherwise every reconnect stacks another identical rule.
ip rule del from 192.168.91.0/24 table rt2 2>/dev/null
ip rule add from 192.168.91.0/24 table rt2

The scripts are defined in the OpenVPN configuration (up/down parameters). They find the IP address of the tun interface (which changes every time the connection is established) and set up routing rules.

Once this is configured, it seems that it works as expected! If I connect a computer to eth1, I get an IP from one country (tun0) when I check whatismyip.com, if I connect to eth2, I get the other one (tun1). I'm just not sure if this is a good and solid solution because I wouldn't expect it to be this easy.

Jan
  • Please accept your own answer with a click on the tick on its left side. Only this will finish the question and it will not pop up again year for year. – Ingo Jan 26 '20 at 19:48
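The policy-routing scheme worked out in the comments and the answer (a separate routing table per tunnel, an ip rule that picks the table by source LAN) written as one OpenVPN up script serving both tunnels. This is an added example, not code from the question or the answer. It goes a little beyond the answer: tun0 gets its own table too instead of living in the main table, each table carries an "unreachable" fallback so that a LAN whose tunnel is down gets no route at all rather than falling through to the main table and leaving via eth0 or the other tunnel, and a rule keeps traffic between the Pi and its own LAN on the LAN interface. Assumptions: the file name /etc/openvpn/vpn-up.sh is hypothetical; the variables script_type, dev, ifconfig_local and route_vpn_gateway are the ones OpenVPN exports to up scripts; the table names rt1 and rt2 are defined in /etc/iproute2/rt_tables; IP forwarding and NAT on tun0/tun1 are already in place from the earlier setup; the LAN prefixes are the ones in the question.

```shell
#!/bin/sh
# Added example, not the answer's scripts: one OpenVPN "up" script for both
# tunnels (hypothetical path /etc/openvpn/vpn-up.sh).  OpenVPN exports
# $script_type, $dev, $ifconfig_local and $route_vpn_gateway to it.
# Assumes /etc/iproute2/rt_tables defines rt1 and rt2, and that forwarding
# and NAT for tun0/tun1 are already configured.
set -eu

# Which routing table each tunnel owns (one table per tunnel).
table_for_dev() {
    case "$1" in
        tun0) echo rt1 ;;
        tun1) echo rt2 ;;
        *)    return 1 ;;
    esac
}

# Which LAN must leave through each tunnel (prefixes from the question).
lan_for_dev() {
    case "$1" in
        tun0) echo 192.168.110.0/24 ;;
        tun1) echo 192.168.91.0/24 ;;
        *)    return 1 ;;
    esac
}

# Print the ip(8) commands that route LAN traffic through tunnel $1 with next
# hop $2.  It only prints, so the result can be inspected without root.
vpn_up_commands() {
    dev_=$1
    gw_=$2
    table_=$(table_for_dev "$dev_") || return 1
    lan_=$(lan_for_dev "$dev_") || return 1

    # Preferred route: default through the tunnel (metric 0).  "replace"
    # keeps the command idempotent across reconnects.
    echo "ip route replace default via $gw_ dev $dev_ table $table_"
    # Fallback: when the tunnel route vanishes, the lookup must end in
    # "unreachable" instead of falling through to the main table and leaking
    # out via eth0 or the other tunnel.  No dev, so it outlives the tunnel.
    echo "ip route replace unreachable default metric 1000 table $table_"
    # Traffic between the Pi and its own LAN keeps using the connected route
    # in the main table; otherwise the Pi's replies to LAN hosts would be
    # pushed into the tunnel.
    echo "ip rule del from $lan_ to $lan_ lookup main priority 90 2>/dev/null || true"
    echo "ip rule add from $lan_ to $lan_ lookup main priority 90"
    # Everything else from this LAN consults the tunnel's table.  ip rule add
    # does not de-duplicate, so remove any stale copy first.
    echo "ip rule del from $lan_ lookup $table_ priority 100 2>/dev/null || true"
    echo "ip rule add from $lan_ lookup $table_ priority 100"
}

# When OpenVPN runs this file as an up script, apply the commands for the
# tunnel that just came up.  Prefer the gateway OpenVPN reports and fall back
# to the tunnel's local address, which is what the answer's scripts use.
if [ "${script_type:-}" = up ] && [ -n "${dev:-}" ]; then
    vpn_up_commands "$dev" "${route_vpn_gateway:-${ifconfig_local:-}}" | sh -e
fi
```

Both client configs would then carry `script-security 2` and `up /etc/openvpn/vpn-up.sh`; because the script installs the default routes itself, `pull-filter ignore "redirect-gateway"` (OpenVPN 2.4 and later) stops a server-pushed redirect from rewriting the main table. To check which path a LAN host's packets take, `ip route get 1.1.1.1 from 192.168.91.5 iif eth2` should name tun1 while the tunnel is up and report "unreachable" once it is down; `ip rule show` and `ip route show table rt2` show the state the script left behind.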