1

I have the following setup:

Desktop -> [via RPI eth1] <-> Raspberry Pi <-> [via RPI eth0] -> Router -> Internet -> OpenVPN Server

I created a bridge successfully, but I do not believe a bridge is what I want. I want the Raspberry Pi to lease the IP address to the Desktop. Then anytime I use the Desktop I want the traffic forwarded from eth1 to eth0.

Here's the kicker: I have an OpenVPN Client on the Raspberry Pi. So I want to forward any traffic that is behind the OpenVPN Server through the OpenVPN Client. For example, I want to be able to ping the OpenVPN Server and its private LAN from my Desktop.

I have achieved what I wanted by using hostapd and dnsmasq via a wifi client hotspot, but now I am trying to recreate the solution via ethernet and I cannot seem to find what the wifi client/hotspot was doing that the ethernet bridge solution is not.

What I did was add a bridge between eth0 and eth1 and set the static IP address (with the subnet) in /etc/dhcpcd.conf. As stated above, this doesn't seem to be the desired outcome, as it looks like the Desktop is leasing an IP address from the router itself and not forwarding any traffic intended for the OpenVPN Server through the OpenVPN Client.

My question is: since the ethernet bridge isn't the solution, what do I need to implement to get the packet forwarding and path that I described above working?

Any help would be appreciated!

UtahUnix
  • No offense intended at all, but has it occurred to you that this solution you're crafting has some of the hallmarks of a [Rube Goldberg machine?](https://en.wikipedia.org/wiki/Rube_Goldberg_machine) – Seamus Jul 10 '18 at 22:35

2 Answers

0

Ok..... You are going into deep waters.

If the OpenVPN client is running on the rpi and you want it to "automagically" route traffic between the network segment where your rpi and the desktop are connected and the OpenVPN server, then the easiest thing to do is to use the rpi as the default gw of the desktop. Break up the bridge and have a separate segment for the rpi/desktop. This network segment has to be set up on the OpenVPN server so that the OpenVPN process knows that in order to reach it, it has to go through the rpi. And that should be enough to pull it off.

eftshift0
  • Thanks for your response. So setting up the raspberry pi as the default gateway for the desktop, is that just done through the interfaces and dhcpd.conf file or are there additional packages that are downloaded to achieve this? – UtahUnix Jul 10 '18 at 16:34
0

Seems you are using dhcpcd, dnsmasq and networking (ifupdown) together with OpenVPN. It looks a little bit like a Rube Goldberg machine ;-)

I can offer you a solution with systemd-networkd that does it all at once (except OpenVPN). On the raspi, network traffic has to go three different ways, so we need a router there. I use Raspbian Stretch Lite 2018-06-27 upgraded to the latest software. I suppose your OpenVPN is set up, you can connect to the OpenVPN server, and you are using a USB ethernet dongle for eth1.

For the example I use these IP addresses:

```
                             10.10.10.2                       ┌──────────┐   10.10.10.1
                                /           vpn-tunnel        │          │       \
                             (tun0) =══════════════╗  ╔═════════════════════════ VPN-SERVER
Desktop <---------> (eth1)RPI(eth0) <-----------> ROUTER <--> │ INTERNET │
     \     wired     /          \       wired    /       wan  │          │
   (by dhcp)  192.168.1.1   192.168.0.2    192.168.0.1        └──────────┘
```


Setup systemd-networkd

For detailed information look at [1]. Here only in short. Execute these commands:

```
rpi ~$ sudo -Es
rpi ~# apt install openvpn-systemd-resolved

rpi ~# systemctl mask networking.service
rpi ~# systemctl mask dhcpcd.service
rpi ~# sudo mv /etc/network/interfaces /etc/network/interfaces~
rpi ~# sed -i '1i resolvconf=NO' /etc/resolvconf.conf

rpi ~# systemctl enable systemd-networkd.service
rpi ~# systemctl enable systemd-resolved.service
rpi ~# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
```

To configure the interfaces create these two files:

```
rpi ~# cat > /etc/systemd/network/04-eth0.network <<EOF
[Match]
Name=eth0
[Network]
Address=192.168.0.2/24
Gateway=192.168.0.1
IPForward=yes
EOF

rpi ~# cat > /etc/systemd/network/08-eth1.network <<EOF
[Match]
Name=eth1
[Network]
Address=192.168.1.1/24
DHCPServer=yes
EOF
```

Reboot.


Setup routing

Now you have to set a static route in your internet router so it can find the route over the raspi to your desktop. On most internet routers you can set a static route, but how to do that varies from model to model. It's up to you to find it out. For our example the gateway (next hop) is 192.168.0.2, destination network is 192.168.1.0/24 (or 192.168.1.0 netmask 255.255.255.0). On a Raspberry Pi it would look like this (don't set it on your Raspi router!):

```
rpi ~$ sudo ip route add 192.168.1.0/24 via 192.168.0.2 dev ethX
```

That means for the internet router: "send all packets belonging to subnet 192.168.1.0/24 (destination network) to the next router on my subnet, your raspi-router 192.168.0.2 (gateway). It knows where to go on."

If you have no access to the internet router you can fake it with NAT (network address translation) to tell it a lie that all packets are coming from your raspi. Set this on your Raspberry Pi:

```
rpi ~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

But this should only be the second choice because it's not clean routing, has limitations and may be confusing. Your internet router also uses NAT, so we have a double NAT that's not good for performance.

Start the VPN tunnel and things should go.


references:
[1] Howto migrate from networking to systemd-networkd with dynamic failover
[2] Raspberry pi as access point with vpn

Ingo
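
The return-path reasoning from both answers (the static route on the internet router, the OpenVPN server's route back to the Pi's segment, and the `-o eth0` MASQUERADE fallback), traced hop by hop as an added example that is not part of either answer. The desktop lease 192.168.1.50, the /24 tunnel subnet and the `isp`/`upstream` next hops are assumptions, and the tunnel is modelled as a direct link.

```python
import ipaddress

def routes(*rows):
    """Routing table as (prefix, next hop) pairs; next hop None means on-link."""
    return [(ipaddress.ip_network(p), hop) for p, hop in rows]

def build(router_static=False, vpn_route=False):
    """Constructed topology with the answer's example addresses; tunnel = direct link."""
    nodes = {  # name: (own addresses, routing table)
        "desktop": (["192.168.1.50"],              # assumed DHCP lease from the Pi
                    routes(("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1"))),
        "pi": (["192.168.1.1", "192.168.0.2", "10.10.10.2"],
               routes(("192.168.1.0/24", None), ("192.168.0.0/24", None),
                      ("10.10.10.0/24", None),     # assumed tunnel subnet
                      ("0.0.0.0/0", "192.168.0.1"))),
        "router": (["192.168.0.1"],                # "isp" is a placeholder next hop
                   routes(("192.168.0.0/24", None), ("0.0.0.0/0", "isp"))),
        "vpn": (["10.10.10.1"],                    # "upstream" is a placeholder too
                routes(("10.10.10.0/24", None), ("0.0.0.0/0", "upstream"))),
    }
    if router_static:  # static route on the internet router, as in the answer
        nodes["router"][1].extend(routes(("192.168.1.0/24", "192.168.0.2")))
    if vpn_route:      # VPN server's route back to the desktop segment via the Pi
        nodes["vpn"][1].extend(routes(("192.168.1.0/24", "10.10.10.2")))
    return nodes

def walk(nodes, start, dst, max_hops=8):
    """Follow longest-prefix-match lookups hop by hop; "lost" = left the topology."""
    owner = {a: n for n, (addrs, _) in nodes.items() for a in addrs}
    path, here = [start], start
    while dst not in nodes[here][0] and len(path) < max_hops:
        _, hop = max((r for r in nodes[here][1] if ipaddress.ip_address(dst) in r[0]),
                     key=lambda r: r[0].prefixlen)
        here = owner.get(hop or dst)  # on-link route: deliver straight to dst
        if here is None:
            return path + ["lost"]
        path.append(here)
    return path

def ping(nodes, dst, masq_eth0=False):
    """Path of an echo request from the desktop and of the reply coming back."""
    out = walk(nodes, "desktop", dst)
    if out[-1] == "lost":
        return out, []
    # The rule is "-o eth0": only traffic leaving towards the router is rewritten.
    natted = masq_eth0 and out[-1] == "router"
    back = walk(nodes, out[-1], "192.168.0.2" if natted else "192.168.1.50")
    if natted and back[-1] == "pi":  # the Pi reverses the NAT and forwards on
        back += walk(nodes, "pi", "192.168.1.50")[1:]
    return out, back
```

On an OpenVPN server, the `vpn_route=True` case corresponds to a `route` directive for 192.168.1.0/24 in the server config plus an `iroute` for it in the Pi's client-config-dir file.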