I have 2 subnets in my local network (192.168.4.0/24, 192.168.5.0/24), but only 1 gateway server (192.168.4.223) which has 2 OpenVPN connections (10.100.2.6/24, 10.100.3.6/24). The topology is like: enter image description here
I want computers in 192.168.4.0/24 (such as Computer B) to connect to the Internet via OpenVPN server 2 and computers in 192.168.5.0/24 (such as Computer A) to connect to the Internet via OpenVPN server 1.
On OPENWRT router:
## What I did: vi /etc/iproute2/rt_tables ... 110 myovp # Add a table for 192.168.5.0/24 ... # Then add rules for iproute2 and iptables: ip rule add fwmark 110 table 110 ip rule add to 192.168.4.0/24 table main ip route add default via 192.168.4.223 dev br-lan_1 table 110 iptables -t mangle -A PREROUTING -i br-lan_2 -j MARK --set-mark 110 ## Some outputs: # Output of `ip rule`: 0: from all lookup local 32764: from all to 192.168.4.0/24 lookup main 32765: from all fwmark 0x6e lookup myovp 32766: from all lookup main 32767: from all lookup default # Output of `ip route show`: 192.168.4.0/24 dev br-lan_1 proto kernel scope link src 192.168.4.1 192.168.5.0/24 dev br-lan_2 proto kernel scope link src 192.168.5.1 # Output of `ip route show table 110`: default via 192.168.4.223 dev br-lan_1 # Output of `iptables -t mangle -L PREROUTING -v` Chain PREROUTING (policy ACCEPT 871K packets, 177M bytes) pkts bytes target prot opt in out source destination 28030 1954K MARK all -- br-lan_2 any anywhere anywhere MARK set 0x6e On Debian Gateway Server:
## What I did: vi /etc/iproute2/rt_tables ... 110 myovp # Add a table for 192.168.5.0/24 ... # Then add rules for iproute2 and iptables: ip rule add fwmark 110 table 110 ip rule add to 192.168.4.0/24 table main ip rule add to 192.168.5.0/24 table main ip route add default via 10.100.2.1 dev tun0 table 110 ip route add 192.168.5.0/24 via 192.168.4.1 dev enp4s0 iptables -t mangle -A PREROUTING -i enp4s0 -s 192.168.5.0/24 -j MARK --set-mark 110 # Then add rules for NAT and FORWARD: iptables -A FORWARD -i enp4s0 -j ACCEPT iptables -A FORWARD -i tun1 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i enp4s0 -o tun1 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i tun0 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i enp4s0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o tun1 -j ACCEPT iptables -A OUTPUT -o tun0 -j ACCEPT iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o tun1 -j MASQUERADE iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o tun0 -j MASQUERADE ## Some outputs: # Output of `ip addr`: ... 4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500 link/none inet 10.100.3.6/24 scope global tun1 valid_lft forever preferred_lft forever inet6 fe80::fd55:444a:552a:a454/64 scope link stable-privacy valid_lft forever preferred_lft forever 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500 link/none inet 10.100.2.6/24 scope global tun0 valid_lft forever preferred_lft forever inet6 fe80::af61:acf1:4e9c:b1a8/64 scope link stable-privacy valid_lft forever preferred_lft forever ... # Output of `ip route show`: 0.0.0.0/1 via 10.100.3.1 dev tun1 default via 192.168.4.1 dev enp4s0 proto static metric 100 10.100.2.0/24 dev tun0 proto kernel scope link src 10.100.2.5 10.100.3.0/24 dev tun1 proto kernel scope link src 10.100.3.5 128.0.0.0/1 via 10.100.3.1 dev tun1 192.168.4.0/24 dev enp4s0 proto kernel scope link src 192.168.4.223 metric 100 192.168.5.0/24 via 192.168.4.1 dev enp4s0 # Output of `ip route show table 110`: default via 10.100.2.1 dev tun0 # Output of `ip rule`: 0: from all lookup local 32763: from all to 192.168.5.0/24 lookup main 32764: from all to 192.168.4.0/24 lookup main 32765: from all fwmark 0x6e lookup 110 32766: from all lookup main 32767: from all lookup default # Output of `iptables -t filter -L -v`: Chain INPUT (policy ACCEPT 30661 packets, 3126K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2117K 194M ACCEPT all -- enp4s0 any anywhere anywhere 3394K 4191M ACCEPT all -- tun1 enp4s0 anywhere anywhere state RELATED,ESTABLISHED 0 0 ACCEPT all -- enp4s0 tun1 anywhere anywhere state RELATED,ESTABLISHED 1541 133K ACCEPT all -- tun0 enp4s0 anywhere anywhere state RELATED,ESTABLISHED 0 0 ACCEPT all -- enp4s0 tun0 anywhere anywhere state RELATED,ESTABLISHED Chain OUTPUT (policy ACCEPT 35596 packets, 22M bytes) pkts bytes target prot opt in out source destination 1044 108K ACCEPT all -- any tun1 anywhere anywhere 0 0 ACCEPT all -- any tun0 anywhere anywhere # Output of `iptables -t nat -L -v`: Chain PREROUTING (policy ACCEPT 208K packets, 34M bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 266 packets, 46150 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 98 packets, 5876 bytes) pkts bytes target prot opt in out source destination 27638 2036K MASQUERADE all -- any tun1 192.168.4.0/24 anywhere 347 19186 MASQUERADE all -- any tun0 192.168.5.0/24 anywhere Chain OUTPUT (policy ACCEPT 95 packets, 5636 bytes) pkts bytes target prot opt in out source destination # Output of `iptables -t mangle -L PREROUTING -v`: Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2829 215K MARK all -- enp4s0 any 192.168.5.0/24 anywhere MARK set 0x6e And on both OpenVPN servers (They are almost the same except for the subnet IP addresses and Internet addresses):
## What I did: # First set up the OpenVPN server # Then add rules for NAT and FORWARD: iptables -A FORWARD -i tun0 -j ACCEPT iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o tun0 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.100.2.0/24 -o eth0 -j MASQUERADE ## Some outputs # Output of `ip addr`: ... 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500 link/none inet 10.100.2.1/24 scope global tun0 valid_lft forever preferred_lft forever inet6 fe80::c31e:ba42:4cb5:d887/64 scope link stable-privacy valid_lft forever preferred_lft forever ... # Output of `iptables -t filter -L -v`: Chain INPUT (policy ACCEPT 16M packets, 1026M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 1522K packets, 114M bytes) pkts bytes target prot opt in out source destination 247M 192G ACCEPT all -- tun0 any anywhere anywhere 0 0 ACCEPT all -- tun0 eth0 anywhere anywhere state RELATED,ESTABLISHED 178M 106G ACCEPT all -- eth0 tun0 anywhere anywhere state RELATED,ESTABLISHED 0 0 ACCEPT all -- tun0 any 10.100.2.0/24 anywhere Chain OUTPUT (policy ACCEPT 16M packets, 1047M bytes) pkts bytes target prot opt in out source destination 55959 7717K ACCEPT all -- any tun0 anywhere anywhere # Output of `iptables -t nat -L -v`: Chain PREROUTING (policy ACCEPT 27M packets, 1809M bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 11M packets, 605M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5047 packets, 386K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 996K packets, 83M bytes) pkts bytes target prot opt in out source destination 16M 1063M MASQUERADE all -- any eth0 10.100.2.0/24 anywhere Now, the computers in 192.168.4.0/24 (such as Computer B) can connect to the Internet via OpenVPN server 2 prefectly.
But in 192.168.5.0/24, the computers cannot resolve any hostnames. On computer A, ping 8.8.8.8 works fine, and tracert 8.8.8.8 shows it can get to the 8.8.8.8 server via OpenVPN server 1, but nslookup google.com 8.8.8.8 returns Query refused.
Really sorry for such a long post, but I really don't know what to do or what I missed. I'm not a pro of network things, so any specific suggestions and help are appreciated. Thanks!
