I have a small network of virtualbox VMs on my PC that I’d like to tunnel trough PIA all at once.
But I don’t really see any drop-in solution on the internet.
One option would be to install AlpineLinux in a VM, and use OpenVPN and plain IPTables to tunnel that network, but there should be a better option, right?
So, anyone have any experience with maybe ipFire in that configuration? I honestly don’t know what should I use.
P.S
I’d like this thing to be as easy to setup and consistent between different hosts as possible (I will probably run similar VM for tunneling on a few other hosts, and I don’t want to troubleshoot every time I have to install this thing).
I’ve done something similar for years, basically just setup my VPN client, iptables rules to forward packets, and then set default routes for my workplace to go through that host in my router. I’m sure there are easier solutions, prebuilt docker containers and such these days.
VM #1 and VM #2 are in the same network, can talk to each other directly, and etc.
AlpineLinux is acting as their gateway to the internet, the only purpose of this VM is to transfer packets from eth1 to tun0(which is OpenVPN device that tunnels everything trough PIA servers). eth0 is the “output” device that VM #1 and #2 can’t send packets trough, they are not even aware that there is any VPN on AlpineLinux.
VM#1 and VM#2 should have no access to anything on my network that is beyond eth0 on AlpineLinux.
Eh… ? How does this even apply here? I mean, I use this option to access database servers behind firewalls, but how could someone even use this here?
Would a socks5 proxy work here? I keep a docker image running for this purpose, and use system or browser proxy settings to tunnel through it. dunno exactly how secure it is, but it is relatively simple to set up.
If I understand your alpinelinux gateway (ALG) VM, VM 1 & 2 are on connetced to ALG’s eth0, ALG’s eth1 connects to the rest of your lan and there is a tun device on ALG created by openvpn that is connected to PIA. If that’s the case, then just set the default route of ALG to use the peer address of its tun device.
A redirect-gateway command in your openvpn config will do that automatically, but if you want to do it manually, after your tun device is created:
add a route to PIA’s server through ALG’s default gateway:
ip route add (PIA IP)/32 via (ALG's current def gatway) dev eth1
remove ALG’s current default gateway:
ip route del default
set your tun device as ALG’s default gateway:
ip route add default via (tun's peer address probably 10.8.0.5) dev tun0
No need to use iptables, but now all traffic forwarded through and originating from ALG will go through the VPN.
And it’s worth noting that VPN connection is working on the AlpineLinux (obviously when opvpn is pulling routes) perfectly fine.
It’s a problem with the NAT configuration, traceroute just stops on 172.16.0.1
I’ve setup the NAT as I normally would first with the eth0 to see if it’s working. It was … And it’s worth noting that VPN connection is working on the AlpineLinux"
makes me think that you are not SNATing the traffic from VM 1 and 2 before they get routed over ALG’s tun. So ALG faithfully routes your traffic to PIA, but PIA’s router sees your internal lan IPs and of course drops the traffic.
So after you create the tun device and change the default route, add:
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source (your tun devices IP, not it's peer IP)
or you could use -j MASQUERADE for brevity if the performance hit is not an issue.
That posted config is using eth0 as the “outside world” interface, and before running openvpn client it does work.
Swapping it for tun0 doesn’t change anything - when tun0 is present (when openvpn is running) I can’t connect to the outside world from the NAT’ed VMs.
Will you post ALG’s route table (ip route show) before you start openvpn and ALG’s route table after openvpn has initialized and you have finished any other config you do?
That looks fine (I would remove the default route (ip route del default) since your openvpn is set the moral equivalent of a default route with 0.0.0.0/1 via 10.38.10.5; you could add back ip route add default via 10.38.10.5 if you want, but I think that is unnecessary).
I think’s it’s your iptables FORWARD rules that are getting you. You don’t seem to allow forwarded traffic outbound over tun0. So iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
You also have to SNAT the traffic leaving tun0. You need both an SNAT for eth0 and and SNAT for tun0. So iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.38.10.6 (or masquerade works fine too)
You have a typo in in the target it’s SNAT no NAT, but also tun0 probably has to exist and 10.38.10.6 has to be reachable, so you have to add that after the tun device is created not at boot.
openvpn has an option to run a script after connection: --script-security 2 --route-up [path to script]