PrivateInternetAccess - Tunneling entire network

Hardware Hub Networking
1

Hi,

I have a small network of virtualbox VMs on my PC that I’d like to tunnel trough PIA all at once.

But I don’t really see any drop-in solution on the internet.

One option would be to install AlpineLinux in a VM, and use OpenVPN and plain IPTables to tunnel that network, but there should be a better option, right?

So, anyone have any experience with maybe ipFire in that configuration? I honestly don’t know what should I use.

P.S
I’d like this thing to be as easy to setup and consistent between different hosts as possible (I will probably run similar VM for tunneling on a few other hosts, and I don’t want to troubleshoot every time I have to install this thing).

2

I’ve done something similar for years, basically just setup my VPN client, iptables rules to forward packets, and then set default routes for my workplace to go through that host in my router. I’m sure there are easier solutions, prebuilt docker containers and such these days.

3 Likes
3

Hm, so how do I set tun device that is forwarding everything trough PIA?

These openVPN files provided by PIA are tunneling everything trought the new tun device, right?

4

Snippet of my script is here:

https://pastebin.com/4T8Q6ABj

It uses vpnc, the Cisco IPsec client, so you’ll need to adapt it to openVPN or wireguard or whatever.

Again I’m not saying this is the best way to do it, it’s just the way I hacked it together many years ago.

1 Like
5

What specifically are you trying to access from your home network? You could just do dynamic SSH tunnel.

In my older post I had a small guide for this.

6

Not my home network, I’m talking only about a local network on the HostOS.

Let me explain this a little better:

                    Host OS
+---------------------------------------------------------+            +-------------------+
|                                                         |            |    Router         |
|                                                   +------------+----->                   +------------->
|   +-------------+       +----------------+        |     |      |     |                   |
|   |   VM #1     |       |     VM #2      |        |     |      |     |                   |
|   |             |       |                |        |     |      |     +-------------------+
|   +----+--------+       +---+------------+        |     |      |
|        |                    |                     |     |      |
|        |                    |                     |     |      |
|        |                    |                     |     |      |
|        |                    |                     |     |      |
|        |          +---------v-----------+         |     |      |
|        |          |                     |         |     |      |
|        +----------> AlpineLinux Gateway +---------+     |      |
|                   |                     |               |      |
|                   +---------------------+               |      |
|                                                         |      |
|                                                         |      |
|                                                         |      |
+---------------------------------------------------------+      |
                                                                 |
+---------------------------------------------------------+      |
|                                                         |      |
|          Other computers on the network                 |      |
|                                                         +------+
|                                                         |
+---------------------------------------------------------+

VM #1 and VM #2 are in the same network, can talk to each other directly, and etc.

AlpineLinux is acting as their gateway to the internet, the only purpose of this VM is to transfer packets from eth1 to tun0(which is OpenVPN device that tunnels everything trough PIA servers). eth0 is the “output” device that VM #1 and #2 can’t send packets trough, they are not even aware that there is any VPN on AlpineLinux.

VM#1 and VM#2 should have no access to anything on my network that is beyond eth0 on AlpineLinux.

Eh… ? How does this even apply here? I mean, I use this option to access database servers behind firewalls, but how could someone even use this here?

7

Would a socks5 proxy work here? I keep a docker image running for this purpose, and use system or browser proxy settings to tunnel through it. dunno exactly how secure it is, but it is relatively simple to set up.

8

If alpinelinux is your gateway, then you simply setup routes on the gateway to route traffic from eth1 to tun0.

9

If I understand your alpinelinux gateway (ALG) VM, VM 1 & 2 are on connetced to ALG’s eth0, ALG’s eth1 connects to the rest of your lan and there is a tun device on ALG created by openvpn that is connected to PIA. If that’s the case, then just set the default route of ALG to use the peer address of its tun device.

A redirect-gateway command in your openvpn config will do that automatically, but if you want to do it manually, after your tun device is created:

add a route to PIA’s server through ALG’s default gateway:

ip route add (PIA IP)/32 via (ALG's current def gatway) dev eth1

remove ALG’s current default gateway:

ip route del default

set your tun device as ALG’s default gateway:

ip route add default via (tun's peer address probably 10.8.0.5) dev tun0

No need to use iptables, but now all traffic forwarded through and originating from ALG will go through the VPN.

1 Like
10

So, I’ve setup the NAT as I normally would first with the eth0 to see if it’s working.

It was, then I “configured” (actually just ran with default config from PIA) openvpn… aaand… my NAT doesn’t work anymore.

I tried adding “route-nopull” to the openvpn config and changing the NAT to tun0 but it’s not working either.

Here is the AlpineLinux VM network config:

And here is link to openvpn config files I was using:
https://www.privateinternetaccess.com/openvpn/openvpn.zip

I’ve found this link in this article:
https://www.privateinternetaccess.com/helpdesk/guides/desktop/linux/linux-openvpn-terminal-connection

And it’s worth noting that VPN connection is working on the AlpineLinux (obviously when opvpn is pulling routes) perfectly fine.
It’s a problem with the NAT configuration, traceroute just stops on 172.16.0.1

Any ideas?

11

Without seeing your entire config,

I’ve setup the NAT as I normally would first with the eth0 to see if it’s working. It was … And it’s worth noting that VPN connection is working on the AlpineLinux"

makes me think that you are not SNATing the traffic from VM 1 and 2 before they get routed over ALG’s tun. So ALG faithfully routes your traffic to PIA, but PIA’s router sees your internal lan IPs and of course drops the traffic.

So after you create the tun device and change the default route, add:

iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source (your tun devices IP, not it's peer IP)

or you could use -j MASQUERADE for brevity if the performance hit is not an issue.

12

If SNATing the tun traffic doesn’t solve your problem, a commonly overlooked issue is the rp_filter. You could turing it off (1) or permissive (2):

echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

edit: off is 0 not 1

13

What I posted (cat /etc/network/interfaces) is my entire network configuration on the alpine linux VM, and it is using -j MASQUERADE

It doesn’t matter if I tunnel tun0 or eth0 when openvpn client with route pulling enabled is running, the NAT doesn’t work.

14

Does everything work as you would expect before you startup openvpn? Or can VM1 & VM2 connect to the “outside world” before you startup openvpn?

15

That posted config is using eth0 as the “outside world” interface, and before running openvpn client it does work.

Swapping it for tun0 doesn’t change anything - when tun0 is present (when openvpn is running) I can’t connect to the outside world from the NAT’ed VMs.

16

Will you post ALG’s route table (ip route show) before you start openvpn and ALG’s route table after openvpn has initialized and you have finished any other config you do?

17

Here everything works:

And now it doesn’t

image

Edit: Using eth0 as device to the external world, I showed the /etc/network/interfaces before.

And about the “other comnfig” - I showed everything PrivateInternetAccess - Tunneling entire network <- here, with the openvpn configuration that I’m using.

18

That looks fine (I would remove the default route (ip route del default) since your openvpn is set the moral equivalent of a default route with 0.0.0.0/1 via 10.38.10.5; you could add back ip route add default via 10.38.10.5 if you want, but I think that is unnecessary).

I think’s it’s your iptables FORWARD rules that are getting you. You don’t seem to allow forwarded traffic outbound over tun0. So iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT

You also have to SNAT the traffic leaving tun0. You need both an SNAT for eth0 and and SNAT for tun0. So iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.38.10.6 (or masquerade works fine too)

19

I have no idea what should I change then, should I just add those lines to the config?

After adding those lines I have this in my /etc/network/interfaces

image
image.png721x368 3.75 KB

On boot I get this message:

image

Also, after running openvpn I still can’t access the internet from NAT’ed VMs.

How should my /etc/network/interfaces look like?

20

You have a typo in in the target it’s SNAT no NAT, but also tun0 probably has to exist and 10.38.10.6 has to be reachable, so you have to add that after the tun device is created not at boot.

openvpn has an option to run a script after connection: --script-security 2 --route-up [path to script]