Hi,
I’m trying to replicate a setup on Fedora I’ve had working for years on Ubuntu 16.04. I want to run an OpenConnect VPN connection on Fedora Workstation and share it with other machines on my home network.
On the Fedora Workstation I set up forwarding and iptables with the following:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -j MASQUERADE
# iptables -A FORWARD -i wlp82s0 -j ACCEPT
# iptables -A FORWARD -o wlp82s0 -j ACCEPT
On the RHEL 7 machine that will share the VPN connection I create a route in the ifcfg file:
# cat /etc/sysconfig/network-scripts/route-ens192
# 9.0.0.0/8 via 192.168.1.254 dev ens192
and add the DNS servers for the VPN network in the interface ifcfg file
$ cat /etc/sysconfig/network-scripts/ifcfg-ens192
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens192
UUID=90a84004-e847-4f11-8c81-7ab3e5e58b1b
DEVICE=ens192
ONBOOT=yes
IPADDR=192.168.1.201
PREFIX=24
GATEWAY=192.168.1.1
DNS1=9.0.128.50
DNS2=209.18.47.61
DOMAIN="raleigh.ibm.com dp.rtp.raleigh.ibm.com"
IPV6_PRIVACY=no
PEERDNS=no
With that setup I can ping the DNS servers on the VPN network but host names are not resolved. I took a packet capture on the Fedora workstation to debug “host w3.ibm.com” from the RHEL 7 machine.
$ sudo tcpdump -i wlp82s0 -s0 port 53 -w dns-from-esx1dp2-w3.pcap
dropped privs to tcpdump
tcpdump: listening on wlp82s0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C3 packets captured
3 packets received by filter
0 packets dropped by kernel
The pcap shows the DNS queries from the host command on the other machine coming in and going nowhere:
I captured a ping of the DNS server from that machine and it gets forwarded properly. The pcap shows both request and reply:
I switch to using the setup on my Ubuntu 16.04 machine with a VPN connection by just changing the ifcfg file on the RHEL 7 machine:
# cat /etc/sysconfig/network-scripts/route-ens192
# 9.0.0.0/8 via 192.168.1.254 dev ens192
and the DNS query works. A pcap clearly shows both request and response:
Does anyone have a suggestion of what else to do to debug this setup?
Thanks,
Chris
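The captures Chris refers to are not attached to the post. As an added illustration (my code, not Chris's, and not part of the original thread), the Python below does mechanically what he did by eye in tcpdump: it reads a classic pcap, pairs each DNS query with its reply by transaction id and client/server pair, and lists the queries that never came back. The capture is a constructed three-frame pcap using the addresses from the post, not his real capture.

```python
import struct
def _frame(src, dst, sport, dport, payload):
    # Constructed Ethernet/IPv4/UDP frame (checksums zeroed) for the sample capture.
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip_src, ip_dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp
def _dns(txid, qname, response=False):
    # Minimal DNS message: one A question, no answer records; QR bit set on replies.
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0) + name + b"\x00\x01\x00\x01"
def _pcap(frames):
    # Classic pcap file: 24-byte global header, then a 16-byte record header per frame.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i, len(f), len(f)) + f
    return out
def _qname(data, off):
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += data[off] + 1
    return ".".join(labels)
def unanswered_queries(pcap):
    """Return (txid, client, server, qname) for every DNS query with no matching reply."""
    pending, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:  # IPv4/UDP only
            continue
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        udp = frame[14 + (frame[14] & 0x0F) * 4:]          # skip Ethernet + IP header/options
        sport, dport = struct.unpack("!HH", udp[:4])
        if 53 not in (sport, dport):
            continue
        txid, flags = struct.unpack("!HH", udp[8:12])
        if flags & 0x8000:                                  # reply: server -> client
            pending.pop((txid, dst, src), None)
        else:                                               # query: client -> server
            pending[(txid, src, dst)] = _qname(udp, 20)
    return [(k[0], k[1], k[2], q) for k, q in pending.items()]
SAMPLE_PCAP = _pcap([  # constructed: one answered query, one forwarded query with no reply
    _frame("192.168.1.201", "9.0.128.50", 40001, 53, _dns(0x1234, "w3.ibm.com")),
    _frame("192.168.1.201", "9.0.128.50", 40002, 53, _dns(0xBEEF, "example.com")),
    _frame("9.0.128.50", "192.168.1.201", 53, 40002, _dns(0xBEEF, "example.com", True)),
])
```

Run it against a real file with `unanswered_queries(open("dns-from-esx1dp2-w3.pcap", "rb").read())`; a query listed for the forwarded client but absent for the Fedora host itself points at the forwarding path rather than at the VPN resolver.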