Jump to content

Routing issue - Multi AP to Multi VPN


random_dude

Recommended Posts

I am maybe a little crazy but I am  trying to forward network traffic from two differents SSID to two different vps running openvpn.
Why ? Because I have two VPS and I woud like to able to browse the Internet from all my device just selecting a WiFi network.

Sorry for this dirty hack ; the pineapple is  a cool offensive device that I love use but I am trying to configure it as something like a smart defensive device :)

Well, my setup is working well with only one wifi / tun interface. It seems impossible to work that with the two VPN at the same time (openvpn client).
I don't understand why :/ I think it's not a very complicate setup I hope somebody could help me here since you're network experts.

I think it's a routing issue but I am not sure. So my question is the following :
- How can I forward correctly forward the network traffic from my two wifi subnets to each tun / vpn interface at the same time ?


Anyone  can help me to fix this please ? Below few details about my setup :

To simplify this, my setup looks like :

    eth0 (internet link) <===== tun0 <==== wifi-A
    eth0 (internet link) <===== tun1 <==== wifi-B

Note the following statements :
    
 1. My openwrt device get the Internet link with the eth0 interface using DHCP

 2. I created a bridge on my wlan0 interface to be able to broadcast two SSID : (wifi-a & wifi-b)

 3. On wifi-a : a DHCP server is running pool 172.17.42.100-200 gw 172.18.42.1

 4. On wifi-b : a DHCP server is running pool 172.18.42.100-200 gw 172.18.42.1

 5. I have two VPS where I installed openvpn : PublicIP-1 & PublicIP-2

 6. I run on my device two openvpn client to public-IP-1 (tun0) and to public-IP-2 (tun1)

 7. Finally I nated wifi-a subnet to tun0 and wifi-b subnet to tun1 with the following iptables rules :

iptables -t nat -A POSTROUTING -s 172.17.42.0/24 -o tun0 -j MASQUERADE
iptables -A FORWARD -s 172.17.42.0/24 -o tun0 -j ACCEPT iptables -A
FORWARD -d 172.17.42.0/24 -m state --state ESTABLISHED,RELATED -i tun0 -j ACCEPT
         
iptables -t nat -A POSTROUTING -s 172.18.42.0/24 -o tun1 -j MASQUERADE
iptables -A FORWARD -s 172.18.42.0/24 -o tun1 -j ACCEPT iptables -A
FORWARD -d 172.18.42.0/24 -m state --state ESTABLISHED,RELATED -i tun1 -j ACCEPT


Below my interface details :

eth0       inet addr:192.168.0.10 Bcast:192.168.0.255  Mask:255.255.255.0

br-wifi-a  inet addr:172.17.42.1  Bcast:172.17.42.255  Mask:255.255.255.0
br-wifi-b  inet addr:172.18.42.1  Bcast:172.18.42.255  Mask:255.255.255.0

tun0       inet addr:10.8.0.6     P-t-P:10.8.0.5       Mask:255.255.255.255
tun1       inet addr:10.9.0.6     P-t-P:10.9.0.5       Mask:255.255.255.255


My route table :

Destination     Gateway         Genmask         Flags Metric Ref   Use Iface

default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
 
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0

10.9.0.1        10.9.0.5        255.255.255.255 UGH   0      0        0 tun1
10.9.0.5        *               255.255.255.255 UH    0      0        0 tun1
 
[PublicIP-VPS-1]     192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
[PublicIP-VPS-2]     192.168.0.1     255.255.255.255 UGH   0      0   0 eth0
 
172.17.42.0     *               255.255.255.0   U     0      0        0 br-wifiA
172.17.42.0     *               255.255.255.0   U     0      0        0 br-wifiB

172.22.42.0     *               255.255.255.0   U     0      0        0 br-lan

192.168.0.0     *               255.255.255.0   U     0      0        0 eth0


**Quick debug :**

 ping google.com -I tun1  PING google.fr (108.177.119.94): 56 data bytes 64 bytes from 108.177.119.94: seq=0 ttl=43 time=29.665 ms
 ping google.com -I tun0  PING google.fr (108.177.119.94): 56 data bytes 64 bytes from 108.177.119.94: seq=0 ttl=43 time=30.277 ms
 ping google.com -I eth0  PING google.fr (108.177.119.94): 56 data bytes 64 bytes from 108.177.119.94: seq=0 ttl=42 time=17.860 ms ^C

 

Again, I think it's routing issue but I am maybe to much tired to see my mistake. Can you help me to debug this  ?
Thanks for your help guys,

 

 

Link to comment
Share on other sites

 

BTW, I tried to add the following try to create a second routing table for my tun0 interfaces:
 

echo "1 vpna" >> /etc/iproute2/rt_tables
echo "2 vpnb" >> /etc/iproute2/rt_tables

ip rule add from 10.8.0.0/24 dev tun0 table vpna
ip rule add from 10.9.0.0/24 dev tun1 table vpnb

ip route add default via 10.8.0.5 dev tun0 table vpna
ip route add default via 10.9.0.5 dev tun1 table vpnb

 

Link to comment
Share on other sites

15 hours ago, random_dude said:

 

Ok I got the solution. I go to bed. Ping me here if you're interested by this config

I would like to know. Does this constitute as a ping?

Link to comment
Share on other sites

 

Well to fix the setup you will need to implement a "routing policy" 
It's something you can do using ip route

If there's interested people, I will try to take the time make an article/post about the full details of this setup 
But I need time to fix some stuff, I don't like share stuff until it's not perfect (for me) :)

Oh I have two additionally questions  : 

-  I am not an openwrt expert. Is there a way or anybody already try to patch the latest firmware of openwrt on the pineapple ? Is it working ? Is an "hak5' official procedure" exists ? 

- Finally, I have a question about the nano basic : Exist it a way to get an _ethernet_ link using the pineapple nano ? 

Have nice day 

Link to comment
Share on other sites

On 9/27/2017 at 4:00 AM, random_dude said:

Finally, I have a question about the nano basic : Exist it a way to get an _ethernet_ link using the pineapple nano ?

This thread might illuminate: https://forums.hak5.org/topic/41574-eth1-via-usb-ethernet-adapter-a-to-be-continued-how-to/

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...