3

The setup:

I have multiple, static-key OpenVPN client/server configurations, labeled "client1", "client2", and "client3" with server/client IPs 10.10.1.1/10.10.1.2, 10.10.2.1/10.10.2.2, and 10.10.3.1/10.10.3.2, respectively, hosted on one Linux server and one Linux client (with three openvpn processes each, each with a different tunX interface). I have three users on my Linux client machine, user "client1", "client2" and "client3". I have my server setup to do NAT so that incoming traffic from client1 on 10.10.1.2 goes out to the Internet (via -j SNAT in iptables) from one IP, client2 on 10.10.2.2 out another IP, etc.

The problem:

What I don't have is a way for the client Linux machine to properly route traffic from each user to the proper OpenVPN server IP over it's OpenVPN tunnel. Essentially, I am wanting all Internet-destined traffic from client1 to go out one internet-facing IP on the OpenVPN server, traffic from client2 to go out another, and so on and so forth for as many users as I'd like to add. But this must all be done from ONE machine hosting all the different client users. I am aware of an iptables functionality involving marking packets by user ID and then setting up IP routing based on these marks, but I don't know how to actually achieve it.

Are there any iptables/netfilter/etc gurus out there that can help me in this matter?

Improve this question

1 Answer 1

Reset to default
1

You can mark packets via iptables based on the UID of the creating process. You can use this Netfilter mark both for (advanced) routing (ip rule: man ip or man ip-rule; key word "fwmark") and for DNAT. I am not sure which one is easier / better.

Edit 1 For each user:

iptables -t mangle -A PREROUTING -m owner --uid-owner $user -j MARK --set-mark $usermark
# one line in /etc/iproute2/rt_tables (numbers don't matter)
ip route add default via $user_gw_ip dev $user_if src $user_if_local_ip table $user_table
ip rule add type unicast fwmark $usermark priority 100 table $user_table
Improve this answer
4
  • Right, I was aware of the ability to do that by user ID, but what I am seeking is a direct answer and usage on how to achieve what I'm trying to do. I need to route all Internet traffic for each user out of a different OpenVPN tunnel. I have the forwarding setup already on the tunnel server end; I need to set it up on the client. Commented Apr 26, 2013 at 17:43
  • @BrandonEdward Next time ask precise enough that the readers know what you want. Commented Apr 26, 2013 at 18:08
  • I did -- all that is described in the post. But no point in bickering. I think I found a solution, I'm going to test it out and if it's correct I'll post it. Commented Apr 26, 2013 at 23:12
  • @BrandonEdward Don't you get any traffic or is it routed wrongly? What is the output of ip rule list? Commented Apr 27, 2013 at 7:39

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.