DD-WRT not returning Internet traffic to subnet
I have been struggling with getting my VPN client accessing the Internet when I redirect the gateway through my VPN server.
I discovered that I can contact the Internet gateway inside the VPN, but when I try to hop through to the Internet I never get a response. A bit of packet sniffing showed that the SYNs were being sent, but I never got an ACK.
My Internet router is running DD-WRT, and whilst it had a static route set up to talk to VPN clients (which worked), Internet traffic wasn't getting back.
Luckily, with a bit of troubleshooting with a colleague, I got the right words for my Google Kung-Fu and hit on this thread:
The issue comes down to SNAT (Source NAT). When an internal network wants to send data out, a NAT router (such as the one used for most Internet access) rewrites the source address of the packet to its own public address before sending it out. This way, when packets are returned from the Internet they come back to your router, rather than being addressed to an internal address that doesn't exist on the Internet.
By default, DD-WRT only performs SNAT for the LAN network (as set up in the basic settings). Traffic from any additional subnet leaves the router with a private source address and simply vaporises into the ether that is the Internet, because nothing on the Internet can route a reply back to it. To add your network you have to add an iptables POSTROUTING rule in the nat table.
As per the thread linked above, you can do this with the following command:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT -s 192.168.2.0/24 --to `nvram get wan_ipaddr`
Pay attention to the back-ticks ` not single quotes ' being used. I'm not sure of the technicalities behind this, but they appear to be a way of accessing configuration items on the fly. In this example I've set my second subnet to be 192.168.2.0/255.255.255.0. If you omit the -s option then any subnet will work.
Put this into your firewall startup script to ensure it sticks over a reboot.
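As an added example (not the original post's command or anything shipped by DD-WRT), here is the same SNAT rule wrapped in a firewall startup script that can be re-run safely. The back-ticks in the post are shell command substitution: the shell runs `get_wanface` and `nvram get wan_ipaddr` and pastes their output into the command line, so the rule always picks up the current WAN interface and address. The script below resolves those the same way, checks that the rule is not already present before inserting it (so re-running the firewall script does not stack duplicates), and refuses a malformed or empty subnet, because omitting or mangling `-s` turns the rule into one that SNATs every packet leaving the WAN interface rather than just the VPN subnet. The `FAKE_WANFACE`/`FAKE_WANIP` variables, the `VPN_SUBNET` name and the function names are assumptions of this example; the subnet is written in prefix-length form rather than the netmask form the post uses.

```shell
#!/bin/sh
# Added example (not the original post's script): a DD-WRT firewall startup
# script that adds the SNAT rule for a second subnet idempotently and keeps it
# scoped to that subnet. It assumes the DD-WRT helpers `get_wanface` and
# `nvram get wan_ipaddr` from the post; the FAKE_* variables are test hooks so
# the helper functions can be exercised on a host that is not the router.

VPN_SUBNET="${VPN_SUBNET:-192.168.2.0/24}"   # subnet behind the VPN server (prefix-length form)

# WAN interface and address, resolved at run time exactly as the post's
# back-ticks do (command substitution), with overrides for testing.
wan_iface() { echo "${FAKE_WANFACE:-$(get_wanface 2>/dev/null)}"; }
wan_addr()  { echo "${FAKE_WANIP:-$(nvram get wan_ipaddr 2>/dev/null)}"; }

# Rule text shared by -C (check), -I (insert) and -D (delete), so the script
# never stacks duplicate rules when the firewall script is re-run.
# Arguments: subnet, WAN interface, WAN address.
snat_rule_spec() {
  echo "POSTROUTING -o $2 -s $1 -j SNAT --to-source $3"
}

# Accept only a.b.c.d/N with 1 <= N <= 32: a typo or an empty variable must not
# silently turn into a rule that SNATs every packet leaving the WAN interface.
valid_cidr() {
  case "$1" in ''|*[!0-9./]*) return 1 ;; esac
  cidr_ip="${1%/*}"; cidr_prefix="${1#*/}"
  [ "$cidr_ip" != "$1" ] || return 1                 # no "/N" part at all
  case "$cidr_prefix" in ''|*[!0-9]*|*/*) return 1 ;; esac
  [ "$cidr_prefix" -ge 1 ] && [ "$cidr_prefix" -le 32 ] || return 1
  set -- $(echo "$cidr_ip" | tr '.' ' ')             # split into octets
  [ $# -eq 4 ] || return 1
  for cidr_octet in "$@"; do
    [ "$cidr_octet" -le 255 ] || return 1
  done
  return 0
}

# Insert the rule only if it is absent. Returns 0 on success, 1 on bad input
# or iptables failure, 2 when iptables is not available on this host.
ensure_snat_rule() {
  subnet="$1"
  valid_cidr "$subnet" || { echo "refusing subnet '$subnet'" >&2; return 1; }
  command -v iptables >/dev/null 2>&1 || return 2
  spec="$(snat_rule_spec "$subnet" "$(wan_iface)" "$(wan_addr)")"
  # word splitting of $spec into separate iptables arguments is intended
  iptables -t nat -C $spec 2>/dev/null && return 0
  iptables -t nat -I $spec
}

# Only act when running on the router itself (DD-WRT ships nvram).
if command -v nvram >/dev/null 2>&1; then
  ensure_snat_rule "$VPN_SUBNET"
fi
```

On the router, paste this into the firewall script under Administration > Commands (or wherever your DD-WRT build keeps it) and confirm with `iptables -t nat -L POSTROUTING -n -v` that the rule sits above the default LAN MASQUERADE entry and that its packet counter climbs when a VPN client browses.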