Skip to content

Commit

Permalink
Fix 'eth*' not caught in OVPN iptables rule
Browse files Browse the repository at this point in the history
  • Loading branch information
Lymkwi committed Oct 4, 2021
1 parent 0e5c694 commit 2c37cd6
Show file tree
Hide file tree
Showing 3 changed files with 6 additions and 6 deletions.
4 changes: 2 additions & 2 deletions README-openvpn.md
Original file line number Diff line number Diff line change
Expand Up @@ -173,11 +173,11 @@ In the next subsection, we go over the technical details of each of these action

As described in the documentation of `iptables`, the `nat` table is consulted whenever a packet creates a new connection. When NAT is enabled at that stage, the remainder of the connection is done under the impression of the external peer (i.e. not our VPS) that it is legitimately talking to the VPS itself, when, in actuality, some packages are emitted by players in the LAN, rise into our VPN tunnels, exit at the VPS, undergo masquerade, and then leave.

Specifically, the `POSTROUTING` chain is called just as packets are about to leave. This makes sense, since we only wish to masquerade packets that openvpn, running on the VPS, emits to the outside world, stemming from data circulating in the tunnels. Moreover, those packets should only be masqueraded whenever they leave the VPS and try and contact the outside world. Since *we are always supposed to make first contact in any connection that transits through OpenVPN*, it makes sense to only masquerade those packets that will leave for the `en+` interface.
Specifically, the `POSTROUTING` chain is called just as packets are about to leave. This makes sense, since we only wish to masquerade packets that openvpn, running on the VPS, emits to the outside world, stemming from data circulating in the tunnels. Moreover, those packets should only be masqueraded whenever they leave the VPS and try and contact the outside world. Since *we are always supposed to make first contact in any connection that transits through OpenVPN*, it makes sense to only masquerade those packets that will leave for the `e+` interface.

All of these requirements explain the following line of IP table rule :
```bash
iptables -t nat -A POSTROUTING -o en+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o e+ -j MASQUERADE
```

What is not explained here is simple `iptables` syntax : the `-t` parameter gives the table (here it's `nat`), the `-A` parameter indicates that we should append to the chain provided (here `POSTROUTING`) and the rest is the rule. Whenever the requirements (that a packet establishing a connection be about to leave for the outside world, the action listed after `-j` is
Expand Down
6 changes: 3 additions & 3 deletions README-wireguard.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ ansible-playbook vpNator-wireguard.yml
```
this playbook prompts you for an action. You can :

1. : Install WireGuard's package (usually, to compile the associated kernel module), set up and configure
1. : Install WireGuard's package (usually, to compile the associated kernel module), set up and configure
2. : Start WireGuard and FireQOS
3. : Stop WireGuard and FireQOS
4. : Remove WireGuard and the other tools.
Expand Down Expand Up @@ -167,11 +167,11 @@ In the next subsection, we go over the technical details of each of these action

As described in the documentation of `iptables`, the `nat` table is consulted whenever a packet creates a new connection. When NAT is enabled at that stage, the remainder of the connection is done under the impression of the external peer (i.e. not our VPS) that it is legitimately talking to the VPS itself, when, in actuality, some packages are emitted by players in the LAN, rise into our VPN tunnels, exit at the VPS, undergo masquerade, and then leave.

Specifically, the `POSTROUTING` chain is called just as packets are about to leave. This makes sense, since we only wish to masquerade packets that WireGuard, running on the VPS, emits to the outside world, stemming from data circulating in the tunnels. Moreover, those packets should only be masqueraded whenever they leave the VPS and try and contact the outside world. Since *we are always supposed to make first contact in any connection that transits through WireGuard*, it makes sense to only masquerade those packets that will leave for the `en+` interface.
Specifically, the `POSTROUTING` chain is called just as packets are about to leave. This makes sense, since we only wish to masquerade packets that WireGuard, running on the VPS, emits to the outside world, stemming from data circulating in the tunnels. Moreover, those packets should only be masqueraded whenever they leave the VPS and try and contact the outside world. Since *we are always supposed to make first contact in any connection that transits through WireGuard*, it makes sense to only masquerade those packets that will leave for the `e+` interface.

All of these requirements explain the following line of IP table rule :
```bash
iptables -t nat -A POSTROUTING -o en+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o e+ -j MASQUERADE
```

What is not explained here is simple `iptables` syntax : the `-t` parameter gives the table (here it's `nat`), the `-A` parameter indicates that we should append to the chain provided (here `POSTROUTING`) and the rest is the rule. Whenever the requirements (that a packet establishing a connection be about to leave for the outside world, the action listed after `-j` is
Expand Down
2 changes: 1 addition & 1 deletion ansible_scripts/vpNator-ovpn.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@
- name: Remove IP Table rule for NAT
become: true
become_method: sudo
command: iptables -t nat -D POSTROUTING -o en+ -j MASQUERADE
command: iptables -t nat -D POSTROUTING -o e+ -j MASQUERADE
ignore_errors: true

#- name: Uninstall additional tools
Expand Down

0 comments on commit 2c37cd6

Please sign in to comment.