OpenVPN – forward all client traffic through tunnel using UFW

By default OpenVPN only routes traffic to and from the OpenVPN server. If you need all traffic from a client to go through the OpenVPN tunnel, there are several options listed in the OpenVPN docs (http://openvpn.net/index.php/open-source/documentation/howto.html#redirect). Since in some cases I don’t have any control over the server, I needed a client-side solution. As I already have ufw running on Ubuntu, I wanted to use the existing software.

Here is how to configure ufw to route all traffic from your client machines through the OpenVPN server.

Forwarding policy

Change the default forward policy. First edit /etc/sysctl.conf to permanently enable IPv4 packet forwarding (this takes effect at the next boot; run sudo sysctl -p to apply it immediately, and check the current value with sysctl net.ipv4.ip_forward).

sudo vim /etc/sysctl.conf

# Enable packet forwarding
net.ipv4.ip_forward=1

UFW config

Then set the default forward policy in /etc/default/ufw. Note that ACCEPT applies to forwarded packets between all interfaces, not only from tun0 to eth0; on ufw 0.34 and later you can leave the default DROP in place and allow only the tunnel path with sudo ufw route allow in on tun0 out on eth0.
sudo vim /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

UFW before rules

Edit /etc/ufw/before.rules and add the following block after the header comments and before the “*filter” line. The subnet must match the server directive in /etc/openvpn/server.conf: the default “server 10.8.0.0 255.255.255.0” is 10.8.0.0/24 (a /8 here would masquerade the whole 10.0.0.0/8 range, far more than the VPN clients). Replace eth0 with the interface that holds your default route (check with ip route show default).

sudo vim /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN client subnet (server 10.8.0.0 255.255.255.0 in server.conf) out via eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Enable OpenVPN

Allow the OpenVPN port through ufw. The default is 1194/udp; match the port and proto lines in /etc/openvpn/server.conf and use /tcp instead if the server runs over TCP. (sudo ufw allow 1194 without a protocol opens both TCP and UDP.)
sudo ufw allow 1194/udp

Enable or reload UFW

The changes to /etc/default/ufw and /etc/ufw/before.rules are only picked up when ufw loads its rules: run sudo ufw enable if ufw is not enabled yet, or sudo ufw reload if it is already running. Afterwards sudo ufw status verbose should show “Default: deny (incoming), allow (outgoing), allow (routed)”.

sudo ufw enable
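As an added example (not code from the original post), here is a small POSIX shell helper that derives the CIDR for the MASQUERADE rule from the server directive in an OpenVPN server.conf and prints the matching before.rules fragment, so the subnet in the firewall rule cannot drift from the one OpenVPN actually hands out. The server.conf content in the demo is constructed, and eth0 is assumed to be the interface with the default route.

```sh
#!/bin/sh
# Added example (not from the original post): derive the CIDR for the
# MASQUERADE rule from the "server" directive in an OpenVPN server.conf and
# emit the matching /etc/ufw/before.rules fragment. The sample server.conf
# below is constructed; eth0 is assumed to be the interface with the default route.

# Convert a dotted-decimal netmask to a prefix length (255.255.255.0 -> 24).
# Rejects masks with fewer than four octets or non-contiguous bits.
mask_to_prefix() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  bits=0
  ended=0          # set once the first non-255 octet has been seen
  for octet; do
    if [ "$ended" -eq 1 ] && [ "$octet" != 0 ]; then
      return 1     # non-zero octet after the mask ended: not contiguous
    fi
    case $octet in
      255) bits=$((bits + 8)) ;;
      254) bits=$((bits + 7)); ended=1 ;;
      252) bits=$((bits + 6)); ended=1 ;;
      248) bits=$((bits + 5)); ended=1 ;;
      240) bits=$((bits + 4)); ended=1 ;;
      224) bits=$((bits + 3)); ended=1 ;;
      192) bits=$((bits + 2)); ended=1 ;;
      128) bits=$((bits + 1)); ended=1 ;;
      0)   ended=1 ;;
      *)   return 1 ;;
    esac
  done
  echo "$bits"
}

# Print the client subnet in CIDR form from the first "server <net> <mask>" line.
# "server-bridge" and "server-ipv6" lines are not matched.
server_cidr() {
  line=$(grep -E '^[[:space:]]*server[[:space:]]' "$1" | head -n 1)
  [ -n "$line" ] || return 1
  set -- $line
  [ $# -ge 3 ] || return 1
  prefix=$(mask_to_prefix "$3") || return 1
  echo "$2/$prefix"
}

# Emit the nat-table block that goes before the *filter line in before.rules.
# $1 is the client CIDR, $2 the egress interface.
nat_fragment() {
  cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN client subnet out via $2
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# Demo on a constructed server.conf (the real file is /etc/openvpn/server.conf).
sample_conf=$(mktemp)
printf 'port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n' > "$sample_conf"
cidr=$(server_cidr "$sample_conf") && nat_fragment "$cidr" eth0
rm -f "$sample_conf"
```

Run it against the real file with server_cidr /etc/openvpn/server.conf and paste the printed fragment above the “*filter” line; a netmask that is not contiguous or a missing server line makes the helper fail instead of silently producing a too-wide rule.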

Dropping the wires on the Raspberry PI

Testing the RPi for some remote sensing application I needed to use a wireless connection as it would have been a pain to reach with an Ethernet cable.

Parts

  • Raspberry Pi Model B 512MB
  • Raspbian 3.6.11+ Kernel
  • Comfast 802.11n – Realtek RTL8188CUS WLAN Adapter

Install WPA Supplicant

sudo apt-get install wpasupplicant
See http://en.wikipedia.org/wiki/Wpa_supplicant

Check for the USB adapter

sudo lsusb
This should show output similar to this (depending on your USB adapter)
Bus 001 Device 004: ID 0bda:8176 Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter

Generate PSK Key

wpa_passphrase derives the 256-bit PSK from the passphrase and the SSID (PBKDF2), which is the value the driver actually uses; storing the hex value keeps the cleartext passphrase out of the config, although anyone who can read the hex PSK can still join the network. If you would rather put the cleartext passphrase in the config you can skip this step. Passing the passphrase on the command line leaves it in your shell history; if you omit the second argument, wpa_passphrase reads the passphrase from standard input instead.
wpa_passphrase YOUR_SSID YOURCLEARTEXTWPAKEY
This should show output similar to this:
network={
ssid="YOUR_SSID"
#psk="YOURCLEARTEXTWPAKEY"
psk=c885c4288a0c68b989289586cb075c0ccd1729d2c035820d02ed813fc729f317
}

Edit network configuration

sudo vim /etc/network/interfaces
auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-ssid "YOUR_SSID"
    wpa-psk c885c4288a0c68b989289586cb075c0ccd1729d2c035820d02ed813fc729f317
Note that /etc/network/interfaces is world-readable by default, so any local user on the Pi can read the PSK from it.

Finish off

sudo shutdown -h now
Unplug the Ethernet cable.
Power up the RPi and you should see a new wireless DHCP lease for it on the router.
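Before shutting down and pulling the cable it is worth checking the stanza once, since a mistyped or truncated PSK leaves you with a Pi that never comes back on the network. The following is an added example (not code from the original post): a POSIX shell check that pulls wpa-ssid and wpa-psk out of an interfaces file and verifies that the PSK is either the 64-hex value from wpa_passphrase or a quoted 8..63 character passphrase. The stanza used in the demo is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): check the wlan0 stanza in an
# /etc/network/interfaces file before shutting down and unplugging the cable.
# The stanza used in the demo is constructed.

# Print the value of a wpa-* option (e.g. wpa-psk) from an interfaces file.
# Leading indentation is allowed; surrounding quotes are kept.
wpa_option() {
  sed -nE "s/^[[:space:]]*$2[[:space:]]+//p" "$1" | head -n 1
}

# Classify a wpa-psk value:
#   hex        64 hex digits, the pre-derived PSK printed by wpa_passphrase
#   passphrase quoted 8..63 printable characters, i.e. the cleartext passphrase
#   invalid    anything else (typo, truncated paste, missing quotes)
psk_kind() {
  if printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo hex
  elif printf '%s\n' "$1" | grep -Eq '^"[[:print:]]{8,63}"$'; then
    echo passphrase
  else
    echo invalid
  fi
}

# Returns 0 if the file has a wpa-ssid and a usable wpa-psk, 1 otherwise.
check_interfaces() {
  ssid=$(wpa_option "$1" wpa-ssid)
  psk=$(wpa_option "$1" wpa-psk)
  if [ -z "$ssid" ]; then
    echo "no wpa-ssid in $1" >&2
    return 1
  fi
  case $(psk_kind "$psk") in
    hex)        echo "ok: $ssid uses a pre-derived PSK" ;;
    passphrase) echo "ok: $ssid uses a cleartext passphrase (readable by anyone who can read $1)" ;;
    *)          echo "bad wpa-psk for $ssid: '$psk'" >&2; return 1 ;;
  esac
}

# Demo on a constructed stanza (the real file is /etc/network/interfaces).
sample=$(mktemp)
printf 'auto wlan0\nallow-hotplug wlan0\niface wlan0 inet dhcp\n    wpa-ssid "YOUR_SSID"\n    wpa-psk c885c4288a0c68b989289586cb075c0ccd1729d2c035820d02ed813fc729f317\n' > "$sample"
check_interfaces "$sample"
rm -f "$sample"
```

Run check_interfaces /etc/network/interfaces on the Pi; it exits non-zero when the PSK is neither a full 64-digit hex string nor a quoted passphrase, which is the usual result of a partial paste over a serial console or SSH.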