IPTABLES routing syntax question

[Bosse_B]

I am trying to set up an RPi4 box to act as an OpenVPN server, which I have done many times before successfully.
But all of these times I have had the RPi attached by wired Ethernet and this time it needs to be using WiFi but also if available using wired Ethernet. This complicates the IPTABLES setup for me since I am using my notes from way back when I started using these OVPN servers on RPi units in 2013...

So, what I have now is this:

Code: Select all

sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.13.0/24         anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This looks fine especially the "destination anywhere" item...
But when I use iptables-save to see what is actually used to set this on boot:

Code: Select all

sudo iptables-save
# Generated by xtables-save v1.8.2 on Sat Mar  7 10:16:12 2020
*nat
:PREROUTING ACCEPT [2401:259371]
:INPUT ACCEPT [2400:259041]
:POSTROUTING ACCEPT [402:34785]
:OUTPUT ACCEPT [402:34785]
-A POSTROUTING -s 10.8.13.0/24 -o wlan0 -j MASQUERADE
COMMIT
# Completed on Sat Mar  7 10:16:12 2020

My problem is that in order for the routing to be set up on boot I am using iptables-persistent, which I installed via apt.
This uses the iptables-save output as input (saved to a file in /etc/iptables/).
And it specifically defines using wlan0 as the output interface....

So it works fine as long as I have it connected by WiFi, but how can I set this up so it will also work if I have connected the RPi by wired Ethernet?
I would like the box to be possible to connect either way on the target location.

[epoch1970]

It is my understanding that adding another masquerade rule, identical to the first one except with “-o eth0” will make iptables masquerade traffic coming out of either interface.
It is no problem to have multiple masquerade rules, as with any other firewall table

[Bosse_B]

It is my understanding that adding another masquerade rule, identical to the first one except with “-o eth0” will make iptables masquerade traffic coming out of either interface.
It is no problem to have multiple masquerade rules, as with any other firewall table

OK, but I was just wondering if the presence of a rule targeting wlan0 when the active connection is to eth0 would make outgoing traffic from the tunnel exit through the wrong interface (using the non-connected interface and therefore fail)?
If I change the rule to look like this instead:

Code: Select all

-A POSTROUTING -s 10.8.13.0/24 -j MASQUERADE

This means not specifying the outgoing interface at all?

[epoch1970]

I'm not sure omitting "-o" would work?

Iptables' POSTROUTING chain, as it name implies has no effect on routing. It comes after route selection, as you can see in the drawing there.

So if you have 2 "-o interface" masquerade rules, one or the other would be applied each time, according to prior routing/filtering decisions

[Bosse_B]

Thanks,
I have now added the eth0 interface as well so it looks like this when using iptables-save:

Code: Select all

sudo iptables-save
# Generated by xtables-save v1.8.2 on Sat Mar  7 16:32:10 2020
*nat
:PREROUTING ACCEPT [3:467]
:INPUT ACCEPT [3:467]
:POSTROUTING ACCEPT [2:136]
:OUTPUT ACCEPT [2:136]
-A POSTROUTING -s 10.8.13.0/24 -o wlan0 -j MASQUERADE
-A POSTROUTING -s 10.8.13.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Mar  7 16:32:10 2020

If I understand correctly this will mean that the kernel will decide which interface to use depending on connection state.
Probably if both are connected it will select the one listed first?
This might happen if I connect the RPi4 by Ethernet cable because its wpa-supplicant.conf file has entries for all of the WiFi networks in my home, my phone hotspot, my summer home and our children's homes...

Unless of course Raspbian does not trigger a WiFi connection if it has connected by Ethernet cable.

[epoch1970]

Routing decides.
If 2 interfaces are up and offer identical routes, the route with the lowest metric value is chosen.
On Raspbian on a Pi with Ethernet and WiFi builtin, usually you can see eth0 with a metric of 202 and wlan0 with a metric of 303. For identical routes, Ethernet is preferred over WiFi.

If routes are not identical, the route with the longest prefix is preferred. E.g. trying to reach 192.168.0.1 given a route A to 192.168.0.0/24 and a route B to 192.168.0.0/29, the kernel will choose route B, hence the interface attached to it.