Basic NAT for non UCI interface

I am using a package that creates a network interface, vpn0, and need to NAT/masquerade the traffic on this interface using something like:

iptables -t nat -A POSTROUTING -o eth0.2 -j MASQUERADE
iptables -A FORWARD -i eth0.2 -o vpn0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i vpn0 -o eth0.2 -j ACCEPT

With well-supported software like wireguard, this can be easily done without manually writing firewall rules by assigning the VPN interface to the LAN zone. Unfortunately, this VPN interface does not appear in LuCI, so this is not an option.

What would be the best way to accomplish this? I tried translating the above rules with iptables-translate, but in each case, it seems I am missing a table or chain. Also, I assume it would not be enough to just 'translate' the old iptables rules. I'd have to write rules that integrate with the existing ruleset.

An easier option, if it were possible, would be to somehow make the VPN interface appear in LuCI/UCI. I'm unclear as to how difficult this would be.

I am running the stock OpenWrt firewall rules with minimal changes.

I'm all ears on how best to achieve this.

Easiest solution is declaring a new firewall zone, but using a raw device selector instead of attached networks.

# this declares a zone container referencing "vpn0" and sets up the usual nat machinery
config zone
  option name myvpn
  option device vpn0
  option input reject
  option output accept
  option forward reject
  option masq 1

# this allows unsolicited lan->myvpn (iptables -A FORWARD -i eth0.2 -o vpn0 -j ACCEPT)
# and established/related replies
config forwarding
  option src lan
  option dest myvpn

If you do not require specific handling of VPN you could even just add option device vpn0 to the existing wan zone, it would then inherit the standard wan policies.

4 Likes
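The same zone and forwarding as in the answer above, applied through the uci CLI instead of editing /etc/config/firewall by hand, plus a check that the masquerade rule actually landed. This is an added example, not code from the thread; it assumes the names vpn0, myvpn and lan used in the thread, and that the router runs fw4 (nftables) for the verification step.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed names: device vpn0,
# zone myvpn, source zone lan. Zone policies mirror the answer above.

# Emit the uci batch commands for a zone bound to a raw device plus a
# src -> zone forwarding. Printing them first lets you review before commit.
gen_uci_batch() {
  dev="$1"; zone="$2"; src="$3"
  cat <<EOF
set firewall.${zone}=zone
set firewall.${zone}.name='${zone}'
set firewall.${zone}.device='${dev}'
set firewall.${zone}.input='reject'
set firewall.${zone}.output='accept'
set firewall.${zone}.forward='reject'
set firewall.${zone}.masq='1'
set firewall.${src}_${zone}=forwarding
set firewall.${src}_${zone}.src='${src}'
set firewall.${src}_${zone}.dest='${zone}'
EOF
}

# Apply the batch, commit it and reload the firewall (OpenWrt only).
apply_zone() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found: not on OpenWrt?" >&2; return 1; }
  gen_uci_batch "$@" | uci batch && uci commit firewall && /etc/init.d/firewall reload
}

# fw4 generates one srcnat_<zone> chain per zone; with masq=1 it holds the
# masquerade rule, so its presence confirms the NAT half of the setup.
verify_zone() {
  zone="$1"
  command -v nft >/dev/null 2>&1 || { echo "nft not found: this check needs fw4" >&2; return 1; }
  nft list chain inet fw4 "srcnat_${zone}" | grep -q masquerade
}

case "${1:-show}" in
  apply)  apply_zone vpn0 myvpn lan ;;
  verify) verify_zone myvpn ;;
  *)      gen_uci_batch vpn0 myvpn lan ;;   # default: just print the batch
esac
```

Run with no argument to review the generated batch, `apply` to commit it on the router, and `verify` afterwards to confirm fw4 emitted the masquerade rule for the new zone.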

The old way, which is no longer needed now that firewall option device exists, was to create a stub interface which only exists to attach an interface name to a device name.

/etc/config/network

config interface 'vpn'
    option device 'vpn0'
# OR really old syntax
    option ifname 'vpn0'
    option proto 'none'

Then network vpn can be included in a firewall zone.
This often appears in old instructions for OpenVPN. Do not use any of this in new releases.

1 Like

This is exactly what I needed. Thanks.
