sending tun/tap packets to destination server

Question

how can I send the read packet from tun to the server? I checked the packets by Wireshark and all of them was DNS request and changed the default gateway of my system to the IP of my VM and all packets goes there. the tun works good and I can print everything about packets but the problem is I don't know how to forward them to the destination server. (i know socket programming)
the code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <assert.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <netdb.h>
#include <fcntl.h>
#include <signal.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/ip.h>
#include <arpa/inet.h>
#include <netinet/in.h>

struct sockaddr_in Packet, dest;

#define Tun_Device "tun0"

static int max(int a, int b){
    return a > b ? a : b;
    }

int read_tun(char *name, int type){
    struct ifreq ifr;
    int tun_fd;
    tun_fd = open("/dev/net/tun", O_RDWR)
    memset(&ifr, 0, sizeof(ifr));
    ifr.ifr_flags = type;
    strncpy(ifr.ifr_name, name, IFNAMSIZ);
    ioctl(tun_fd, TUNSETIFF, (void *)&ifr);
    return tun_fd;
    }

int main(){ 
    int tun_fd, packet_length, tcpfd;
    struct sockaddr_in cliaddr, servaddr;
    char buffer[2048];
    char destination[16];
    int i = 0;
    struct iphdr *iph = (struct iphdr*) buffer;
    tun_fd = read_tun(Tun_Device, IFF_TUN | IFF_NO_PI);
    while (1) {
        fd_set readset;
        FD_ZERO(&readset);
        FD_SET(tun_fd, &readset);
        FD_SET( , &readset);
        int max_fd = max(tun_fd, udp_fd) + 1;
        select(max_fd, &readset, NULL, NULL, NULL)
        if (FD_ISSET( , &readset)) {
            }

        if (FD_ISSET( , &readset)) {
            }
        }
    }

Answer 1

Your default gateway must activate IP forwarding and you need to set corresponding iptables rules.

From gateway machine, you need to:

# Turn on IPv4 forward
sudo sysctl net.ipv4.ip_forward=1

# Add MASQUERADE rule
iptables -t nat -I POSTROUTING -s x.x.x.x/y ! -o tun0 -j MASQUERADE

# Allow forwarding
iptables -t filter -I FORWARD -d x.x.x.x/y -j ACCEPT
iptables -t filter -I FORWARD -s x.x.x.x/y -j ACCEPT
iptables -t filter -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Note

• Adjust the x.x.x.x/y with your TUN/TAP network subnet.
• Adjust the tun0 with virtual network interface name you use.

---

Default Gateway setting for client

You still need to communicate with your internet router when you override any traffic to virtual network interface, because you need to send encapsulated packet to VPN server.

In order to do that, you should not delete your default route that is going via your physical router.

The rule is simple:

• Packet which its destination/source is VPN server IP address must be sent/received via physical router.
• Other packets must be sent/received via virtual network interface.
• Plus you may want to make some exceptions for local network if you have any.

Config example

VPN_IFACE=tun0
VPN_PRIVATE_IP=10.8.8.2
VPN_GATEWAY_IP=10.8.8.1
VPN_BROADCAST_IP=10.8.8.25
VPN_PUBLIC_IP=123.123.123.123
REAL_DEFAULT_IP=192.168.1.1

# Raise up virtual network interface
sudo ip link set dev $VPN_IFACE up mtu 1480
sudo ip addr add dev $VPN_IFACE $VPN_PRIVATE_IP/24 broadcast $VPN_BROADCAST_IP

# Encapsulated packet must be routed via your real router.
sudo ip route add $VPN_PUBLIC_IP/32 via $REAL_DEFAULT_IP

# Override any traffic, except for encapsulated packet
# Make them routed via virtual network interface gateway
sudo ip route add 0.0.0.0/1 dev $VPN_IFACE via $VPN_GATEWAY_IP
sudo ip route add 128.0.0.0/1 dev $VPN_IFACE via $VPN_GATEWAY_IP

# Don't delete default route to your real physical router!