Enabling meshnet breaks forwarding rules for masqueraded/forwarded traffic for the lan. #659
nordvpn settings
Hi, thank you for your feedback. I was able to reproduce it. Would it work to use meshnet routing from other devices instead?
Hi, these are the rules in the forward chain when meshnet is enabled.
…-P FORWARD DROP
-A FORWARD -o wlp1s0f0 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -o end0 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 169.254.0.0/16 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 192.168.0.0/16 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 172.16.0.0/12 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 10.0.0.0/8 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.125.63.180/32 -m comment --comment nordvpn-exitnode-transient -j ACCEPT
-A FORWARD -d 100.64.0.0/10 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment nordvpn-exitnode-permanent -j ACCEPT
-A FORWARD -d 100.64.0.0/10 -m comment --comment nordvpn-exitnode-permanent -j DROP
-A FORWARD -s 100.64.0.0/10 -m comment --comment nordvpn-exitnode-permanent -j DROP
-A FORWARD -s 192.168.1.200/32 -m comment --comment "sprokkel DROP TRAFFIC FOR REPEATER" -j DROP
-A FORWARD -d 192.168.1.0/24 -m comment --comment "sprokkel FORWARD LAN TRAFFIC" -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -m comment --comment "sprokkel FORWARD LAN TRAFFIC" -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -o wlp1s0f0 -m comment --comment nordvpn -j ACCEPT
-A FORWARD -d 192.168.240.0/24 -o wlp1s0f0 -m comment --comment nordvpn -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -o end0 -m comment --comment nordvpn -j ACCEPT
-A FORWARD -d 192.168.240.0/24 -o end0 -m comment --comment nordvpn -j ACCEPT
It is possible to use another nordvpn client on the lan with meshnet enabled as a work-around.
offtopic: I use meshnet on my lan and my phone with 4G when I'm outside the lan to contact my lan-NAS system.
Now my nas system doesn't have a nordvpn client so with ssh port forwarding I create a tunnel from the meshnet enabled lan device to my nas system. Now when I'm outside I enable meshnet on my phone and through the meshnet connection I access my nas. That's what I use meshnet for.
So I'm running this nordvpn gateway (with OPENVPN, which is the nordtun interface) for my local lan by putting these rules in iptables:
$sudo iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o nordtun -j MASQUERADE
$sudo iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
$sudo iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
At this stage all lan-clients have internet through the nordtun interface. This works flawlessly.
Now, when I enable meshnet, the next rules are inserted into the FORWARD chain which then in turn DROPS the FORWARD traffic for the local lan so internet connection is lost to the entire lan:
$ sudo iptables -L FORWARD -vn
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * wlp1s0f0 0.0.0.0/0 0.0.0.0/0 /* nordvpn-exitnode-transient */
22 1264 DROP 0 -- * end0 0.0.0.0/0 0.0.0.0/0 /* nordvpn-exitnode-transient */
0 0 DROP 0 -- * * 100.64.0.0/10 169.254.0.0/16 /* nordvpn-exitnode-transient */
0 0 DROP 0 -- * * 100.64.0.0/10 192.168.0.0/16 /* nordvpn-exitnode-transient */
0 0 DROP 0 -- * * 100.64.0.0/10 172.16.0.0/12 /* nordvpn-exitnode-transient */
0 0 DROP 0 -- * * 100.64.0.0/10 10.0.0.0/8 /* nordvpn-exitnode-transient */
0 0 ACCEPT 0 -- * * 100.125.63.180 0.0.0.0/0 /* nordvpn-exitnode-transient */
0 0 ACCEPT 0 -- * * 0.0.0.0/0 100.64.0.0/10 ctstate RELATED,ESTABLISHED /* nordvpn-exitnod>
The second rule is the rule dropping the forward traffic to the lan making internet connection unavailable for the entire lan.
Now I was thinking just INSERTING these rules after meshnet connection
$sudo iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
$sudo iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
and that works for like 10 minutes, then the FORWARD chain is rewritten again and traffic is blocked again.
Any ideas how to fix this? I'd like to keep the gateway active and the meshnet connection enabled.
Any help is greatly appreciated.
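A small first-match evaluator for the FORWARD chain quoted in this issue, added here as an example (not code from the issue or from the nordvpn client); the chain excerpt, the packet addresses and the `insert_rule` helper are constructed from the rules in this thread. It confirms that the `-o end0` rule is what catches the LAN's return traffic, and that a rule inserted with `-I` lands above meshnet's rules until the chain is rewritten.

```python
"""First-match evaluator for an iptables FORWARD chain (added example, not code
from the issue or the nordvpn client): why meshnet's rules drop LAN return traffic."""
import ipaddress
import shlex

# Constructed excerpt of the chain quoted in the issue (meshnet's rules were inserted above the gateway's).
MESHNET_CHAIN = """
-P FORWARD DROP
-A FORWARD -o wlp1s0f0 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -o end0 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 192.168.0.0/16 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -d 100.64.0.0/10 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment nordvpn-exitnode-permanent -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
"""

def parse_chain(text):
    """Return (policy, rules); only -s, -d, -o, -j and --ctstate are interpreted."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":
            policy = tok[2]
            continue
        rule, i = {}, 2                   # skip the leading "-A FORWARD"
        while i < len(tok):               # every option in these rules takes exactly one value
            if tok[i] in ("-s", "-d", "-o", "-j", "--ctstate"):
                rule[tok[i].lstrip("-")] = tok[i + 1]
            i += 2
        rules.append(rule)
    return policy, rules

def verdict(chain_text, src, dst, out_if, state="NEW"):
    """First matching rule decides: returns (target, rule number) or (policy, None)."""
    policy, rules = parse_chain(chain_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if ("s" in r and src not in ipaddress.ip_network(r["s"])
                or "d" in r and dst not in ipaddress.ip_network(r["d"])
                or "o" in r and r["o"] != out_if
                or "ctstate" in r and state not in r["ctstate"].split(",")):
            continue                      # this rule does not match, try the next one
        return r["j"], n
    return policy, None

def insert_rule(chain_text, rule_spec):
    """Mimic `iptables -I FORWARD <spec>`: the new rule goes above everything else."""
    lines = chain_text.strip().splitlines()
    lines.insert(1, "-A FORWARD " + rule_spec)   # line 0 is the -P policy line
    return "\n".join(lines)
```

Outbound LAN traffic leaving via nordtun still reaches the gateway's ACCEPT rule, but the reply leaving via end0 is decided by meshnet's second rule, which matches the 22 packets counted on it in the `iptables -L` output above.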