
I have a Linux VM running a VPN client and I want to make sure all new, outbound connections to the internet go over the VPN tunnel, while also allowing local network devices to connect to it. This VM connects to the internet, and it also has to talk to 2 other local VMs. If the VPN goes down, so does the VM's internet connection (but the local network still allows connections so I can SSH in and restart services).

OpenVPN creates a tun0 interface and, as I understand it, this is just a virtual adapter that runs over UDP port 1198 via my VM NIC, ens160.

I can get by adding and removing firewall filter rules (make sure dns/ssh/icmp is allowed), but I'm not good enough with networking to design this myself correctly.

  • What would be the best way to accomplish this with iptables?
  • Would I use the nat table at all, or would just filter be able to accomplish this?
  • Do I target outbound connections using tun0, or ens160 over port 1198? Or both?
  • Is it possible to have the source of the connection be a given service/application?
  • Do I also need to enable split tunneling so the LAN connections will work? How?
  • Is there anything other than iptables that would be a better solution, in 2022?

I'm usually pretty good at figuring things out on my own, I just need to be pointed in the right direction. Please give explanations or links to helpful docs. Even some keywords I can search for: I couldn't find anything online that was related to my specific needs.

https://serverfault.com/a/403943/976907 This answer is close to what I need, but I don't have a static private IP for my VPN server, the OpenVPN connection is set to a domain name and a port. Also they mention a caveat about routes falling back to default, and my lack of confidence in things networking makes me want more info.

https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway I found this which might be related but I'm not 100% on what a redirect-gateway is and couldn't find a definition that made sense to me.

  • You almost certainly need multiple route tables, or multiple network namespaces. Create different routes for client access versus how to reply to incoming connections to the services you are running on that system. https://www.google.com/search?q=%22linux%22+multiple+route+tables – Zoredache Jul 19 '22 at 20:46
  • Cool thanks for the link. I’ll check it out – tonypags Jul 20 '22 at 21:28

1 Answer


Sounds like you are in FUD. By default on Linux OpenVPN does NOT override LAN routes (i.e. route with prefix length > 0), even with redirect-gateway or equivalent. (It's more of a Linux nature than an OpenVPN nature.) So it's more or less "split-tunnel" out of the box.

The only case you need solutions like policy routing is that you need the host to reply to certain traffic from the Internet (i.e. from a source IP covered by a VPN route such as the new default route) NOT via the tunnel / VPN but the physical NIC / LAN gateway. (Usually this only applies in the case of a VPN client that acts as some server for the public.)

As for the "kill-switch" part of your goal, you really just need to create a chain for -o ens160 on OUTPUT to traverse. There you can add the exceptions you need (such as the encapsulated VPN traffic, matched with e.g. -p tcp --dport 1198), and end the chain with a final / fallback DROP rule.

In this case I don't think it matters much whether your VPN server has a "fixed" IP, unless you are paranoid and concerned that some malware or whatever is so specific that it uses the exact same destination port as the VPN to leak your data. (The thing is, such a concern does not make much sense because what path the malware takes can hardly be relevant to its goal? I mean, malware protection is not exactly a purpose of a kill-switch, no?)

Tom Yan
  • Kill switch is not for malware. It’s just to ensure all new outbound connections are over the vpn so activity from here cannot be linked to my actual IP. Sounds like it’s not as complicated as I thought. But I’ll have to wait a week before I can try this since I’m out of town without a computer. Thanks I’ll let you know – tonypags Jul 20 '22 at 21:12
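The kill-switch chain the answer describes, written out as an added example (this is not code from the question or the answer): a POSIX shell script that emits the filter table in iptables-restore format, so the rules can be reviewed before they are loaded and reloaded atomically at boot. ens160 and port 1198 come from the question (UDP, as the question states; the answer's `-p tcp` is not used here). The LAN subnet, the resolver address and the chain name VPN_KILLSWITCH are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page. Generates the OUTPUT kill-switch the
# answer describes: a chain hooked on the physical NIC with exceptions for
# LAN, VPN encapsulation and DNS, ending in a fallback DROP.
WAN_IF="${WAN_IF:-ens160}"               # physical NIC (from the question)
VPN_PORT="${VPN_PORT:-1198}"             # OpenVPN server port, UDP (from the question)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed local subnet: the two other VMs, SSH clients
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"  # assumed resolver; needed to resolve the VPN hostname

# Print the filter table in iptables-restore(8) format. Nothing references
# tun0: the chain is only hooked on the physical NIC, so packets the routing
# table already sent into the tunnel never traverse it.
gen_killswitch_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VPN_KILLSWITCH - [0:0]
# Everything leaving the physical NIC is evaluated by the kill-switch chain.
-A OUTPUT -o ${WAN_IF} -j VPN_KILLSWITCH
# Replies to already-accepted connections (e.g. an inbound SSH session from the LAN).
-A VPN_KILLSWITCH -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The local network stays reachable, so SSH and the two local VMs keep working.
-A VPN_KILLSWITCH -d ${LAN_NET} -j ACCEPT
# The VPN's own encapsulated packets must leave via the NIC or the tunnel can never come up.
-A VPN_KILLSWITCH -p udp --dport ${VPN_PORT} -j ACCEPT
# The VPN server is configured by hostname, so name resolution must work while the
# tunnel is down; allow it to the chosen resolver only.
-A VPN_KILLSWITCH -d ${DNS_SERVER} -p udp --dport 53 -j ACCEPT
-A VPN_KILLSWITCH -d ${DNS_SERVER} -p tcp --dport 53 -j ACCEPT
# Fallback: any other new connection on the physical NIC is dropped instead of
# quietly taking the default route while the tunnel is down.
-A VPN_KILLSWITCH -j DROP
COMMIT
EOF
}

# Return the final rule of the generated table; the fallback DROP must be last,
# otherwise an exception placed after it would never be reached.
last_rule() {
    gen_killswitch_rules | grep -- '^-A' | tail -n 1
}

case "${1:-}" in
    --print) gen_killswitch_rules ;;
    --apply) gen_killswitch_rules | iptables-restore ;;   # needs root; replaces the filter table
esac
```

`sh killswitch.sh --print` shows the ruleset; `sudo sh killswitch.sh --apply` loads it, replacing the whole filter table, so merge it with any INPUT rules you already have. Two caveats worth checking against your own setup: if the resolver is on the internet rather than on the LAN, the DNS exception means hostname lookups leave from your real IP unencrypted whenever the tunnel is down, and if the OpenVPN config ever moves to TCP or another port, the `--dport` exception must follow it. For the per-application part of the question, the OUTPUT chain can also match on the sending process's user with `-m owner --uid-owner <uid>`, which is how an exception can be limited to one service rather than one port.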