5

I'm trying to configure openvpn so that only traffic from certain processes goes over the vpn, but those processes could connect to anywhere.

I'm trying to do that by having openvpn not do any route configuration (--route-noexec) and having applications explicitly connect to the tun interface (e.g. curl --interface tun0 'http://www.ipchicken.com'), but connect() seems to time out.

Is there some other step that I have to do in order to make the tun interface happy?

bobpoekert
  • Networking simply doesn't work like that. Routes determine the path used, not the interface you have bound to. – Zoredache Jan 15 '13 at 01:53
  • @Zoredache Hrmm. Then what's the point of `bind` and `connect` having an address argument? Why wouldn't it always be 0.0.0.0? – bobpoekert Jan 15 '13 at 02:01
  • There are cases where you need a particular source address to be used in a request, so that it is permitted through a firewall. This has nothing to do with routing though, it is only about setting the source IP address. – Zoredache Jan 15 '13 at 02:03
  • @Zoredache So then I guess I need to add a route based on source address? I.e.: "If your source address is 10.1.1.1, you route through tun0". – bobpoekert Jan 15 '13 at 02:06
  • @rabidsnail: That would definitely be one way to do it. You could have a loopback interface (or alias) that is never the default source address. Picking that source address could trigger routing table rules that send traffic over the VPN. – David Schwartz Jan 15 '13 at 09:20

2 Answers

2

You can achieve it by using a different routing table for packets coming from your tun0 interface.

# ip route add $VPN_NETWORK dev tun0
# ip route add default via $VPN_GATEWAY_IP table 1
# ip rule add iif tun0 table 1

The first route goes into the default table (table 254), the 2nd goes into table 2, and the third line binds packets from the tun0 interface to the 2nd routing table. You can give this table a name in /etc/iproute2/rt_tables:

# echo '1 vpn' >> /etc/iproute2/rt_tables

If your VPN Gateway is 10.8.0.1/16, you will have to type:

# ip route add 10.8.0.0/16 dev tun0
# ip route add default via 10.8.0.1 table vpn
# ip rule add iif tun0 table vpn

This is called Policy Routing and you must have CONFIG_IP_MULTIPLE_TABLES enabled in your kernel configuration for this to work.
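The policy-routing setup above, worked through as an added example; this is not code from the answer or from OpenVPN. One detail matters for the original question: `ip rule ... iif tun0` matches packets that *arrive* on tun0, and packets that curl generates on the host never arrive on tun0, so the script selects the table by source address (`from <tun0 address>`) instead, which is exactly what `curl --interface` sets. It also puts the connected subnet into the VPN table next to the default route so the gateway resolves as a next hop from that table. The addresses (10.8.0.6/16 on tun0, gateway 10.8.0.1), the table name `vpn` with id 1, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: source-address policy routing so that only sockets bound to
# the tun0 address leave through the VPN; everything else keeps the normal
# default route. Assumed values (override via the environment): tun0 carries
# 10.8.0.6/16, the VPN gateway is 10.8.0.1, the extra table is "vpn" (id 1).
TABLE="${TABLE:-vpn}"
TABLE_ID="${TABLE_ID:-1}"
DEV="${DEV:-tun0}"

# Pull "addr/prefix" out of `ip -4 -o addr show dev tun0` output. Reads stdin
# so a constructed line can be fed in for testing. With OpenVPN's net30
# (point-to-point) topology the line reads "inet A peer B/32"; then A is a
# /32 and the peer B is the gateway to pass to apply_policy_route.
parse_tun_addr() {
    awk '$3 == "inet" { if ($5 == "peer") print $4 "/32"; else print $4; exit }'
}

# Network of an a.b.c.d/n address, POSIX sh arithmetic only (no ipcalc needed).
network_of() {
    addr=${1%/*}
    pfx=${1#*/}
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - pfx)) & 4294967295 ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$pfx"
}

# Emit the ip(8) commands instead of running them, so they can be reviewed or
# dry-run before apply_policy_route executes them.
policy_route_cmds() {
    addr_cidr=$1
    gw=$2
    src=${addr_cidr%/*}
    net=$(network_of "$addr_cidr")
    # The VPN table carries the connected subnet as well as the default route,
    # so the gateway is resolvable as a next hop from within that table.
    # "from $src" (not "iif $DEV") is what matches locally generated packets.
    printf '%s\n' \
        "ip route replace $net dev $DEV src $src table $TABLE" \
        "ip route replace default via $gw dev $DEV table $TABLE" \
        "ip rule add from $src lookup $TABLE"
}

# Apply the commands (needs root). Registers the table name so that
# "ip rule ... lookup vpn" resolves, drops a stale rule so re-running stays
# idempotent, then checks with `ip route get` that the source address now
# routes over $DEV. 198.51.100.1 is a TEST-NET address used only as a probe.
apply_policy_route() {
    gw=$1
    addr_cidr=$(ip -4 -o addr show dev "$DEV" | parse_tun_addr)
    [ -n "$addr_cidr" ] || { echo "no IPv4 address on $DEV" >&2; return 1; }
    grep -qs "^$TABLE_ID[[:space:]][[:space:]]*$TABLE\$" /etc/iproute2/rt_tables \
        || echo "$TABLE_ID $TABLE" >> /etc/iproute2/rt_tables
    ip rule del from "${addr_cidr%/*}" lookup "$TABLE" 2>/dev/null
    policy_route_cmds "$addr_cidr" "$gw" | {
        rc=0
        while read -r cmd; do echo "+ $cmd"; $cmd || rc=1; done
        exit $rc
    } || return 1
    ip route get 198.51.100.1 from "${addr_cidr%/*}"
}

# Usage: ./vpn_route.sh show 10.8.0.6/16 10.8.0.1   (print commands)
#        ./vpn_route.sh apply 10.8.0.1             (as root, tun0 already up)
case "${1:-}" in
    show)  policy_route_cmds "$2" "$3" ;;
    apply) apply_policy_route "$2" ;;
esac
```

Run `apply` after OpenVPN (with --route-noexec) has brought tun0 up, then `curl --interface 10.8.0.6 http://www.ipchicken.com` takes the tunnel while an unbound curl still uses the default route. The `ip route get ... from 10.8.0.6` check at the end should report `via 10.8.0.1 dev tun0`; if it shows the LAN interface, the rule or table is not in place. Name resolution is a separate path: the resolver ignores `--interface`, so DNS still goes out the default route unless you point curl at a resolver reachable through the VPN (the `--dns-interface` / `--dns-ipv4-addr` options exist only in c-ares builds of curl).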

1

route-nopull

http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html

When used with --client or --pull, accept options pushed by server EXCEPT for routes. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

So add route-nopull to your OpenVPN config file. I wrote a post on how to use an OpenVPN VPN with cURL/PHP.

georgiecasey
  • This does not explain how to route traffic over the tunnel on a **process level**. Your post just explains how not to pull certain settings from the server (routes in this case) and does not interfere with routes set for specific processes on the host. – gertvdijk May 10 '15 at 16:32