
I am searching for a solution to route all traffic from a server through OpenVPN but keep it possible to host applications on the server which can be accessed outside of the local area network.

To be a little more specific: there are two applications hosted on the server. One application binds port 80 and the other binds port 8080. All traffic to and from these services has to go direct; all other traffic has to go through the VPN tunnel.

At the moment, requests are being received directly but not answered when the VPN is running. All services can be reached when I disable the VPN:

[Wireshark screenshot]

How can I configure OpenVPN, for example with an up script, so that these routes will be routed correctly?

An overview of my network interfaces:

lo Link encap:Local Loopback 
inet addr:127.0.0.1 Mask:255.0.0.0 
inet6 addr: ::1/128 Scope:Host 
UP LOOPBACK RUNNING MTU:65536 Metric:1 
RX packets:537169 errors:0 dropped:0 overruns:0 frame:0 
TX packets:537169 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:0 
RX bytes:147901148 (147.9 MB) TX bytes:147901148 (147.9 MB) 

p4p1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx 
inet addr:192.168.2.201 Bcast:192.168.2.255 Mask:255.255.255.0 
inet6 addr: xxx/64 Scope:Global 
inet6 addr: xxx/64 Scope:Link 
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
RX packets:8062700 errors:0 dropped:180 overruns:0 frame:0 
TX packets:10937639 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:1000 
RX bytes:7942028079 (7.9 GB) TX bytes:12229412785 (12.2 GB) 

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
inet addr:XX P-t-P:XX Mask:255.255.255.255 
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 
RX packets:6382168 errors:0 dropped:0 overruns:0 frame:0 
TX packets:6004894 errors:0 dropped:46397 overruns:0 carrier:0 
collisions:0 txqueuelen:100 
RX bytes:7066816609 (7.0 GB) TX bytes:4808493953 (4.8 GB) 

Routing tables before connection with the VPN:

ip route show
default via 192.168.2.254 dev p4p1
192.168.2.0/24 dev p4p1  proto kernel  scope link  src 192.168.2.201

Routing tables after connection with the VPN:

ip route show
0.0.0.0/1 via 10.124.1.5 dev tun0
default via 192.168.2.254 dev p4p1
10.124.1.1 via 10.124.1.5 dev tun0
10.124.1.5 dev tun0  proto kernel  scope link  src 10.124.1.6
109.201.154.152 via 192.168.2.254 dev p4p1
128.0.0.0/1 via 10.124.1.5 dev tun0
192.168.2.0/24 dev p4p1  proto kernel  scope link  src 192.168.2.201
Laurence
  • http://lartc.org/howto/lartc.rpdb.multiple-links.html You basically have two network connections in your setup. – Zoredache May 02 '16 at 15:30
  • @Zoredache Thank you for your suggestion. It sounds like the right solution, but I have one question: I have three network interfaces. The server has one Local Loopback interface, one local Ethernet interface and one VPN connection. The IP-address of the VPN is dynamic and because of that not known. All the IP-addresses in the resource that you gave are known. How can I configure the routing when there is limited knowledge about the VPN connection, only the interface name of the VPN connection is known? – Laurence May 03 '16 at 06:37
  • It isn't easy. Most of the OpenVPN configuration is pushed from the server, and with options in the configuration OpenVPN can be configured to pass routes, and network configuration information to scripts. You would need to write scripts that populate alternate route tables. I don't have any example scripts or anything to give you though. Sorry. – Zoredache May 03 '16 at 17:16
  • Could you clarify which traffic should be routed into the OpenVPN tunnel? Is this traffic originating directly at the host? – gxx May 04 '16 at 14:40
  • @gf_ I updated the question – Laurence May 04 '16 at 14:48
  • Your question is unclear to say the least. – Tedwin May 04 '16 at 17:38
  • @Tedwin Could you explain what is unclear? – Laurence May 06 '16 at 08:48
  • Show route tables before and after VPN connection and VPN config – Dariusz Bączkowski May 09 '16 at 19:05
  • @ESYSCODER I updated the question – Laurence May 09 '16 at 19:21

4 Answers


Surely it is (possible) — Policy Based Routing they call it.

You can use firewall marking and then leverage ip rule.


LARTC is the thing you're looking to have read thoroughly.

poige
  • Could you explain how to configure this? I really do not have an idea how to do that. – Laurence May 04 '16 at 14:42
  • @Laurence This is HOWTO on marking "packets": http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html – poige May 04 '16 at 14:47
  • @Laurence This is HOWTO on routing rules: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.html – poige May 04 '16 at 14:49
  • I have to say that I have little experience in how OpenVPN works, but I already tried to send all traffic from a user to my local network interface: http://pastebin.com/89VCenfP (The interfaces do not match the real interface names). That does not work, all traffic sent by that user does not reach its destination. I guess that it is the same principle. But I am going to take a look at those links – Laurence May 04 '16 at 14:51
  • Well, it all depends on what you're aiming to reach. If you need to have this done, you can hire someone. If you need to have done this, you should study how things work. No other known way. Guessing won't do, I can add. – poige May 04 '16 at 14:56
  • I know how to configure rules. But in my experience, this suggestion does not work when the OpenVPN server sends a redirects all traffic rule. So could you explain how to configure this? You did not cover bypassing the pushed OpenVPN configurations for instance. – Laurence May 06 '16 at 10:49
  • What rules? :) There's no such thing as "a redirects all traffic rule" that OpenVPN server would send. You didn't either read the links I gave you or understand them. – poige May 06 '16 at 10:53
  • "On OpenVPN usually the server "decides" this for you: It can be configured to tell clients to send all their traffic (by default) through the VPN - which makes sense e.g. if the VPN is used to secure your internet connection." source: http://askubuntu.com/questions/383774/how-do-i-configure-which-programs-go-through-the-openvpn-tunnel – Laurence May 06 '16 at 10:55
  • "Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy. On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:" Source: https://openvpn.net/index.php/open-source/documentation/howto.html#redirect – Laurence May 06 '16 at 11:05
  • It's not "redirect all traffic" rule. Moreover, the rules I told you about are ip routing rules, that Linux kernel supports. Look, I told you before about 2 choices you have. ;) – poige May 06 '16 at 11:47
  • From the OpenVPN manual: "redirect-gateway: Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN". The answer that you posted does not answer the question that I asked. Please update your answer or remove it. Your answer is not helpful to anyone with the same problem and cannot be used to solve the whole issue. – Laurence May 06 '16 at 12:19
  • You're citing wrong manual. I gave you two links, none of them refers to openvpn's site. ) – poige May 06 '16 at 16:27
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/39400/discussion-between-laurence-and-poige). – Laurence May 06 '16 at 17:02

I had the same issue as you had. You have to disable rp_filter and redirect all traffic with destination port 80 and 8080 to your normal interface.

Disable reverse path filtering

# Disable reverse path filtering on every interface (quote the path so odd names cannot split)
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done

We are going to use table 100. Make sure it is not used by anything else! We are going to flush it

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

Create the table for all connections (Not the VPN tunnel)

# Copy every main-table route except the default route and the tunnel routes into table 100.
# $ROUTE is left unquoted on purpose: the line has to be split back into the arguments of "ip route add".
ip route show table main | grep -Ev '^default' | grep -Ev 'tun0' \
| while read -r ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via 192.168.2.254
ip rule add fwmark 1 table 100
ip route flush cache

Bypass port 80 and 8080

iptables -t mangle -A PREROUTING -i p4p1 -p tcp -m multiport --dports 80,8080 -j MARK --set-mark 1
Orophin
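As an added example, not code from the answer above or from the OpenVPN project: the same policy-routing idea (table 100 plus a firewall mark, as in this answer and in poige's answer) packaged as an OpenVPN route-up script, so it runs each time the tunnel comes up and reads the LAN gateway from the route_net_gateway variable that OpenVPN exports, instead of hard-coding it. The config lines in the header, the script path, the LAN_IF/SERVICE_PORTS defaults and the DRY_RUN switch are assumptions; table 100, mark 1, p4p1 and ports 80/8080 are taken from the question and the answer. The script marks the connection with CONNMARK and restores that mark on locally generated packets, so the replies to inbound requests consult table 100 before the tunnel routes, and it sets rp_filter to loose (2) rather than switching it off.

```shell
#!/bin/sh
# Added example, not code from the original answers: an OpenVPN --route-up
# script that keeps inbound connections to the local services on the LAN
# interface while the pushed redirect-gateway routes carry everything else.
#
# Assumed (hypothetical) client config lines:
#   script-security 2
#   route-up /etc/openvpn/keep-services-direct.sh
#
# OpenVPN exports route_net_gateway (the default gateway that existed before
# the tunnel came up) and script_type into the script environment. The LAN
# interface name, table number, mark and ports are assumptions taken from the
# question and the answer above; adjust them for another host.

LAN_IF="${LAN_IF:-p4p1}"
SERVICE_PORTS="${SERVICE_PORTS:-80,8080}"
TABLE=100            # must not be used by anything else on the host
MARK=1
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1 (review the plan first).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# teardown: remove whatever an earlier run installed; missing entries are not errors.
teardown() {
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip route flush table "$TABLE" 2>/dev/null || true
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -p tcp -m multiport \
        --dports "$SERVICE_PORTS" -j CONNMARK --set-mark "$MARK" 2>/dev/null || true
    run iptables -t mangle -D OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark 2>/dev/null || true
}

# plan_routes LAN_GATEWAY LAN_PREFIX: install table TABLE and the marking rules.
plan_routes() {
    lan_gw="$1"
    lan_net="$2"

    # 1. Loose reverse-path filtering (2) instead of strict: for the inbound
    #    service packets the main table points the reverse path at the tunnel,
    #    not at the interface they arrived on, so strict mode would drop them.
    run sysctl -q -w net.ipv4.conf.all.rp_filter=2
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.rp_filter=2"

    # 2. Table TABLE reproduces the pre-tunnel routing: the LAN link route and
    #    a default via the LAN gateway. The tunnel address never matters here,
    #    so the dynamic VPN address asked about in the comments is not needed.
    run ip route replace "$lan_net" dev "$LAN_IF" table "$TABLE"
    run ip route replace default via "$lan_gw" dev "$LAN_IF" table "$TABLE"

    # 3. Packets carrying MARK are routed by table TABLE before the main table.
    run ip rule add fwmark "$MARK" table "$TABLE" priority 100

    # 4. Mark the *connection* when a request for the services arrives on the
    #    LAN interface, then copy that connection mark onto every locally
    #    generated packet of the same connection (the replies). A plain MARK in
    #    PREROUTING tags only the incoming packet; the replies are new packets
    #    and need the mark restored before their own routing decision.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m multiport \
        --dports "$SERVICE_PORTS" -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
}

# Entry point when OpenVPN runs the file as its route-up script.
if [ "${script_type:-}" = "route-up" ]; then
    lan_net=$(ip -o -4 route show dev "$LAN_IF" proto kernel scope link | awk 'NR==1 {print $1}')
    teardown
    plan_routes "${route_net_gateway:?not exported by OpenVPN}" "${lan_net:?no link route on $LAN_IF}"
fi
```

To see what would be installed without touching the host, run it with DRY_RUN=1 and a fake gateway, e.g. DRY_RUN=1 script_type=route-up route_net_gateway=192.168.2.254 sh keep-services-direct.sh; the same commands can be checked against the question's post-connection routing table (the tunnel's 0.0.0.0/1 and 128.0.0.0/1 routes stay in the main table, only marked connections take table 100).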

You can ignore or override the redirect-gateway option pushed from the server: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

Ignoring redirect-gateway

If you are running OpenVPN as a client, and the server you use is using push "redirect-gateway" then your client redirects all internet traffic over the VPN. Sometimes clients do not want this, but they can not change the server's configuration. This page explains how to override redirect-gateway so the client does not need to redirect internet even though the server says to.

Method 1: ignore

There are 2 options that can be used to ignore routes pushed by the server:

--route-noexec Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.

--route-nopull When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

Method 2: override

Here we will simply add routes that override --redirect-gateway. This will work much like the def1 flag to --redirect-gateway works. This can be different if the server uses the def1 flag to the --redirect-gateway option or not (by checking the log while connecting). Note that net_gateway is an internal variable to openvpn and does not need to be changed to anything. If you do not know if your server uses def1 and do not want to check the logs to figure it out, just assume they DO use def1 and use the 4 routes. That will work no matter what.

def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

If the server DOES NOT use def1 add the following options to the clients config:

route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway

If the server DOES use def1 or if you do not know, add the following options to the clients config:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

Then traffic coming from outside will go via normal gateway and traffic from VPN subnet will go to VPN. If behind VPN subnet are other networks you will have to add routes for them manually.

route 10.0.0.0 255.255.255.0 vpn_gateway

  • And how can I redirect all traffic for the services on port 80 and 8080 to the vpn_gateway? When I add my local network, all traffic will go to the vpn_gateway because OpenVPN and the services are installed on the same server. – Laurence May 09 '16 at 18:31

I believe the right solution will be split tunneling, or that is what I would do on a client workstation, but your situation is a little different, because there is a server: is it possible to add a second network interface?

In that case you can route all your VPN traffic through the first interface, and still let your service listen on the second one.

HEDMON
  • The server has only one physical network interface and another party hosts the VPN server. At the moment, I have configured a VPN client. External users cannot connect to the network service when the VPN is running. The service can only be reached when I disable the VPN. – Laurence May 02 '16 at 13:36
  • Did you try split tunneling? I always saw it in client workstations, so I'm not complete sure if using it will let your clients reach the server. Can you add another network interface to the server? I guess this will be the most easy and quickly solution – HEDMON May 02 '16 at 13:40
  • OpenVPN doesn't have a split tunneling option that magically deals with the routing for you. – Zoredache May 02 '16 at 15:34
  • Who told about 'magically'? – HEDMON May 03 '16 at 05:05