
I have a VPN with OpenVPN on an Ubuntu server which works for every connection.

The server config is:

port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/CommonName.crt
key easy-rsa/keys/CommonName.key
dh easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
#push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "topology subnet"
topology subnet
route 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3

My client.conf contains:

client
dev tun
proto udp
remote IP_ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
ns-cert-type server
comp-lzo
verb 3

Currently the server is routing each connection through the VPN connection.

This is done via iptables:

iptables -A FORWARD -o ens3 -i tun0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING  -o ens3 -j MASQUERADE

So, this is fine.

Now I just want to use the VPN connection if the destination is example.com, otherwise not.

So I tried this one:

iptables -A FORWARD -o ens3 -i tun0 -s 10.8.0.0/24 -d example.com -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack -s example.com --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING  -o ens3 -j MASQUERADE

But this didn't work. I also tried the IP address of example.com.

But if I browse to other websites, it will still use the VPN connection. I verified this by testing with "show my current IP address" services.

What am I doing wrong?

iptables --help shows me

[!] --destination -d address[/mask][...]

Or does it not work for this? How can I fix it?

rob
  • Possible duplicate of [How to route only specific openVPN traffic through a openVPN based on IP filtering of the destination?](https://serverfault.com/questions/631037/how-to-route-only-specific-openvpn-traffic-through-a-openvpn-based-on-ip-filteri) – Lenniey Mar 06 '19 at 12:02

1 Answer

You need to add rules to your routing table.

ip route add $example.com.ip via $vpn.gateway

For more sophisticated routing you can use iptables to set a mark on the packet and then use ip rule to route based on the mark.

Further, your configuration will add the VPN as a "default" route for everything. You need to remove the redirect-gateway option.

Another thought, if you are doing your testing from the same machine which established the VPN tunnel (the client) then the FORWARD chain is not going to be used at all. FORWARD is not for locally generated packets.

chutz
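The mark-and-rule approach the answer mentions, as an added example that is not part of the answer or of OpenVPN: run on the machine that established the tunnel, it marks packets for one destination address in the mangle table, sends marked packets to a dedicated routing table whose only default route is the VPN gateway, and leaves all other traffic on the normal default route (so the pushed redirect-gateway must be removed first). The gateway 10.8.0.1, device tun0, table 100, mark 0x1 and the destination 203.0.113.10 are assumed values; iptables resolves a hostname only once, when the rule is loaded, so resolve example.com to an address yourself before calling the function.

```shell
#!/bin/sh
# Route traffic for ONE destination through the VPN with fwmark + ip rule.
# Assumed values (not from the question): gateway 10.8.0.1 on tun0,
# routing table 100, fwmark 0x1. DRY_RUN=1 prints the commands instead
# of executing them, so the rule set can be reviewed before it is applied.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vpn_route_for DEST_IP VPN_GW VPN_DEV
# DEST_IP must already be an address: iptables resolves a hostname only at
# rule-insertion time and never tracks later DNS changes.
vpn_route_for() {
    dest="$1"; gw="$2"; dev="$3"
    table=100; mark=0x1
    # Mark locally generated packets (OUTPUT) and forwarded packets
    # (PREROUTING); FORWARD alone never sees locally generated traffic.
    run iptables -t mangle -A OUTPUT -d "$dest" -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -d "$dest" -j MARK --set-mark "$mark"
    # Dedicated table: its only default route points into the tunnel.
    run ip route add default via "$gw" dev "$dev" table "$table"
    # Marked packets consult that table before the main table.
    run ip rule add fwmark "$mark" lookup "$table"
    # Everything unmarked keeps using the main table's default route.
}

# Reverse of vpn_route_for, for a clean teardown on the same host.
vpn_route_remove() {
    dest="$1"; gw="$2"; dev="$3"
    table=100; mark=0x1
    run ip rule del fwmark "$mark" lookup "$table"
    run ip route del default via "$gw" dev "$dev" table "$table"
    run iptables -t mangle -D PREROUTING -d "$dest" -j MARK --set-mark "$mark"
    run iptables -t mangle -D OUTPUT -d "$dest" -j MARK --set-mark "$mark"
}

# Example invocation with the assumed values; drop DRY_RUN to apply as root.
DRY_RUN=1 vpn_route_for 203.0.113.10 10.8.0.1 tun0
```

Verify afterwards with `ip rule show` and `ip route show table 100`, and compare the result of a "what is my IP" check for the marked destination against one for any other site.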