Finally, to my problematic I found a solution inspired from:
https://lartc.org/howto/lartc.rpdb.multiple-links.html .
Here is how to proceed.
To configure the routing of the server so that it is attainable behind a VPN client, a separate routing table ought to be used to avoid an overlap of routing configurations of the two interfaces.
Let <interface>
, <table>
, <ip>
, <gateway>
and <network>
be the interface name, the table, the IP address of <interface>
, the gateway's IP address, and the IP address of the network (that provided by the ISP), respectively.
The procedure to follow is:
Creation of the specific routing table of <interface>
: creating the new table <table>
in /etc/iproute2/rt_tables
.
Setting a different routing configuration for the interface associated to <gateway>
by means of a specific table.
The traffic towards <network>
is associated to the interface <interface>
and follows the specific routing table <table>
:
ip route add <network> dev <interface> src <ip> table <table>
Building a default route via this gateway:
ip route add default via <gateway> table <table>
On <interface>
, forcing the traffic from <ip>
passing through <network>
, to use the interface <interface>
:
ip route add <network> dev <interface> src <ip>
The src
argument is specified to make sure the right outgoing IP address is chosen.
Associating the interface to the appropriate <network>
:
ip rule add from <ip> table
Key idea:
The key idea to understand, concerning why to use this technique here, is that for any request passing through the ISP node, here <network>
, the latter will be an intermediate node of the response's route. This seems obvious, but forgetting it leads to not understand why <network>
does matter in the routing configuration of the interface normally used to communicate with the server from outside.
Optional:
Setting the routes for all destinations to pass through <gateway>
instead of through the VPN's gateway. Useful when it is needed to use the VPN only on a case-by-case basis.
Let <vpn>
, and <vpn's gateway>
be the interface name of the VPN (generally tun0
), and the IP address of the VPN's gateway, respectively. Then, the routes for any destinations passing through the VPN, more accurately its gateway <vpn's gateway>
, have to be replaced by routes passing through <gateway>
:
ip route del 0.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 0.0.0.0/1 via <gateway> dev <interface>
ip route del 128.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 128.0.0.0/1 via <gateway> dev <interface>
0.0.0.0/1
stands for IP addresses ranging from 0.0.0.1
to 127.255.255.255
, and 128.0.0.0/1
from 128.0.0.1
to 255.255.254
.
Voilà.