How to route VPN traffic through a different interface in Linux

2

I have a Debian 9 LXC container with two NICs (eth0 and eth1) in a LAN, hosting a web server listening on eth0. I would like to connect the container to a VPN to retrieve files from some internet websites and serve them through the web server to LAN users. When I connect the container to a VPN I cannot access the web server from the LAN anymore.

I am using openvpn on this server with this config file:

setenv USERNAME "myemail@myemailserver"
client
dev tun
remote us-wa-sea-001.privatetunnel.com 443 tcp
remote-cert-tls server
http-proxy 10.20.0.21 3128 user.txt basic
http-proxy-retry
comp-lzo no
auth SHA1
nobind
verb 3
sndbuf 0
rcvbuf 0
socket-flags TCP_NODELAY

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

...certificates...

This is the output of ip route show before connecting to the VPN:

default via 10.20.0.1 dev eth0 onlink 
10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.113 
10.20.0.0/24 dev eth1 proto kernel scope link src 10.20.0.114

And this is the output of ip route show after connecting to the VPN:

0.0.0.0/1 via 10.9.0.1 dev tun0
default via 10.20.0.1 dev eth0 onlink
10.9.0.0/16 dev tun0 proto kernel scope link src 10.9.231.216
10.9.0.0/16 dev tun1 proto kernel scope link src 10.9.230.198
10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.113
10.20.0.0/24 dev eth1 proto kernel scope link src 10.20.0.114
10.20.0.21 dev eth0 scope link
128.0.0.0/1 via 10.9.0.1 dev tun0

I have googled about this and found several articles on static routing, but somehow I still can't make it work:

Any idea?

greenLED

Posted 2017-09-28T21:18:18.003

Reputation: 21
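The following is an added example, not part of the original question or of any answer on this page. It parses the two `ip route show` listings posted above and resolves, by longest prefix match, which interface and gateway a packet to a given destination would leave through. That makes the effect of the VPN-pushed `0.0.0.0/1` and `128.0.0.0/1` routes visible: together they cover every address and, being more specific than `default`, they pull all non-LAN traffic into tun0 while the `10.20.0.0/24` link routes still win for LAN destinations. The policy-routing part at the end (a source-based rule sending packets from the web server's eth0 address to a separate table) is an assumed setup used purely for illustration; the question does not configure it, and the table number and rule are made up here.

```python
"""Route resolver over the `ip route show` output quoted in the question.

Added example (not the poster's code). Destinations passed to egress() and
the policy-routing rule/table at the bottom are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Routing tables copied verbatim from the question.
BEFORE_VPN = """\
default via 10.20.0.1 dev eth0 onlink
10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.113
10.20.0.0/24 dev eth1 proto kernel scope link src 10.20.0.114
"""

AFTER_VPN = """\
0.0.0.0/1 via 10.9.0.1 dev tun0
default via 10.20.0.1 dev eth0 onlink
10.9.0.0/16 dev tun0 proto kernel scope link src 10.9.231.216
10.9.0.0/16 dev tun1 proto kernel scope link src 10.9.230.198
10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.113
10.20.0.0/24 dev eth1 proto kernel scope link src 10.20.0.114
10.20.0.21 dev eth0 scope link
128.0.0.0/1 via 10.9.0.1 dev tun0
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # gateway address, None for directly connected routes


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show` lines into Route objects (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. On equal prefix length the first listed route is
    kept, which (with no metrics set) is the order the kernel printed them in."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(routes: List[Route], dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (device, gateway) a packet to dst would use, or None if unroutable."""
    r = lookup(routes, dst)
    return None if r is None else (r.dev, r.via)


# Assumed (not from the question) policy-routing setup: a rule that sends packets
# sourced from the web server's eth0 address to table 100, which holds only the
# LAN default route, so the server's replies never enter the tunnel. Rules are
# tried in order; a rule whose table has no matching route falls through.
ASSUMED_RULES = [("10.20.0.113/32", "100"), ("0.0.0.0/0", "main")]
ASSUMED_TABLES: Dict[str, List[Route]] = {
    "100": parse_routes("default via 10.20.0.1 dev eth0 onlink\n"),
    "main": parse_routes(AFTER_VPN),
}


def policy_egress(rules, tables, src: str, dst: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (table, device, gateway) for a packet from src to dst under `ip rule` semantics."""
    s = ipaddress.ip_address(src)
    for src_prefix, table in rules:
        if s in ipaddress.ip_network(src_prefix):
            r = lookup(tables[table], dst)
            if r is not None:
                return table, r.dev, r.via
    return None


if __name__ == "__main__":
    before, after = parse_routes(BEFORE_VPN), parse_routes(AFTER_VPN)
    for dst in ("8.8.8.8", "192.168.1.5", "10.20.0.50", "10.20.0.21", "10.9.5.5"):
        print(f"{dst:>12}: before={egress(before, dst)} after={egress(after, dst)}")
    for src in ("10.20.0.113", "10.20.0.114"):
        print(f"from {src} to 172.16.0.9 with rule: {policy_egress(ASSUMED_RULES, ASSUMED_TABLES, src, '172.16.0.9')}")
```

Running it shows that after the VPN comes up every destination outside `10.20.0.0/24` and `10.9.0.0/16` resolves to tun0 even though `default via 10.20.0.1 dev eth0` is still present, which is the behaviour xenoid's comment warns about; only LAN hosts on the same /24 (and the proxy host route `10.20.0.21`) still leave via eth0. The constructed rule at the end illustrates what enforcing your own route for the web server's source address would look like in the kernel's rule database.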

What says 'ip route show' when the VPN is active? Normally you want to avoid a default route to tun0 (or whatever interface the VPN defines). If you use the VPN through the NetworkManager, there are options to ignore the routing set up by the VPN and enforce yours. – xenoid – 2017-09-28T21:47:17.133

Use a different network namespace for those processes that use the VPN. – dirkt – 2017-09-29T06:51:20.180

@xenoid I updated the question with 'ip route show' output before and after connecting. I am not using NetworkManager, AFAIK, just 'openvpn --config configfile.ovpn'. It's a headless server. – greenLED – 2017-09-29T13:01:36.773

Might be worth posting the contents of configfile.ovpn then. – xenoid – 2017-09-29T13:21:37.687

@xenoid I added the content of configfile.ovpn to the question and more details about the server setup. – greenLED – 2017-09-29T13:38:13.223

No specialist here. I however notice that if I configure a dummy OpenVPN connection in the Network UI the resulting config file can have lines: ignore-auto-dns=true and ignore-auto-routes=true (the UI also lets me add routes manually), so you can try to create one with a UI-capable Linux, check that it indeed works on your VPN and see what it passes to the openvpn process. – xenoid – 2017-09-29T14:18:24.250

@xenoid good idea! Will give it a shot and share results later. Thanks – greenLED – 2017-09-29T14:55:39.957

No answers