Prohibit non-LAN traffic from VPN interface


We have a machine running an OpenVPN client for the sole purpose of being able to SSH to the client while it is connected to a remote network. The VPN is working mostly correctly, but it is routing all traffic through the VPN. To not overload our router with traffic during large file uploads to S3, etc., we would like to route traffic through the VPN only if it's to an address that's on the VPN's network.

Current output of route and ifconfig:

user@host0:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.10.1    0.0.0.0         UG    50     0        0 tap0
default         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth1
192.168.1.0     *               255.255.255.0   U     100    0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.10.0    *               255.255.255.0   U     50     0        0 tap0
user@host0:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:4b:a7:fa:e5  
          inet addr:192.168.1.223  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::7a45:f5b1:1b87:c6f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:166634 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:37358476 (37.3 MB)  TX bytes:985891 (985.8 KB)
          Interrupt:42 

eth1      Link encap:Ethernet  HWaddr 00:0c:8b:90:06:7c  
          inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:8bff:fe90:67c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:4000  Metric:1
          RX packets:34645 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10462790 (10.4 MB)  TX bytes:13440 (13.4 KB)
          Interrupt:132 Memory:50100000-50120000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4953 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4953 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:463022 (463.0 KB)  TX bytes:463022 (463.0 KB)

tap0      Link encap:Ethernet  HWaddr c6:81:e7:8b:58:00  
          inet addr:192.168.10.2  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::c481:e7ff:fe8b:5800/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10199 errors:0 dropped:0 overruns:0 frame:0
          TX packets:409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:1983982 (1.9 MB)  TX bytes:55419 (55.4 KB)

What would be the appropriate ip route or iptables rule to skip the tap0 interface unless the traffic is to another address on the VPN's subnet?

crypticsymbols

Posted 2018-06-28T16:27:18.463

Reputation: 21

No answers
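The question has no posted answer. As an added example, not part of the original question and not an answer from the site, the script below works from the `route` table shown above (embedded as sample data so it runs offline). It reports whether the VPN interface currently wins for traffic outside its own subnet, which in the pasted table it does: the `default` route via 192.168.10.1 on tap0 has metric 50, lower and therefore preferred over eth0's default at metric 100, and prints (rather than runs) the `ip route` commands that would confine tap0 to 192.168.10.0/24. It also checks for the `0.0.0.0/1` and `128.0.0.0/1` half-routes that OpenVPN's `redirect-gateway def1` installs, since those beat any `/0` regardless of metric. The interface names tap0 and eth0, the 8.8.8.8 probe address and the `--live` flag are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original question): decide from a `route`
# table whether a VPN interface captures Internet-bound traffic, and print
# the commands that would confine it to its own subnet.
#
# Sample data: the `route` output pasted in the question, embedded here so
# the script runs offline. tap0/eth0 and 8.8.8.8 are assumed names/values.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.10.1    0.0.0.0         UG    50     0        0 tap0
default         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth1
192.168.1.0     *               255.255.255.0   U     100    0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.10.0    *               255.255.255.0   U     50     0        0 tap0'

# Field $3 of the first /0 default route on interface $1 in table $2.
# `route` prints "default", `route -n` prints "0.0.0.0"; accept both, and
# require Genmask 0.0.0.0 so a def1 half-route is not mistaken for it.
_default_field() { # $1 iface, $2 table, $3 awk field number
  printf '%s\n' "$2" |
    awk -v ifc="$1" -v f="$3" \
      '($1=="default" || $1=="0.0.0.0") && $3=="0.0.0.0" && $NF==ifc { print $f; exit }'
}
default_gateway() { _default_field "$1" "$2" 2; }
default_metric()  { _default_field "$1" "$2" 5; }

# OpenVPN's "redirect-gateway def1" does not replace the default route; it
# adds 0.0.0.0/1 and 128.0.0.0/1 (Genmask 128.0.0.0), which are more
# specific than any /0 and so win whatever the metrics say.
def1_routes() { # $1 iface, $2 table
  printf '%s\n' "$2" |
    awk -v ifc="$1" '$3=="128.0.0.0" && $NF==ifc { print $1 }'
}

# True when $1 (VPN iface) wins over $2 (LAN iface) for addresses outside
# the VPN subnet: def1 half-routes exist, or the VPN default route has a
# lower (more preferred) metric than the LAN one.
vpn_captures_default() { # $1 vpn iface, $2 lan iface, $3 table
  [ -z "$(def1_routes "$1" "$3")" ] || return 0
  v=$(default_metric "$1" "$3"); l=$(default_metric "$2" "$3")
  [ -n "$v" ] || return 1      # VPN has no default route: nothing to fix
  [ -z "$l" ] && return 0      # only the VPN has one: it wins outright
  [ "$v" -lt "$l" ]
}

# Print (do not run) the one-off fix: delete the VPN default route(s).
# The connected route 192.168.10.0/24 comes from the interface address and
# is left alone, so VPN-subnet traffic still goes out tap0.
remediation_commands() { # $1 vpn iface, $2 table
  gw=$(default_gateway "$1" "$2")
  for half in $(def1_routes "$1" "$2"); do
    printf 'sudo ip route del %s/1 dev %s\n' "$half" "$1"
  done
  [ -z "$gw" ] || printf 'sudo ip route del default via %s dev %s\n' "$gw" "$1"
  printf 'ip route get 8.8.8.8   # verify: the path should now be dev eth0\n'
}

# Persistent alternative, so the route is never installed in the first
# place. In the client .ovpn/.conf (OpenVPN 2.x directives):
#   pull-filter ignore "redirect-gateway"   # 2.4+: drop only that pushed option
# or, stricter:
#   route-nopull                            # ignore every pushed route
#   route 192.168.10.0 255.255.255.0        # then add the VPN subnet yourself
# With a tap interface the /24 already exists as the connected route of the
# interface address, so the explicit `route` line only matters when the
# remote side has further subnets that must stay reachable.

if [ "${1:-}" = "--live" ]; then          # inspect the running system
  TABLE=$(route -n)
else                                      # default: analyse the sample
  TABLE=$SAMPLE_ROUTE
fi
if vpn_captures_default tap0 eth0 "$TABLE"; then
  echo "tap0 captures non-VPN traffic; suggested fix:"
  remediation_commands tap0 "$TABLE"
else
  echo "tap0 only carries its own subnet; nothing to do"
fi
```

Run it with no arguments to analyse the pasted table, or with `--live` on the affected host to read `route -n`. Deleting the route by hand fixes the current session only; the next reconnect will push it again, which is why the config-side directives in the comments are the durable fix. A metric change alone (leaving the tap0 default in place with a higher metric) would also work for the plain `default` case but not for `def1` half-routes, which is why the script distinguishes the two.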