How to elegantly selectively exclude FreeBSD network traffic from OpenVPN interface by port


Inexperienced sysadmin here.

I'm planning on running a net daemon inside a FreeBSD jail through OpenVPN, but want to be able to SSH directly into the jail and use the daemon's web interface without going through the VPN. As I understand it, an OpenVPN tunnel is normally set up as a default virtual internet interface, and so incoming traffic will go out on the OpenVPN interface by default (which is problematic, as this incurs latency).

I thought "well, obviously, since all of this traffic is leaving on a handful of ports, I'll just redirect those to the non-VPN gateway." I've tried to look for solutions, but almost all of them involve iptables instead of ipfw (which is default for FreeBSD) and solve slightly different problems. And alternate solutions like using multiple default routes to ensure that incoming traffic on any interface is always sent out on the same interface seem far-reaching and require deep knowledge of all tools involved.

Is there an elegant way of ensuring that traffic leaving on specific ports exits on a specified non-default interface using ipfw?

Polygonica

Posted 2014-08-23T09:34:16.970

Reputation: 13

Answers

Unless something like Multipath TCP is used, TCP connections won’t ever change their interface. If traffic arrives from remote host A at interface Y, answers will (generally) leave through interface Y, even if the best matching route (to host A) might lead elsewhere. Provided, of course, that interface Y has a route leading to host A.

OpenVPN in its most-used redirect-gateway def1 configuration does not overwrite routes. Instead, it leverages how route matching is done: The most specific matching route is selected. Generally, you’d have a 0.0.0.0/0 route (aka default route) pointing at your internet gateway (or whatever). This route matches everything. More specific routes are usually present too, leading to your local network(s). OpenVPN creates two new routes: 0.0.0.0/1 and 128.0.0.0/1. Again, these routes match everything, but are selected over your previous default route, because they are more specific. Bottom line: Interface Y can still reach “everything”.

Generally, a VPN connection does not hinder incoming traffic on other interfaces. As such, it should work without additional setup.

Daniel B

Posted 2014-08-23T09:34:16.970

Reputation: 40 502
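The route-selection behaviour the answer describes (redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1 rather than replacing the default route, and the most specific matching prefix wins) can be checked with a small longest-prefix-match simulation. The following is an added example written for this page; it is not code from the post, from OpenVPN or from FreeBSD. The routing table, interface names (em0, tun0), gateway addresses and the VPN server address are constructed assumptions for illustration only.

```python
import ipaddress

# Constructed routing table before the VPN comes up (all values are assumptions):
# (prefix, outgoing interface, next hop or None if directly connected)
ROUTES_BEFORE_VPN = [
    ("0.0.0.0/0",       "em0", "203.0.113.1"),  # default route via the ISP gateway
    ("192.168.1.0/24",  "em0", None),           # directly connected LAN
    ("198.51.100.5/32", "em0", "203.0.113.1"),  # host route OpenVPN keeps for the VPN server itself
]

# The two routes redirect-gateway def1 adds through the tunnel (assumed tun0 / 10.8.0.1).
OPENVPN_DEF1_ROUTES = [
    ("0.0.0.0/1",   "tun0", "10.8.0.1"),
    ("128.0.0.0/1", "tun0", "10.8.0.1"),
]


def with_vpn_routes(table):
    """Return the table as it looks after OpenVPN adds its /1 routes.

    Nothing is removed: the original 0.0.0.0/0 route is still present.
    """
    return list(table) + list(OPENVPN_DEF1_ROUTES)


def lookup(table, dst):
    """Longest-prefix match: of all routes containing dst, pick the most specific.

    Returns (prefix, interface, next_hop) or None if no route matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (str(best[0]), best[1], best[2])


def has_route(table, prefix):
    """True if the exact prefix is still in the table (checks 'def1 does not overwrite')."""
    return any(ipaddress.ip_network(p) == ipaddress.ip_network(prefix) for p, _, _ in table)


if __name__ == "__main__":
    after = with_vpn_routes(ROUTES_BEFORE_VPN)
    for dst in ("8.8.8.8", "200.1.2.3", "192.168.1.20", "198.51.100.5"):
        print(f"{dst:>14} before VPN -> {lookup(ROUTES_BEFORE_VPN, dst)}")
        print(f"{dst:>14} after  VPN -> {lookup(after, dst)}")
    print("0.0.0.0/0 still present after VPN:", has_route(after, "0.0.0.0/0"))
```

Running it shows that 8.8.8.8 and 200.1.2.3 move from em0 to tun0 once the /1 routes exist (each half of the address space is now covered by a /1 that beats the /0), while the LAN /24 and the /32 host route to the VPN server are more specific than either /1 and keep leaving via em0. The default route is never deleted, which is the point the answer makes about why the original interface can still reach everything.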

Thanks! I'm curious, though (although I'll take what you say at face value): is there any documentation I can read that would tell me that TCP connections are bound to interfaces? I did some light Googling of relevant documentation but I'm still not sure how I could have predicted that myself. – Polygonica – 2014-08-23T10:03:17.523

It’s by definition: A TCP endpoint is defined by IP address and TCP port. TCP endpoints in a connection are fixed, as a connection is defined by two endpoints. In all but special configurations, every IP interface on a machine has a unique IP address. So unless making a new connection, everything is fixed. – Daniel B – 2014-08-23T10:31:48.880