I have a VPN connection (implemented via OpenVPN) but am trying to route traffic to certain IPs / domains around it, so they just use my naked internet connection. From my research it looks like the best way to do this is with routing tables. None of the examples I've found have worked so I'd like to actually understand what's going on to troubleshoot more effectively.
When I run "route" with the VPN off, it looks pretty sensible:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 1 0 0 eth1
I suspect the first line sets default behaviour - we route via the gateway. If the destination is anywhere on the 192.168.1.* range / my internal network, the second line asserts a gateway of * (I guess this means use the default from the line above - but if I had a network spanning multiple octets, I could use this to channel certain blocks to certain gateways).
My expectation was that when I turn the VPN on, this would stay more or less the same but my gateway for "default" would shift to some wizardly VPN IP.
If this understanding is correct, I just need to add the IP I want to bypass the VPN as the destination, my actual router (192.168.1.1) as the gateway and things will work well (if the syntax for this is simple I'd love to see it).
Once I turn the VPN on, however, things get messy and I start to question my knowledge:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.172.1.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
10.172.1.1 10.172.1.5 255.255.255.255 UGH 0 0 0 tun0
10.172.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.172.1.5 128.0.0.0 UG 0 0 0 tun0
168.1.6.15 192.168.1.1 255.255.255.255 UGH 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1
What is going on here? Can someone explain what these additional lines are and why they appear / disappear as I toggle the vpn?
Thanks for any suggestions! I have encountered a few "what is a routing table" articles but I think they're written for people much smarter than me - I'm still very new to Linux and would love some idiot proof advice :)
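An added worked example, not part of the original question or of any answer on this page: a small Python simulator that loads the two `route` listings above and applies the kernel's longest-prefix-match rule, so you can see which row each destination hits with the VPN off, with it on, and after a /32 "bypass" host route has been added. The two tables are transcribed from the question; the destination 203.0.113.10 (a documentation-range address) and the function names are constructed for illustration, and metrics are ignored because every row in the question has the same one.

```python
import ipaddress

# Routing tables transcribed from the two "route" listings in the question.
# Each row is (destination, genmask, gateway, iface). A gateway of "0.0.0.0"
# (which "route" prints as "*") means the destination is directly reachable
# on that interface, with no next hop.
VPN_OFF = [
    ("0.0.0.0",     "0.0.0.0",         "192.168.1.1", "eth1"),
    ("192.168.1.0", "255.255.255.0",   "0.0.0.0",     "eth1"),
]

VPN_ON = [
    ("0.0.0.0",     "128.0.0.0",       "10.172.1.5",  "tun0"),  # 0.0.0.0/1
    ("0.0.0.0",     "0.0.0.0",         "192.168.1.1", "eth1"),  # 0.0.0.0/0
    ("10.172.1.1",  "255.255.255.255", "10.172.1.5",  "tun0"),
    ("10.172.1.5",  "255.255.255.255", "0.0.0.0",     "tun0"),
    ("128.0.0.0",   "128.0.0.0",       "10.172.1.5",  "tun0"),  # 128.0.0.0/1
    ("168.1.6.15",  "255.255.255.255", "192.168.1.1", "eth1"),
    ("192.168.1.0", "255.255.255.0",   "0.0.0.0",     "eth1"),
]

NO_GATEWAY = ("0.0.0.0", "*")


def parse(table):
    """Convert route-style rows into (network, gateway-or-None, iface)."""
    routes = []
    for dst, mask, gw, iface in table:
        # ipaddress accepts a dotted netmask after the slash, e.g. 0.0.0.0/128.0.0.0
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        gateway = None if gw in NO_GATEWAY else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: of all routes whose network contains ip, the one
    with the longest genmask wins; the /0 default is only the fallback.
    (Metrics are ignored here; the kernel uses them to break ties.)"""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def resolve(table, ip):
    """Decide how a packet to ip leaves the box: (iface, gateway, matched row).
    If the chosen route names a gateway, that gateway is looked up too; it must
    sit on a directly connected network (a row with no gateway) on the same
    interface, otherwise the route cannot be used."""
    routes = parse(table)
    match = lookup(routes, ip)
    if match is None:
        return None
    net, gw, iface = match
    if gw is None:
        return (iface, None, str(net))
    hop = lookup(routes, str(gw))
    if hop is None or hop[1] is not None or hop[2] != iface:
        raise ValueError(f"gateway {gw} for {net} is not directly reachable on {iface}")
    return (iface, str(gw), str(net))


def add_bypass(table, ip, gateway, iface):
    """Return a copy of table with a /32 host route pinning one destination to
    the given gateway. The Linux command that installs the same row is
        ip route add <ip>/32 via <gateway> dev <iface>
    (needs root). A /32 is the longest possible prefix, so it beats the two
    /1 rows the VPN installed without touching them."""
    return table + [(ip, "255.255.255.255", gateway, iface)]


if __name__ == "__main__":
    bypassed = add_bypass(VPN_ON, "203.0.113.10", "192.168.1.1", "eth1")
    for label, table in (("VPN off", VPN_OFF), ("VPN on", VPN_ON), ("VPN on + bypass", bypassed)):
        print(f"== {label}")
        for dst in ("8.8.8.8", "203.0.113.10", "192.168.1.50", "168.1.6.15"):
            print(f"  {dst:14} -> {resolve(table, dst)}")
```

Running it shows the pattern behind the "messy" table: with the VPN on, 8.8.8.8 matches the 0.0.0.0/1 row and 203.0.113.10 the 128.0.0.0/1 row, and both are handed to 10.172.1.5 on tun0, whose own /32 row says it is directly connected. Together those two /1 rows cover every address, so they win over the untouched /0 default by prefix length alone; this is exactly what OpenVPN's redirect-gateway def1 option installs so the original default route never has to be deleted. The /32 row for 168.1.6.15 via 192.168.1.1 keeps the VPN server itself reachable through the real router, since the encrypted tunnel packets must not be routed back into the tunnel, and 192.168.1.50 still matches the /24 row for the LAN. After add_bypass the constructed destination takes the new /32 row out of eth1 instead of tun0, which is the route the question asks how to add.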
What an answer! This is brilliant, thank you so much. Let me digest and hopefully this will get me the rest of the way without any clarifying questions... watch this space. – penitent_tangent – 2015-10-19T21:43:42.473
Thanks! But with the remote LAN rule, how would I contact another machine, say 10.172.1.123 ? Will it still have to use 168.1.6.15 ? If not, how do I go outside ? – trogne – 2017-09-13T15:58:52.547
@trogne Sorry to be a stickler for the rules, but the site requests that you ask a new question in a new post. If you do, I will be happy to answer your question! – MariusMatutiae – 2017-09-13T16:26:17.477
@MariusMatutiae Great, I've posted a new question (#1250118) – trogne – 2017-09-13T21:06:37.540
I don't follow the routing sequence in your 8.8.8.8 example. I agree Rule #1 applies first, which leaves us needing a route to 10.172.1.15. But I would think that Rule #4 applies here (destination address matches exactly), and with a gateway of 0.0.0.0, the packet just gets sent through tun0, end of story. I really don't get how Rule #3 and Rule #6 get triggered. Rule #3 has the ...15 address as the Gateway — why would that match? And if it did match, why would we then start looking at ...1 (the Destination address in the rule). It's as though source/destination got swapped? – jwd – 2018-11-26T03:28:48.407