How can I configure openvpn to proxy traffic only for processes that bind to the tun interface?


Solution 1

route-nopull

http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html

When used with --client or --pull, accept options pushed by server EXCEPT for routes. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

So add route-nopull to your OpenVPN config file. I wrote a post on how to use an OpenVPN VPN with cURL/PHP.

Solution 2

You can achieve it by using a different routing table for packets coming from your tun0 interface.

# ip route add $VPN_NETWORK dev tun0
# ip route add default via $VPN_GATEWAY_IP table 1
# ip rule add iif tun0 table 1

The first route goes into the default table (table 254), the second goes into table 2, and the third line binds packets from the tun0 interface to the second routing table. You can give this table a name in /etc/iproute2/rt_tables:

# echo '1 vpn' >> /etc/iproute2/rt_tables

If your VPN Gateway is 10.8.0.1/16, you will have to type:

# ip route add 10.8.0.0/16 dev tun0
# ip route add default via 10.8.0.1 table vpn
# ip rule add iif tun0 table vpn

This is called Policy Routing, and you must have CONFIG_IP_MULTIPLE_TABLES enabled in your kernel configuration for this to work.
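Solution 2 generalized for any tunnel gateway/prefix, as an added example that is not part of either answer: it derives the network from the gateway address, registers the table name only once, checks that the kernel has policy routing, and adds an `oif` rule so that sockets bound to the interface (the `curl --interface tun0` case in the question) also consult the vpn table. The function names and the DRY_RUN variable are invented here; it assumes Linux with iproute2 and root for the apply step.

```sh
#!/bin/sh
# Added example (not from the answers above). Function names and DRY_RUN are
# invented here; assumes Linux, iproute2, and root for apply_policy_routing.

# Derive the network from "gateway/prefix": 10.8.0.1/16 -> 10.8.0.0/16.
cidr_network() {
    gw=${1%/*}; plen=${1#*/}
    oldifs=$IFS; IFS=.; set -- $gw; IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (1 << 32) - (1 << (32 - plen)) ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Print, one per line, the commands from Solution 2 plus an `oif` rule, so that
# sockets bound to the interface (curl --interface tun0) also use the vpn table.
policy_routing_cmds() {
    gw_cidr=$1; ifc=${2:-tun0}; table=${3:-vpn}
    gw=${gw_cidr%/*}
    net=$(cidr_network "$gw_cidr") || return 1
    # `replace` rather than `add`: OpenVPN normally installs the on-link route itself.
    echo "ip route replace $net dev $ifc"
    echo "ip route replace default via $gw table $table"
    echo "ip rule add iif $ifc table $table"
    echo "ip rule add oif $ifc table $table"
}

# With DRY_RUN=1 only print the command, for review before touching the routing tables.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Check that the kernel has policy routing, register the table name only once
# (a plain '>>' appends a duplicate on every run), then execute the commands.
apply_policy_routing() {
    table=${3:-vpn}
    ip rule show >/dev/null 2>&1 || { echo "kernel lacks policy routing" >&2; return 1; }
    grep -qs "[[:space:]]$table\$" /etc/iproute2/rt_tables \
        || run sh -c "echo '1 $table' >> /etc/iproute2/rt_tables"
    policy_routing_cmds "$@" | while read -r cmd; do
        run $cmd || return 1
    done
}
```

Run `DRY_RUN=1 apply_policy_routing 10.8.0.1/16 tun0 vpn` first to see exactly what would be changed; the rules accumulate on repeated runs, so remove them with `ip rule del` before re-applying.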

Author: bobpoekert

Updated on September 18, 2022

Comments

  • bobpoekert, almost 2 years ago

    I'm trying to configure openvpn so that only traffic from certain processes goes over the vpn, but those processes could connect to anywhere.

    I'm trying to do that by having openvpn not do any route configuration (--route-noexec) and having applications explicitly connect to the tun interface (e.g. curl --interface tun0 'http://www.ipchicken.com'), but connect() seems to time out.

    Is there some other step that I have to do in order to make the tun interface happy?

  • gertvdijk, about 9 years ago
    This does not explain how to route traffic over the tunnel on a process level. Your post just explains how not to pull certain settings from the server (routes in this case) and does not interfere with routes set for specific processes on the host.