Only routing certain traffic through VPN

networking routing vpn openvpn route
10,722

First of all: you won't be able to route traffic to 127.x.y.z anywhere other than the local machine (ok, it might even be possible, but you'd certainly break something else in the process...) so I'd recommend updating the apache config to also listen at the VPN IP (e.g. 10.8.0.1). If that's not an option, you could try one of the options at the end of my answer.

OpenVPN clients should already get a route to the server, in my example something like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        10.8.0.53       255.255.255.255 UGH   0      0        0 tun0
10.8.0.53       0.0.0.0         255.255.255.255 UH    0      0        0 tun0

If you want additional routes pushed to the clients, use:

push "route 192.168.10.0 255.255.255.0"

(change the IP/netmask accordingly).

If you want your apache instance to be accessible by hostname (and not just at http://10.8.0.1/), put this in every client's /etc/hosts file

10.8.0.1    servername.domain.example

or set up a DNS server (like dnsmasq <- make sure you disable the dhcp server) and push it to the clients (in your ovpn-conf):

push "dhcp-option DNS 10.8.0.1"

That should do the trick.

Other options

If you're unable to change the IPs apache's listening at, the following approaches come to my mind (but only use them as last resort):

  • SSH port forwarding: Instead of using OpenVPN (or any other VPN server), connect to your server using SSH:

    ssh -L1234:localhost:80 user@servername

    That way the apache instance on the server (listening only at 127.0.0.1:80) will be available at your client at http://localhost:1234/. You'd have to do this on every client, therefore it's probably not suitable if you've got many of them.
    But even then you could set up a dedicated ssh user without shell access and a public key for each client in ~/.ssh/authorized_keys. Keep in mind that the clients may be able to use this as a proxy to the internet or do some other stuff you might not want them to. So it's important to configure sshd correctly.

  • some iptables magic (you'd have to NAT the traffic)
  • some other user space port forwarding or a reverse proxy
Share:
10,722

Related videos on Youtube

n0pe
Author by

n0pe

Updated on September 18, 2022

Comments

  • n0pe
    n0pe over 1 year

    I have a central development server, running a VPN server, and a couple clients that need to connect to it. The server is running Apache, but is only accepting local requests (only listening on 127.0.0.1:80).

    I basically need to force each client connected to the VPN to route traffic to a certain hostname through the VPN and to the local Apache instance.

    For example:

    Client requests google.com -> google.com
Client requests server -> vpn -> server:80

    I know I can push route commands to clients when they connect to the VPN, now I just need to figure out what route to push to make that happen. At least, what is the route syntax/command for the client to add this route themselves?

    • peterph
      peterph about 11 years
      For example something like ip route server/mask via openvpn_server could do. If you wanted to redirect only traffic for specific ports (the :80 in your question), you'd have to play with the packet filtering.
    • n0pe
      n0pe about 11 years
      @peterph: Is that an actual command or just pseudocode? I'm on a mac (one of my clients) and which ip doesn't return anything. I double checked with ubuntu and it seems ip is a linux-only tool. Would there be an equivalent command using the route tool so I can use it on osx?
    • peterph
      peterph about 11 years
      The route has a very similar syntax - something like route add -net server/mask gw openvpn_server. You might need to omit the gw string. See man route for in depth documentation.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

OpenVPN connecting but no internet access on Ubuntu 16.04 / 18.04 / 20.04
Split tunnel routing a specific port over OpenVPN on Ubuntu Server 12.04
openvpn - How to set client to use local gateway? aka use connection for resources on its network only
OpenVPN without NAT
Yet another routing issue in OpenVPN - Cannot access local machines while on VPN
Peering two sites in a VPN: DIY mode with twin Raspberry Pi
Access Client side LAN on VPN server
Setting up bridged OpenVPN server with single public IP NIC
Routing a particular subnet into a VPN tunnel
Why i can't access computers in LAN behind OpenVPN server?