Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: 2 default route with VPN

  1. #1
    Join Date
    Oct 2011
    Beans
    47

    2 default route with VPN

    I have a VPN that I would like all traffic to go through except for a few specific ports such as ssh and webmin.

    i have tried to get it working a few times without success.
    here is what i have:

    eth0 Link encap:Ethernet HWaddr 1c:6f:65:c8:94:df
    inet addr:192.168.X.10 Bcast:192.168.X.255 Mask:255.255.255.0
    inet6 addr: fe80::1e6f:65ff:fec8:94df/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:7309513 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8866769 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:4441696327 (4.4 GB) TX bytes:9823820555 (9.8 GB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:16472 errors:0 dropped:0 overruns:0 frame:0
    TX packets:16472 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2839546 (2.8 MB) TX bytes:2839546 (2.8 MB)

    ppp0 Link encapoint-to-Point Protocol
    inet addr:172.16.XX.XX P-t-P:172.16.XX.X Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1
    RX packets:206 errors:0 dropped:0 overruns:0 frame:0
    TX packets:335 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:54772 (54.7 KB) TX bytes:37466 (37.4 KB)

    route -n

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
    0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
    172.16.36.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    195.60.76.223 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0

  2. #2
    Join Date
    Oct 2011
    Beans
    47

    Re: 2 default route with VPN

    No-one has any input?

    I was thinking maybe i can do this through iptables, but i don't know enough about iptables to write something for it.

  3. #3
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: 2 default route with VPN

    You don't tell us the address of the remote PPTPD server, so I'll use 10.1.1.1 as its address. Presumably it has a public Internet address.

    The trick is to tell your computer to use the Internet to reach 10.1.1.1, but to send everything else over the tunnel. Something like this:

    Code:
    ip route add 10.1.1.1/32 via 192.168.0.1
    ip route del default
    ip route add default 172.16.36.1
    Now your computer will send the encrypted traffic to the external PPTP server, but use the tunnel for everything else.

    Adapting this to exclude certain protocols like SSH is tricky. You would probably need some iptables rules for that, since routing doesn't pay attention to ports.

    By the way, there's no need to obfuscate private addresses like 192.168.x.y. No one can reach them from the Internet anyway as they are not publicly routed.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  4. #4
    Join Date
    Oct 2011
    Beans
    47

    Re: 2 default route with VPN

    Quote Originally Posted by SeijiSensei View Post
    You don't tell us the address of the remote PPTPD server, so I'll use 10.1.1.1 as its address. Presumably it has a public Internet address.

    The trick is to tell your computer to use the Internet to reach 10.1.1.1, but to send everything else over the tunnel. Something like this:

    Code:
    ip route add 10.1.1.1/32 via 192.168.0.1
    ip route del default
    ip route add default 172.16.36.1
    Now your computer will send the encrypted traffic to the external PPTP server, but use the tunnel for everything else.

    Adapting this to exclude certain protocols like SSH is tricky. You would probably need some iptables rules for that, since routing doesn't pay attention to ports.

    By the way, there's no need to obfuscate private addresses like 192.168.x.y. No one can reach them from the Internet anyway as they are not publicly routed.
    I basically already have this working where everything leaving out to the internet uses the VPN, but then I lose access to ssh, and webmin, and my other stuff that I would like to keep access to from, it does not need to be over the VPN, just accessible from the internet.

    Is there a way through iptables to force use of an interface for certain protocols.?
    Last edited by Catalyph; December 11th, 2012 at 02:54 AM. Reason: spelling

  5. #5
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: 2 default route with VPN

    Quote Originally Posted by Catalyph View Post
    I basically already have this working where everything leaving out to the internet uses the VPN, but then I lose access to ssh, and webmin, and my other stuff that I would like to keep access to from, it does not need to be over the VPN, just accessible from the internet.

    Is there a way through iptables to force use of an interface for certain protocols.?
    I'm not sure I entirely understand the problem. Are you talking about inbound traffic to your machine over the Internet? From where would you be accessing sshd and webmin, some other machine over the Internet?

    I think you might be able to handle this with port forwarding rules on the router upstream from the Linux box. In iptables you can write a rule which redirects traffic arriving on a specific port to another IP address. I'm not sure that would help in your case, though.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  6. #6
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,699

    Re: 2 default route with VPN

    If you want to send different protocols in different directions, I think you need to set up different routing tables and mark packets as to which forwarding table they should use. Remember that you cannot allow traffic to the VPN end point to travel up the VPN itself so you will probably want a specific route to the VPN server over the internet, adn your default route to poimnt over the VPN. Something like this below shoud pick out SSH packets for special routing. (I've not trid it). Numbers 42 (the routing table number) and 99 (the firewall mark) are numbers I chose at random.

    Code:
    # Make a new routing table with a different default route
    ip route add default via 192.168.0.1 table 42
    
    # Mark packets that need special routing
    iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 99
    
    # Add a rule to use a differnt routing table for marked packets
    ip rule add fwmark 99 table 42

  7. #7
    Join Date
    Oct 2011
    Beans
    47

    Re: 2 default route with VPN

    Quote Originally Posted by The Cog View Post
    If you want to send different protocols in different directions, I think you need to set up different routing tables and mark packets as to which forwarding table they should use. Remember that you cannot allow traffic to the VPN end point to travel up the VPN itself so you will probably want a specific route to the VPN server over the internet, adn your default route to poimnt over the VPN. Something like this below shoud pick out SSH packets for special routing. (I've not trid it). Numbers 42 (the routing table number) and 99 (the firewall mark) are numbers I chose at random.

    Code:
    # Make a new routing table with a different default route
    ip route add default via 192.168.0.1 table 42
     
    # Mark packets that need special routing
    iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 99
     
    # Add a rule to use a differnt routing table for marked packets
    ip rule add fwmark 99 table 42

    I will try this when I get home. But i have a feeling that packet marking is not working. is there something I have to enable for it to work ? I think i tried this and it did not work properly or at all.
    I think it came down to a kernel config option that was not enabled or existing. (UBUNTU 12.10)
    MORE INFO:

    I have DynDNS to my router (Public none VPN IP Address)
    so when i ssh i use the Dynddns address which goes to my router, which in turn forwards the port 22 traffic to the Ubuntu Server.

    When i Start my VPN connection, I dont get the same address everytime.

    I want to be able to have my machine use a VPN for everything except port 22, so I can SSH into the box from the internet using my dyndns address.

    If the VPN is up, I cant because the default route is the VPN connection and the incoming traffic is not from the VPN, It comes in through the router and into Eth0 but then tries to go out the VPN interface.

    If I can make a rule that says
    Traffic coming in from eth0 or 192.168.0.X on port 22 then responding outbound traffic will also go out on that interface and gateway.
    Last edited by Catalyph; December 11th, 2012 at 06:03 PM. Reason: adding and spelling

  8. #8
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: 2 default route with VPN

    If the router masquerades the port-forwarded traffic with its own internal address, say 192.168.0.1, you might try simply adding a specific route to that host:
    Code:
    /sbin/ip route add 192.168.0.1/32 dev eth0
    That might be sufficient, but only empirical testing will tell.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  9. #9
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,699

    Re: 2 default route with VPN

    Hmm, I'm having difficulty finding good documentation on iptables and which filter tables can be used when. But I don't think output packets from the local PC actually pass through the PREROUTING table. I'll try to find out more.

  10. #10
    Join Date
    Oct 2011
    Beans
    47

    Re: 2 default route with VPN

    Quote Originally Posted by SeijiSensei View Post
    If the router masquerades the port-forwarded traffic with its own internal address, say 192.168.0.1, you might try simply adding a specific route to that host:
    Code:
    /sbin/ip route add 192.168.0.1/32 dev eth0
    That might be sufficient, but only empirical testing will tell.

    My home router (D-Link) has a virtual server setting that can pass Outside port to aa specific IP and Port on the internal Network.But i have it set to simply take any inbound (from internet) traffic with port 22 to forward directly to the Ubuntu Box on port 22. So just a basic port forward.

    Code:
    /sbin/ip route add 192.168.0.1/32 dev eth0
    So I guess this is saying add a route to host 192.168.0.1 via eth0? This is already working with the VPN

    When my VPN is up all internal network traffic work fine and ssh is working but only on the internal network, if i turn the VPN off , everything work on internal and on internet.
    Because the Default route changes on the Ubuntu machine when i turn on the VPN (Which I want)
    I only want to be able to specify some ports that can bypass the vpn

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •