Thread: 2 default route with VPN

  1. #1
    Join Date
    Oct 2011
    Beans
    47

    2 default route with VPN

    I have a VPN that I would like all traffic to go through except for a few specific ports such as ssh and webmin.

    I have tried to get it working a few times without success.
    Here is what I have:

    eth0 Link encap:Ethernet HWaddr 1c:6f:65:c8:94:df
    inet addr:192.168.X.10 Bcast:192.168.X.255 Mask:255.255.255.0
    inet6 addr: fe80::1e6f:65ff:fec8:94df/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:7309513 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8866769 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:4441696327 (4.4 GB) TX bytes:9823820555 (9.8 GB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:16472 errors:0 dropped:0 overruns:0 frame:0
    TX packets:16472 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2839546 (2.8 MB) TX bytes:2839546 (2.8 MB)

    ppp0 Link encap:Point-to-Point Protocol
    inet addr:172.16.XX.XX P-t-P:172.16.XX.X Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1
    RX packets:206 errors:0 dropped:0 overruns:0 frame:0
    TX packets:335 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:54772 (54.7 KB) TX bytes:37466 (37.4 KB)

    route -n

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
    0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
    172.16.36.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    195.60.76.223 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0

  2. #2
    Join Date
    Oct 2011
    Beans
    47

    Re: 2 default route with VPN

    No-one has any input?

    I was thinking maybe I can do this through iptables, but I don't know enough about iptables to write something for it.

  3. #3
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: 2 default route with VPN

    You don't tell us the address of the remote PPTPD server, so I'll use 10.1.1.1 as its address. Presumably it has a public Internet address.

    The trick is to tell your computer to use the Internet to reach 10.1.1.1, but to send everything else over the tunnel. Something like this:

    Code:
    ip route add 10.1.1.1/32 via 192.168.0.1
    ip route del default
    ip route add default via 172.16.36.1
    Now your computer will send the encrypted traffic to the external PPTP server, but use the tunnel for everything else.

    Adapting this to exclude certain protocols like SSH is tricky. You would probably need some iptables rules for that, since routing doesn't pay attention to ports.

    By the way, there's no need to obfuscate private addresses like 192.168.x.y. No one can reach them from the Internet anyway as they are not publicly routed.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  4. #4
    Join Date
    Oct 2011
    Beans
    47

    Re: 2 default route with VPN

    Quote Originally Posted by SeijiSensei View Post
    You don't tell us the address of the remote PPTPD server, so I'll use 10.1.1.1 as its address. Presumably it has a public Internet address.

    The trick is to tell your computer to use the Internet to reach 10.1.1.1, but to send everything else over the tunnel. Something like this:

    Code:
    ip route add 10.1.1.1/32 via 192.168.0.1
    ip route del default
    ip route add default via 172.16.36.1
    Now your computer will send the encrypted traffic to the external PPTP server, but use the tunnel for everything else.

    Adapting this to exclude certain protocols like SSH is tricky. You would probably need some iptables rules for that, since routing doesn't pay attention to ports.

    By the way, there's no need to obfuscate private addresses like 192.168.x.y. No one can reach them from the Internet anyway as they are not publicly routed.
    I basically already have this working where everything leaving out to the internet uses the VPN, but then I lose access to ssh, webmin, and my other stuff that I would like to keep access to. It does not need to be over the VPN, just accessible from the internet.

    Is there a way through iptables to force use of an interface for certain protocols?

  5. #5
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: 2 default route with VPN

    Quote Originally Posted by Catalyph View Post
    I basically already have this working where everything leaving out to the internet uses the VPN, but then I lose access to ssh, webmin, and my other stuff that I would like to keep access to. It does not need to be over the VPN, just accessible from the internet.

    Is there a way through iptables to force use of an interface for certain protocols?
    I'm not sure I entirely understand the problem. Are you talking about inbound traffic to your machine over the Internet? From where would you be accessing sshd and webmin, some other machine over the Internet?

    I think you might be able to handle this with port forwarding rules on the router upstream from the Linux box. In iptables you can write a rule which redirects traffic arriving on a specific port to another IP address. I'm not sure that would help in your case, though.

  6. #6
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,702

    Re: 2 default route with VPN

    If you want to send different protocols in different directions, I think you need to set up different routing tables and mark packets as to which forwarding table they should use. Remember that you cannot allow traffic to the VPN end point to travel up the VPN itself, so you will probably want a specific route to the VPN server over the internet, and your default route to point over the VPN. Something like this below should pick out SSH packets for special routing. (I've not tried it.) Numbers 42 (the routing table number) and 99 (the firewall mark) are numbers I chose at random.

    Code:
    # Make a new routing table with a different default route
    ip route add default via 192.168.0.1 table 42
    
    # Mark packets that need special routing
    iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 99
    
    # Add a rule to use a different routing table for marked packets
    ip rule add fwmark 99 table 42
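Added example, not code from the thread or either poster: one script that puts the two answers together for the original poster's case, with the packet marking moved to the OUTPUT chain by source port (the replies from sshd/webmin are the packets that were being sent up the tunnel, and PREROUTING never sees locally generated packets). It uses the thread's addresses and table/mark numbers; the PPTP server address 10.1.1.1 is the stand-in from post #3, webmin's port 10000 is an assumption, and the `*_CMD` variables exist so it can be dry-run with `echo`.

```shell
#!/bin/sh
# Added example (not from the thread). Host route for the PPTP server over the LAN,
# default via the tunnel, and policy routing (table 42 / fwmark 99, the thread's
# numbers) so replies from chosen local services leave via eth0 instead of ppp0.
# Set IP_CMD="echo ip" etc. to print the commands instead of running them.
IP_CMD="${IP_CMD:-ip}"
IPT_CMD="${IPT_CMD:-iptables}"
SYSCTL_CMD="${SYSCTL_CMD:-sysctl}"
LAN_NET="192.168.0.0/24"   # from the thread's route -n output
LAN_IF="eth0"

# split_routing VPN_SERVER LAN_GW VPN_GW TABLE MARK PORT...
split_routing() {
    vpn_server="$1"; lan_gw="$2"; vpn_gw="$3"; table="$4"; mark="$5"
    shift 5
    # 1. The tunnel's own (encrypted) packets must not be routed into the tunnel.
    $IP_CMD route replace "$vpn_server/32" via "$lan_gw"
    # 2. Everything else goes through ppp0. This replaces one default route;
    #    check route -n afterwards if two were present, as in the first post.
    $IP_CMD route replace default via "$vpn_gw"
    # 3. Alternate table: LAN reached directly, anything else via the LAN gateway.
    $IP_CMD route replace "$LAN_NET" dev "$LAN_IF" table "$table"
    $IP_CMD route replace default via "$lan_gw" table "$table"
    # 4. Mark locally generated replies by SOURCE port in the OUTPUT chain;
    #    the kernel re-routes a packet whose mark changed there.
    for port in "$@"; do
        $IPT_CMD -t mangle -A OUTPUT -p tcp --sport "$port" -j MARK --set-mark "$mark"
    done
    $IP_CMD rule add fwmark "$mark" table "$table"
    # 5. Inbound SSH arrives on eth0 but the reverse route for the client points
    #    at ppp0; strict rp_filter would drop it, so use loose mode (2) on eth0.
    $SYSCTL_CMD -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
}

# Example call (assumed values: 10.1.1.1 = PPTP server, 10000 = webmin):
#   split_routing 10.1.1.1 192.168.0.1 172.16.36.1 42 99 22 10000
```

Run it as root once the ppp0 link is up; the rules and routes do not survive a reboot, so a ppp `ip-up` hook is the usual place for them.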
