Hi buddies,
The current OpenVPN implementation of --redirect-gateway def1 adds a direct route to the default routing table. This means that traffic to other ports of the VPN server IP will go outside the VPN tunnel. This can be fixed with the following networky bash commands:
(this could be the up script)
#!/bin/bash
# Route only the tunnel's own UDP flow directly; everything else to the server IP goes through the tunnel.
# Assumes --redirect-gateway def1 has already added the host route to $VPNIP via the physical gateway.
VPNIP=1.2.3.4      # VPN server IP
VPNPORT=1194       # UDP port the tunnel uses
# Interface and gateway of the pre-VPN default route
DEFDEV=$(ip route show | grep "default via" | sed -n "s/.*default via [^ ]* dev \([^ ]*\).*/\1/p")
DEFIP=$(ip route show | grep "default via" | sed -n 's/.*default via \([^ ]*\).*/\1/p')
# Table 3: plain default route via the physical gateway; packets marked 2 are looked up there
sudo ip route add default via "$DEFIP" table 3
sudo ip rule add fwmark 2 table 3
# Mark only UDP packets to the VPN server's tunnel port
sudo iptables --table mangle --append OUTPUT --protocol udp --destination "$VPNIP" --destination-port "$VPNPORT" --jump MARK --set-mark 2
# The source address was chosen from the main table (tun IP); rewrite it for the physical interface
sudo iptables --table nat --append POSTROUTING --match mark --mark 2 --jump MASQUERADE
# Loose reverse-path filtering: replies arrive on $DEFDEV although the main table routes $VPNIP via tun
sudo sysctl -w "net.ipv4.conf.${DEFDEV}.rp_filter=2"
# Finally drop the host route def1 added, so other traffic to $VPNIP takes the tunnel
sudo ip route del "$VPNIP" via "$DEFIP" dev "$DEFDEV"
Could there be a flag that kind of does this or some other simplification, please?
redirect-gateway flag for port-level direct route
- OpenVPN User
- Posts: 22
- Joined: Sat Mar 21, 2015 9:55 pm
Re: redirect-gateway flag for port-level direct route
And of course, this port-level routing doesn't work on Android. Crap.
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: redirect-gateway flag for port-level direct route
While I understand your request it is very unlikely to be implemented.
OpenVPN would have to filter packets and select only the port in use for the VPN and forward those packets to the VPN server, while selecting for example HTTP packets addressed to the same server IP and forward those over the VPN.
It would also have to work across the entire client operating system spectrum.
That is a lot of code for a very tiny minority of users who, essentially, don't set up their network suitably.
The simple/correct answer is to run only your VPN server on the public IP address of your VPN server and other services on a different IP.
- OpenVPN User
- Posts: 22
- Joined: Sat Mar 21, 2015 9:55 pm
Re: redirect-gateway flag for port-level direct route
I see.
It didn't work on Android, because starting tun and connecting is an indivisible operation. By the time you get to do SNAT, the client port is already connected so SNAT gives you a new port which confuses the OpenVPN server that keeps responding to the original client port. fail.
It can be fixed in an even simpler way, though, by instead leaving the direct route in place and SNAT direct-route packets using the same method into the vpn tunnel if the packet is for the vpn server and not udp, or the packet is for the vpn server and udp for another port. That works swimmingly and the sysctl is no longer required.
IP addresses cost money and hosters are often unwilling to give them to you. I got it running on every OS I use.
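The inverted approach described in the post above, written out as an added example (this is not the poster's script and not part of OpenVPN): the host route that def1 adds stays in place, and only the non-tunnel traffic to the server IP is marked, policy-routed into the tun device and SNATed. VPNIP/VPNPORT defaults and the MARK/TABLE numbers are constructed for the example; $dev and $route_vpn_gateway are the environment variables OpenVPN exports to --up/--down scripts.

```shell
#!/bin/sh
# Added example, not the poster's script: the inverted approach described in
# the post above. The host route that --redirect-gateway def1 adds stays; only
# traffic to the server IP that is NOT the tunnel's own UDP flow is marked,
# policy-routed into the tun device and SNATed to the tunnel address.
# VPNIP/VPNPORT defaults and MARK/TABLE numbers are constructed for the example.
VPNIP="${VPNIP:-1.2.3.4}"          # VPN server public IP
VPNPORT="${VPNPORT:-1194}"         # UDP port the tunnel itself uses
TUNDEV="${dev:-tun0}"              # OpenVPN exports $dev to --up/--down scripts
VPNGW="${route_vpn_gateway:-}"     # also exported; empty on point-to-point tun
MARK=3                             # fwmark meaning "send this via the tunnel"
TABLE=3                            # routing table selected by that mark
DRY_RUN="${DRY_RUN:-0}"            # 1 = print the commands instead of running

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# tunnel_non_vpn_traffic add|del : "add" from --up, "del" from --down
tunnel_non_vpn_traffic() {
    act="${1:-add}"
    ipt=-A; [ "$act" = del ] && ipt=-D
    # Table 3 holds a single default route through the tunnel interface.
    if [ -n "$VPNGW" ]; then
        run ip route "$act" default via "$VPNGW" dev "$TUNDEV" table "$TABLE"
    else
        run ip route "$act" default dev "$TUNDEV" table "$TABLE"
    fi
    run ip rule "$act" fwmark "$MARK" table "$TABLE"
    # Case 1: non-UDP packets to the server IP (TCP, ICMP, ...).
    run iptables -t mangle "$ipt" OUTPUT -d "$VPNIP" ! -p udp \
        -j MARK --set-mark "$MARK"
    # Case 2: UDP to the server IP on any port except the tunnel port.
    run iptables -t mangle "$ipt" OUTPUT -d "$VPNIP" -p udp ! --dport "$VPNPORT" \
        -j MARK --set-mark "$MARK"
    # The kernel picked the source address from the direct route before the
    # mark re-routed the packet; rewrite it to the tunnel address on egress.
    run iptables -t nat "$ipt" POSTROUTING -o "$TUNDEV" -m mark --mark "$MARK" \
        -j MASQUERADE
}

# e.g. --up "/etc/openvpn/direct-other.sh add" --down "/etc/openvpn/direct-other.sh del"
case "${1:-}" in add|del) tunnel_non_vpn_traffic "$1" ;; esac
```

Running it from --up/--down additionally needs --script-security 2 in the client config; DRY_RUN=1 prints the rules so they can be reviewed before they touch the routing tables.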