redirect-gateway flag for port-level direct route

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

vpn2vpn
OpenVPN User
Posts: 22
Joined: Sat Mar 21, 2015 9:55 pm

redirect-gateway flag for port-level direct route

Post by vpn2vpn » Mon Mar 30, 2015 4:30 am

Hi buddies,

The current openvpn implementation --redirect-gateway def1 adds a direct route to the default routing table. This means that traffic to other ports of the vpn server ip will go outside the vpn tunnel. This can be fixed with the following networky bash commands:

(this could be the up script)

#!/bin/bash
# VPN server address and the UDP port OpenVPN connects to (adjust to your setup)
VPNIP=1.2.3.4
VPNPORT=1194
# Physical default interface and gateway, read from the main routing table
# (head -n 1 keeps the first default route if several exist)
DEFDEV=$(ip route show | grep "default via" | head -n 1 | sed -n "s/.*default via [^ ]* dev \([^ ]*\).*/\1/p")
DEFIP=$(ip route show | grep "default via" | head -n 1 | sed -n 's/.*default via \([^ ]*\).*/\1/p')
# Routing table 3: default route via the physical gateway, consulted for packets with fwmark 2
sudo ip route add default via "$DEFIP" table 3
sudo ip rule add fwmark 2 table 3
# Mark only the OpenVPN UDP flow to the server so that it alone leaves via table 3
sudo iptables --table mangle --append OUTPUT --protocol udp --destination "$VPNIP" --destination-port "$VPNPORT" --jump MARK --set-mark 2
# Source NAT the marked packets to the physical interface address
sudo iptables --table nat --append POSTROUTING --match mark --mark 2 --jump MASQUERADE
# Loose reverse-path filtering so the replies on the physical interface are not dropped
sudo sysctl -w "net.ipv4.conf.${DEFDEV}.rp_filter=2"
# Remove the host route OpenVPN added; all other traffic to VPNIP now goes through the tunnel
sudo ip route del "$VPNIP" via "$DEFIP" dev "$DEFDEV"

Could there be a flag that kind of does this or some other simplification, please?

vpn2vpn
OpenVPN User
Posts: 22
Joined: Sat Mar 21, 2015 9:55 pm

Re: redirect-gateway flag for port-level direct route

Post by vpn2vpn » Sun Jun 14, 2015 11:11 pm

And of course, this port-level routing doesn't work on Android. Crap.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: redirect-gateway flag for port-level direct route

Post by Traffic » Mon Jun 15, 2015 10:41 am

While I understand your request it is very unlikely to be implemented.

OpenVPN would have to filter packets and select only the port in use for the VPN and forward those packets to the VPN server, while selecting for example HTTP packets addressed to the same server IP and forward those over the VPN.

It would also have to work across the entire client operating system spectrum...

That is a lot of code for a very tiny minority of users who, essentially, don't set up their network suitably.

The simple/correct answer is to run only your VPN server on the public IP address of your VPN server and other services on a different IP.

vpn2vpn
OpenVPN User
Posts: 22
Joined: Sat Mar 21, 2015 9:55 pm

Re: redirect-gateway flag for port-level direct route

Post by vpn2vpn » Fri Jun 19, 2015 7:55 am

I see.

It didn't work on Android, because starting tun and connecting is an indivisible operation. By the time you get to do SNAT, the client port is already connected so SNAT gives you a new port which confuses the OpenVPN server that keeps responding to the original client port. fail.

It can be fixed in an even simpler way, though, by instead leaving the direct route in place and SNAT direct-route packets using the same method into the vpn tunnel if the packet is for the vpn server and not udp, or the packet is for the vpn server and udp for another port. That works swimmingly and the sysctl is no longer required.

IP addresses cost money and hosters are often unwilling to give them to you. I got it running on every OS I use.
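The second method described in the post above, as an added example that is not part of the thread and not vpn2vpn's own script: the host route OpenVPN installs for the server IP is left alone, and only packets to that IP which are not the VPN's own UDP flow (any non-UDP traffic, or UDP to another port) are marked, re-routed into the tunnel and source-NATed to the tun address so that replies come back the same way. The values VPNIP, VPNPORT, TUNDEV, mark 3 and table 4 are assumed placeholders. DRY_RUN=1 (the default) only prints the commands; run with DRY_RUN=0 to apply them, and pass "down" to remove them again from a down script.

```shell
#!/bin/bash
# Added example, not code from the thread: route traffic for the VPN server IP
# that is NOT the OpenVPN UDP flow back into the tunnel (policy routing + SNAT).
# VPNIP, VPNPORT, TUNDEV, MARK and TABLE are assumed placeholder values.

VPNIP="${VPNIP:-1.2.3.4}"
VPNPORT="${VPNPORT:-1194}"
TUNDEV="${TUNDEV:-tun0}"
MARK=3
TABLE=4
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it as root.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# add_tunnel_rules: the direct host route OpenVPN added for VPNIP stays in place;
# only the selected packets are marked and re-routed through the tun device.
add_tunnel_rules() {
    # Table TABLE: default route through the tunnel device.
    run ip route replace default dev "$TUNDEV" table "$TABLE"
    # Packets carrying MARK consult that table before the main one.
    run ip rule add fwmark "$MARK" table "$TABLE"
    # Non-UDP traffic to the server IP (TCP, ICMP, ...) gets the mark.
    run iptables --table mangle --append OUTPUT --destination "$VPNIP" \
        ! --protocol udp --jump MARK --set-mark "$MARK"
    # UDP to the server IP on any port other than the OpenVPN port gets the mark.
    run iptables --table mangle --append OUTPUT --destination "$VPNIP" \
        --protocol udp ! --destination-port "$VPNPORT" --jump MARK --set-mark "$MARK"
    # The source address was chosen before the re-route, so rewrite it to the
    # tun address; without this the replies would not return through the tunnel.
    run iptables --table nat --append POSTROUTING --match mark --mark "$MARK" \
        --out-interface "$TUNDEV" --jump MASQUERADE
}

# remove_tunnel_rules: mirror of add_tunnel_rules, for a down script.
remove_tunnel_rules() {
    run iptables --table nat --delete POSTROUTING --match mark --mark "$MARK" \
        --out-interface "$TUNDEV" --jump MASQUERADE
    run iptables --table mangle --delete OUTPUT --destination "$VPNIP" \
        --protocol udp ! --destination-port "$VPNPORT" --jump MARK --set-mark "$MARK"
    run iptables --table mangle --delete OUTPUT --destination "$VPNIP" \
        ! --protocol udp --jump MARK --set-mark "$MARK"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route flush table "$TABLE"
}

case "${1:-up}" in
    up)   add_tunnel_rules ;;
    down) remove_tunnel_rules ;;
esac
```

Because the original host route is kept, the OpenVPN UDP flow itself is never re-routed or NATed, which is why the client port does not change and the rp_filter sysctl from the first script is no longer needed. The marking happens in the mangle OUTPUT chain, after which the kernel re-runs the routing decision for the marked packet, so the fwmark rule must sit before the main table, which is where `ip rule add` places it by default.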
