Possible to route only certain traffic through vpn?

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

Zxurian
OpenVpn Newbie
Posts: 5
Joined: Mon May 12, 2014 3:10 am

Possible to route only certain traffic through vpn?

Post by Zxurian » Mon May 12, 2014 3:16 am

I've got a working OpenVPN install running on Ubuntu, single NIC.

If I start the service, then it connects fine and all traffic goes through the VPN.
If I stop it, then all traffic goes out normally.

What I'd like to do is just route torrent traffic over the VPN. Is this possible? I've googled, but the only solutions I can find involve multiple NICs.

Is it possible to have OpenVPN running, but have default traffic go out through the normal gateway, and only certain traffic go over the VPN?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Possible to route only certain traffic through vpn?

Post by maikcat » Mon May 12, 2014 6:21 am

OpenVPN can direct traffic using an IP-based setup, not port-based...

You need another "tool" capable of doing such things (e.g. iptables) on your client..

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

Zxurian
OpenVpn Newbie
Posts: 5
Joined: Mon May 12, 2014 3:10 am

Re: Possible to route only certain traffic through vpn?

Post by Zxurian » Tue May 13, 2014 12:24 pm

Okay, so using iptables, it should be possible to have all traffic route through the default gateway, and only certain traffic (based on the iptables rules) pass over the VPN gateway?

Is there a setting within OpenVPN that I have to configure so that it doesn't automatically redirect all traffic over the VPN? I ask because when I am connected to a VPN, my iptables aren't modified, but I am still sending all traffic over the VPN.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Possible to route only certain traffic through vpn?

Post by maikcat » Wed May 14, 2014 6:57 am

iptables must be configured on your CLIENT side and it's not OpenVPN's job to do so,

although you can call a script inside OpenVPN doing just that...

Tip: policy-based routing is what you are looking for..

Michael.

Zxurian
OpenVpn Newbie
Posts: 5
Joined: Mon May 12, 2014 3:10 am

Re: Possible to route only certain traffic through vpn?

Post by Zxurian » Wed May 14, 2014 1:21 pm

Right, I understand that iptables would have to be configured locally for traffic routing.

What I'm referring to is that when I start the OpenVPN service on my box, without me doing anything else, all traffic on the box is now routed over the VPN connection, but no changes have been made to the iptables.

So in order to have the VPN connect, but not actually tell the system to send any traffic over it by default, is there a setting I need to have within the VPN config file that I'm using? Or is there a config setting within OpenVPN itself I need to change?

Zxurian
OpenVpn Newbie
Posts: 5
Joined: Mon May 12, 2014 3:10 am

Re: Possible to route only certain traffic through vpn?

Post by Zxurian » Sat May 17, 2014 5:13 pm

The following is my VPN config:

Code:

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Sunday 11th of May 2014 09:31:35 PM
# OpenVPN Client Configuration
# AirVPN_America_UDP-443
# --------------------------------------------------------

client
dev tun
proto udp
remote america.airvpn.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
explicit-exit-notify 5
ca "/home/xbmc/.config/openvpn/ca.crt"
cert "/home/xbmc/.config/openvpn/user.crt"
key "/home/xbmc/.config/openvpn/user.key"
tls-auth "/home/xbmc/.config/openvpn/ta.key" 1
up "/home/xbmc/.config/openvpn/up.sh"
down "/home/xbmc/.config/openvpn/down.sh"

If you can tell me where to find the server config, I will gladly post it.

tyreex
OpenVpn Newbie
Posts: 2
Joined: Tue May 20, 2014 12:08 am

Re: Possible to route only certain traffic through vpn?

Post by tyreex » Tue May 20, 2014 12:16 am

You don't have access to it because the server does not belong to you.

Anyway, does someone have a way to route only on certain ports please? :/

Zxurian
OpenVpn Newbie
Posts: 5
Joined: Mon May 12, 2014 3:10 am

Re: Possible to route only certain traffic through vpn?

Post by Zxurian » Tue May 20, 2014 3:40 am

So I've continued hunting, and I'm fairly certain I need to use the route-noexec directive, which passes the server-pushed routes to the up script via environment variables.

Through logging, I know that the following routes are pushed by the server:

Code:

May 19 22:14:23 xbmc ovpn-airvpn[11907]: /home/xbmc/.config/openvpn/up.sh tun0 1500 1558 10.4.23.178 10.4.23.177 i
May 19 22:14:24 xbmc ovpn-airvpn[11907]: /sbin/ip route add 184.75.221.2/32 via 192.168.199.1
May 19 22:14:24 xbmc ovpn-airvpn[11907]: /sbin/ip route add 0.0.0.0/1 via 10.4.23.177
May 19 22:14:24 xbmc ovpn-airvpn[11907]: /sbin/ip route add 128.0.0.0/1 via 10.4.23.177
May 19 22:14:24 xbmc ovpn-airvpn[11907]: /sbin/ip route add 10.4.0.1/32 via 10.4.23.177
May 19 22:14:24 xbmc ovpn-airvpn[11907]: Initialization Sequence Completed
May 19 22:14:41 xbmc kernel: [187039.414311] ip_tables: (C) 2000-2006 Netfilter Core Team
May 19 22:17:01 xbmc CRON[11958]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
May 19 22:21:26 xbmc ovpn-airvpn[11907]: event_wait : Interrupted system call (code=4)
May 19 22:21:26 xbmc ovpn-airvpn[11907]: SIGTERM received, sending exit notification to peer
May 19 22:21:31 xbmc ovpn-airvpn[11907]: /sbin/ip route del 10.4.0.1/32
May 19 22:21:31 xbmc ovpn-airvpn[11907]: /sbin/ip route del 184.75.221.2/32
May 19 22:21:31 xbmc ovpn-airvpn[11907]: /sbin/ip route del 0.0.0.0/1
May 19 22:21:31 xbmc ovpn-airvpn[11907]: /sbin/ip route del 128.0.0.0/1
May 19 22:21:31 xbmc ovpn-airvpn[11907]: Closing TUN/TAP interface
May 19 22:21:31 xbmc ovpn-airvpn[11907]: /sbin/ip addr del dev tun0 local 10.4.23.178 peer 10.4.23.177
May 18 09:06:50 xbmc avahi-daemon[715]: message repeated 2 times: [ Invalid legacy unicast query packet.]
May 19 22:21:31 xbmc avahi-daemon[715]: Withdrawing workstation service for tun0.
May 19 22:21:31 xbmc NetworkManager[839]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
May 19 22:21:31 xbmc ovpn-airvpn[11907]: /home/xbmc/.config/openvpn/down.sh tun0 1500 1558 10.4.23.178 10.4.23.177 init

And I know that with route-noexec I have to specify them manually based on what is passed to the up.sh script.

My question is, what routes do I have to add so that only certain traffic (either adapter-based or port-based) is sent over the VPN connection?

tyreex
OpenVpn Newbie
Posts: 2
Joined: Tue May 20, 2014 12:08 am

Re: Possible to route only certain traffic through vpn?

Post by tyreex » Tue May 20, 2014 2:58 pm

You have to use iptables:
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --match multiport ! --dports 80,22 -j DNAT --to-destination 10.20.0.1
80 and 22 are the whitelisted ports to allow SSH access and HTTP access. This rule means that if the traffic on eth0 doesn't come from port 80 or 22, it forwards the traffic to the destination gateway (10.20.0.1 is my tun0).

BUT it looks like it is working 1/2 of the time and I don't know how to get this working. Also, when it works it checks the incoming or outgoing traffic and I just want the incoming. :/

Can someone help us please? Thanks.
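Putting maikcat's policy-routing tip together with Zxurian's route-noexec log, here is an added up script (written for this thread; it is not Zxurian's up.sh, not AirVPN's, and not tested by anyone in the thread). A DNAT rule rewrites a packet's destination address rather than choosing a gateway, which is why the rule above behaves unpredictably; a firewall mark plus a second routing table leaves the destination intact. The script relies on the environment variables OpenVPN documents for scripts (dev, route_vpn_gateway, ifconfig_local, script_type); the table number 100, mark 0x1, port range 6881:6889 and user name "deluge" are assumed values to adjust.

```shell
#!/bin/sh
# Added example (not the thread's up.sh and not AirVPN's): an OpenVPN "up" script for a
# client config that also contains "route-noexec". OpenVPN still assigns the tun address
# but installs no routes; it exports the pushed gateway as $route_vpn_gateway, the device
# as $dev and our address as $ifconfig_local. Instead of 0.0.0.0/1 + 128.0.0.0/1 in the
# main table, the VPN gets its own routing table and a firewall mark selects who uses it.
# Assumed (constructed) values: table 100, fwmark 0x1, ports 6881-6889, user "deluge".
set -eu

VPN_TABLE=${VPN_TABLE:-100}
VPN_MARK=${VPN_MARK:-0x1}
VPN_PORTS=${VPN_PORTS:-6881:6889}   # multiport range, matched as source or destination
VPN_USER=${VPN_USER:-deluge}        # local account the torrent client runs as
DRY_RUN=${DRY_RUN:-0}               # DRY_RUN=1 prints the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One default route in the VPN table covers everything the server pushed in the log
# above (0.0.0.0/1, 128.0.0.0/1 and 10.4.0.1/32 all lie inside 0.0.0.0/0).
setup_routes() {  # $1 = tun device, $2 = VPN gateway, $3 = our tun address
  run ip route replace default via "$2" dev "$1" table "$VPN_TABLE"
  run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE"   # marked packets -> VPN table
  run ip rule add from "$3" lookup "$VPN_TABLE"            # replies sent from the tun address
  run ip route flush cache
}

# Mark outgoing torrent traffic. Peers listen on arbitrary ports, so the owner match is
# the reliable selector; the port match covers the client's own listening port. The VPN's
# UDP session to the server is never marked, so it keeps using the LAN gateway.
setup_marks() {  # $1 = tun device
  for proto in tcp udp; do
    run iptables -t mangle -A OUTPUT -p "$proto" -m multiport --ports "$VPN_PORTS" -j MARK --set-mark "$VPN_MARK"
  done
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$VPN_MARK"
  # A socket picks its source address before the mark re-routes the packet to tun0, so
  # rewrite the LAN source to the tun address on the way out.
  run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
  # Strict reverse-path filtering would drop the asymmetric flows; the effective value is
  # the higher of "all" and the per-device setting, so relax both to loose mode (2).
  run sysctl -q -w "net.ipv4.conf.$1.rp_filter=2" "net.ipv4.conf.all.rp_filter=2"
}

# OpenVPN sets $script_type=up when it runs this file; down.sh should mirror the same
# commands with "del" / "-D" so nothing is left behind after "SIGTERM received".
if [ "${script_type:-}" = up ]; then
  setup_routes "$dev" "$route_vpn_gateway" "$ifconfig_local"
  setup_marks "$dev"
fi
```

Run it once with DRY_RUN=1 to review the exact commands before pointing the "up" directive at it, and confirm afterwards with "ip route show" that the main table still defaults to the LAN gateway.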
