Traffic tunneling on a Linux client

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

zaf-lopzeuy984124
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 02, 2021 7:13 am

Traffic tunneling on a Linux client

Post by zaf-lopzeuy984124 » Wed Jun 02, 2021 7:53 am

Dear all,

The issue

My client machine is connected to an openvpn server.
All the traffic is sent through the VPN and everything works fine.

I recently started running a couple of programs in some Docker containers, and I would like the traffic of all the containers not to be directed via the VPN.

Here are my routes when the VPN is turned off:

Destination     Gateway      Genmask         Indic Metric Ref    Use Iface
default         192.168.10.1   0.0.0.0         UG    100    0        0 enp2s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp2s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp2s0


Here are my routes when the client is connected to the VPN:

Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 tun0
default         _gateway        0.0.0.0         UG    100    0        0 enp2s0
10.8.0.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0
vps-2224a3f4.vp _gateway        255.255.255.255 UGH   100    0        0 enp2s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp2s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp2s0
_gateway        0.0.0.0         255.255.255.255 UH    100    0        0 enp2s0

vps-2224a3f4.vp is the hostname of the OpenVPN server.

Basically, I'd like to route everything except 172.17.0.0 to the VPN.

I tried to add these lines in my client.ovpn but it didn't work:

pull-filter ignore "redirect-gateway"
route 192.168.10.0 255.255.255.0 route_vpn_gateway
route 172.17.0.0 255.255.0.0 route_net_gateway

Thanks very much for your kind help.


Information

OpenVPN server : OpenVPN 2.4.7 x86_64-pc-linux-gnu
OpenVPN client : OpenVPN 2.4.7 x86_64-pc-linux-gnu


Here is the client conf.ovpn:

client
proto udp
remote public_IP 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_b2YrpwwxLm837xGC name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
pull-filter ignore "redirect-gateway"
route 192.168.10.0 255.255.255.0 route_vpn_gateway
route 172.17.0.0 255.255.0.0 route_net_gateway
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MII........0V
WYHUBAB9cyCdNSNbkGCXHxRBy2hJ
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII.....4g==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
M.....Gg
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0c66533.........b008
-----END OpenVPN Static key V1-----
</tls-crypt>

Here is my server conf:

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 5 20
reneg-sec 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 213.186.33.99"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_b2YrpwwxLm837xGC.crt
key server_b2YrpwwxLm837xGC.key 
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Traffic tunneling on a Linux client

Post by TinCanTech » Wed Jun 02, 2021 9:50 am

zaf-lopzeuy984124 wrote:
Wed Jun 02, 2021 7:53 am
I'd like to route everything except 172.17.0.0 to the VPN
zaf-lopzeuy984124 wrote:
Wed Jun 02, 2021 7:53 am

# pull-filter ignore "redirect-gateway" # You need to use redirect-gateway
# route 192.168.10.0 255.255.255.0 route_vpn_gateway # You don't need this
# route 172.17.0.0 255.255.0.0 route_net_gateway # This is incorrect
route 172.17.0.0 255.255.0.0 net_gateway

zaf-lopzeuy984124
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 02, 2021 7:13 am

Re: Traffic tunneling on a Linux client

Post by zaf-lopzeuy984124 » Wed Jun 02, 2021 10:45 am

Hi,

Thanks a lot for your kind answer.

As you advised, I commented the unnecessary lines and added the required one to my client.ovpn, so it looks like:

#pull-filter ignore "redirect-gateway"
#route 192.168.10.0 255.255.255.0 route_vpn_gateway
#route 172.17.0.0 255.255.0.0 route_net_gateway
route 172.17.0.0 255.255.0.0 net_gateway

But I don't think it works, because this is how the routes look when connected to the VPN with this config:

Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 tun0
default         _gateway        0.0.0.0         UG    100    0        0 enp2s0
10.8.0.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0
my.domain.com    _gateway        255.255.255.255 UGH   100    0        0 enp2s0
vps-2224a3f4.vp _gateway        255.255.255.255 UGH   100    0        0 enp2s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp2s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.17.0.0      _gateway        255.255.0.0     UG    50     0        0 tun0
192.168.10.0    _gateway        255.255.255.0   UG    50     0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp2s0
_gateway        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
_gateway        0.0.0.0         255.255.255.255 UH    100    0        0 enp2s0

It looks like 172.17.0.0 is still routed to the VPN network, am I wrong?

Thanks again for your help
Best

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Traffic tunneling on a Linux client

Post by TinCanTech » Wed Jun 02, 2021 1:50 pm

zaf-lopzeuy984124 wrote:
Wed Jun 02, 2021 10:45 am

172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.17.0.0      _gateway        255.255.0.0     UG    50     0        0 tun0
You have two routes for the same subnet ...

I am only telling you what you need in your openvpn config file in order to tell openvpn what you want.

I am not debugging your network for you, that is your job. Try rebooting.
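The "two routes for the same subnet" point above can be checked mechanically rather than by eye. What follows is an added example, not code from the thread or from OpenVPN: it parses a `route -n`-style table and applies the kernel's selection rule, longest matching prefix first and lowest metric among equal prefixes, to a few destinations. The table is a constructed copy of the one posted with hostnames replaced by addresses; the VPN gateway 10.8.0.1, the LAN gateway 192.168.10.1 and the VPN server address 203.0.113.10 are assumptions.

```python
"""Which interface does the kernel pick for a destination, given a route table?
Rule: longest matching prefix wins; among equal prefixes the lowest metric wins.
Added example, not from the thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample modelled on the table posted in the thread, in `route -n`
# form (addresses instead of hostnames). Gateway addresses 10.8.0.1 (VPN) and
# 192.168.10.1 (LAN) and the server address 203.0.113.10 are assumptions.
SAMPLE_ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 enp2s0
10.8.0.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0
203.0.113.10    192.168.10.1    255.255.255.255 UGH   100    0        0 enp2s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp2s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.17.0.0      10.8.0.1        255.255.0.0     UG    50     0        0 tun0
192.168.10.0    10.8.0.1        255.255.255.0   UG    50     0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp2s0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    metric: int
    iface: str


def parse_route_table(text: str) -> list[Route]:
    """Parse the data rows of `route -n` output; the header row is skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = fields[:8]
        network = ipaddress.IPv4Network((dest, genmask), strict=False)
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def resolve(routes: list[Route], destination: str) -> Route | None:
    """Return the route the kernel would use for `destination`, or None."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    # Longest prefix first; ties are broken by the lowest metric.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def duplicate_subnets(routes: list[Route]) -> dict[ipaddress.IPv4Network, list[Route]]:
    """Subnets present more than once, i.e. where only the metric decides."""
    by_net: dict[ipaddress.IPv4Network, list[Route]] = {}
    for r in routes:
        by_net.setdefault(r.network, []).append(r)
    return {net: rs for net, rs in by_net.items() if len(rs) > 1}


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_TABLE)
    for dst in ("172.17.0.5", "8.8.8.8", "192.168.10.20", "203.0.113.10"):
        r = resolve(table, dst)
        print(f"{dst:>15} -> {r.iface:7} via {r.gateway} ({r.network}, metric {r.metric})")
    for net, rs in duplicate_subnets(table).items():
        print(f"duplicate routes for {net}: " + ", ".join(f"{r.iface}/{r.metric}" for r in rs))
```

On this table 172.17.0.5 resolves to docker0, because the directly attached route has metric 0 and the tun0 copy at metric 50 only takes over if the docker0 route disappears; anything without a more specific match, such as 8.8.8.8, goes to tun0 because its default has the lower metric. The live table can be queried the same way with `ip route get <addr>`, which is the quickest way to confirm which path a given destination really takes.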

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Traffic tunneling on a Linux client

Post by 300000 » Thu Jun 03, 2021 10:04 am

If you only want to route 172.17.0.0 over the VPN and the rest to go to the local gateway, just remove the pull-filter and the two routes you added, and add only this to your client config:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
route 172.17.0.0 255.255.0.0 vpn_gateway

All these routes will do what you want and you don't need to use the pull-filter. After editing, connect OpenVPN again. It should work without restarting the system.
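To see why the four /2 routes above work without a pull-filter, here is an added example (not code from the thread or from OpenVPN) that evaluates the directives the way the kernel will: each one becomes a prefix, and the most specific prefix wins whatever the order in the config. It also includes the two /1 routes that `redirect-gateway def1` pushes to the client, so the comparison reflects what the client actually ends up with. The directive list is a constructed copy of the post, with the spacing typo in its last line fixed.

```python
"""Evaluate OpenVPN client `route` directives by longest-prefix match.
Added example, not from the thread."""
from __future__ import annotations

import ipaddress

# What `push "redirect-gateway def1"` installs on the client: two /1 routes via
# the VPN gateway, which beat the existing /0 default without replacing it.
REDIRECT_GATEWAY_DEF1 = [
    "route 0.0.0.0 128.0.0.0 vpn_gateway",
    "route 128.0.0.0 128.0.0.0 vpn_gateway",
]

# Constructed copy of the directives proposed in the post above.
CLIENT_ROUTES = [
    "route 0.0.0.0 192.0.0.0 net_gateway",
    "route 64.0.0.0 192.0.0.0 net_gateway",
    "route 128.0.0.0 192.0.0.0 net_gateway",
    "route 192.0.0.0 192.0.0.0 net_gateway",
    "route 172.17.0.0 255.255.0.0 vpn_gateway",
]


def parse_route_directives(lines: list[str]) -> list[tuple[ipaddress.IPv4Network, str]]:
    """`route <network> <netmask> <gateway>` -> (prefix, gateway keyword)."""
    parsed = []
    for line in lines:
        keyword, network, netmask, gateway = line.split()
        if keyword != "route":
            raise ValueError(f"not a route directive: {line!r}")
        parsed.append((ipaddress.IPv4Network((network, netmask), strict=False), gateway))
    return parsed


def installed_routes() -> list[tuple[ipaddress.IPv4Network, str]]:
    """Everything the client ends up with: the pushed def1 routes plus its own."""
    return parse_route_directives(REDIRECT_GATEWAY_DEF1 + CLIENT_ROUTES)


def covers_all_ipv4(directives) -> bool:
    """True if the prefixes, merged, are exactly 0.0.0.0/0 (no uncovered gap)."""
    merged = list(ipaddress.collapse_addresses(net for net, _ in directives))
    return merged == [ipaddress.IPv4Network("0.0.0.0/0")]


def next_hop(directives, destination: str) -> str | None:
    """Gateway keyword chosen for `destination` by longest-prefix match.

    Prefix length alone decides here; the sample has no two overlapping
    prefixes of equal length, which the kernel would settle by metric."""
    addr = ipaddress.IPv4Address(destination)
    matches = [(net, gw) for net, gw in directives if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def route_summary(directives, destinations: list[str]) -> dict[str, str | None]:
    """Map each destination to the gateway keyword it would use."""
    return {dst: next_hop(directives, dst) for dst in destinations}


if __name__ == "__main__":
    print("client routes cover all of IPv4:",
          covers_all_ipv4(parse_route_directives(CLIENT_ROUTES)))
    for dst, gw in route_summary(installed_routes(),
                                 ["8.8.8.8", "172.17.0.5", "192.168.10.20"]).items():
        print(f"{dst:>15} -> {gw}")
```

The four /2 routes cover all of IPv4 and are more specific than the pushed /1 routes, so every destination goes to net_gateway except those inside the /16, which is more specific still. All of these choices are made on the destination address alone: whether a packet from a container leaves via tun0 or enp2s0 depends on where it is going, not on its coming from docker0. Selecting a path by source address needs policy routing (`ip rule` with a separate routing table), which `route` directives cannot express.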
