redirect-gateway flag for port-level direct route

Posted: Mon Mar 30, 2015 4:30 am
by vpn2vpn
Hi buddies,

The current openvpn implementation --redirect-gateway def1 adds a direct route to the default routing table. This means that traffic to other ports of the vpn server ip will go outside the vpn tunnel. This can be fixed with the following networky bash commands:

(this could be the up script)

#!/bin/bash
# Exclude only the OpenVPN UDP flow from the tunnel; everything else sent to
# the VPN server IP then goes through the tunnel like any other traffic.
VPNIP=1.2.3.4
VPNPORT=1194
# Interface and gateway of the default route that was in place before the tunnel
DEFDEV=$(ip route show | grep "default via" | sed -n 's/.*default via [^ ]* dev \([^ ]*\).*/\1/p')
DEFIP=$(ip route show | grep "default via" | sed -n 's/.*default via \([^ ]*\).*/\1/p')
# Table 3 holds the plain (non-VPN) default route; packets with fwmark 2 use it
sudo ip route add default via "$DEFIP" table 3
sudo ip rule add fwmark 2 table 3
# Mark only the tunnel's own UDP packets to the server port
sudo iptables --table mangle --append OUTPUT --protocol udp --destination "$VPNIP" --destination-port "$VPNPORT" --jump MARK --set-mark 2
# Rewrite their source address to that of the interface they now leave on
sudo iptables --table nat --append POSTROUTING --match mark --mark 2 --jump MASQUERADE
# Loose reverse-path filtering, otherwise the replies arriving on DEFDEV are dropped
sudo sysctl -w "net.ipv4.conf.${DEFDEV}.rp_filter=2"
# Remove the host route to the server that --redirect-gateway def1 added
sudo ip route del "$VPNIP" via "$DEFIP" dev "$DEFDEV"

Could there be a flag that kind of does this or some other simplification, please?

Re: redirect-gateway flag for port-level direct route

Posted: Sun Jun 14, 2015 11:11 pm
by vpn2vpn
And of course, this port-level routing doesn't work on Android. Crap.

Re: redirect-gateway flag for port-level direct route

Posted: Mon Jun 15, 2015 10:41 am
by Traffic
While I understand your request it is very unlikely to be implemented.

OpenVPN would have to filter packets and select only the port in use for the VPN and forward those packets to the VPN server, while selecting for example HTTP packets addressed to the same server IP and forward those over the VPN.

It would also have to work across the entire client operating system spectrum ..

That is a lot of code for a very tiny minority of users who, essentially, don't set up their network suitably.

The simple/correct answer is to run only your VPN server on the public IP address of your VPN server and other services on a different IP.

Re: redirect-gateway flag for port-level direct route

Posted: Fri Jun 19, 2015 7:55 am
by vpn2vpn
I see.

It didn't work on Android, because starting tun and connecting is an indivisible operation. By the time you get to do SNAT, the client port is already connected so SNAT gives you a new port which confuses the OpenVPN server that keeps responding to the original client port. fail.

It can be fixed in an even simpler way, though, by instead leaving the direct route in place and SNAT direct-route packets using the same method into the vpn tunnel if the packet is for the vpn server and not udp, or the packet is for the vpn server and udp for another port. That works swimmingly and the sysctl is no longer required.

IP addresses cost money and hosters are often unwilling to give them to you. I got it running on every OS I use.
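The simpler variant described in the last post, written out as an added example (this is not vpn2vpn's script, and the mark value 3, table 4, the tun0 device name and the sample server address are assumptions). The def1 host route to the server is left alone; instead, every locally generated packet for the server IP that is not the tunnel's own UDP flow is fwmarked, policy-routed out of the tun device, and masqueraded so the server sees it arrive from the tunnel address. With DRY_RUN=1 (the default) the commands are printed rather than executed, so the rule set can be inspected without root; an OpenVPN --up script would run it as root with DRY_RUN=0 and pass the tun device it receives in $dev.

```shell
#!/bin/sh
# Added example: route all non-tunnel traffic for the VPN server IP into the
# tunnel itself, as described in vpn2vpn's last post. Mark 3, table 4, tun0
# and the server address below are assumed values, not from the thread.

VPNIP=${VPNIP:-1.2.3.4}      # constructed sample server address
VPNPORT=${VPNPORT:-1194}
TUNDEV=${TUNDEV:-tun0}       # OpenVPN hands this to an --up script as $dev
MARK=3
TABLE=4
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the rules: everything to VPNIP except udp/VPNPORT goes via the tunnel.
tunnel_vpn_host_traffic() {
    vpnip=$1; vpnport=$2; tundev=$3
    # Table TABLE sends everything out of the tun device; fwmark MARK selects it.
    run ip route add default dev "$tundev" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    # Non-UDP packets to the server (TCP, ICMP, ...) get the mark ...
    run iptables -t mangle -A OUTPUT -d "$vpnip" ! -p udp -j MARK --set-mark "$MARK"
    # ... and so do UDP packets to any port other than the OpenVPN port.
    # The tunnel's own udp/VPNPORT flow matches neither rule and keeps the def1 route.
    run iptables -t mangle -A OUTPUT -d "$vpnip" -p udp ! --dport "$vpnport" -j MARK --set-mark "$MARK"
    # The first route lookup already picked the LAN source address, so rewrite it
    # to the tun address; otherwise the server would answer outside the tunnel.
    run iptables -t nat -A POSTROUTING -m mark --mark "$MARK" -o "$tundev" -j MASQUERADE
}

# Remove the same rules again (for a --down script), in reverse order.
untunnel_vpn_host_traffic() {
    vpnip=$1; vpnport=$2; tundev=$3
    run iptables -t nat -D POSTROUTING -m mark --mark "$MARK" -o "$tundev" -j MASQUERADE
    run iptables -t mangle -D OUTPUT -d "$vpnip" -p udp ! --dport "$vpnport" -j MARK --set-mark "$MARK"
    run iptables -t mangle -D OUTPUT -d "$vpnip" ! -p udp -j MARK --set-mark "$MARK"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route del default dev "$tundev" table "$TABLE"
}

# Sanity check on the generated rule set: exactly two marking rules, none of
# which can match the tunnel's own udp/VPNPORT packets.
count_mark_rules() {
    ( DRY_RUN=1; tunnel_vpn_host_traffic "$1" "$2" "$3" ) | grep -c -- "--set-mark $MARK"
}

tunnel_vpn_host_traffic "$VPNIP" "$VPNPORT" "$TUNDEV"
```

In OpenVPN's "subnet" topology the tun interface is not point-to-point, so the table 4 route needs a gateway: replace `default dev "$tundev"` with `default via "$route_vpn_gateway" dev "$tundev"`, using the variable OpenVPN exports to --up scripts. Because the mark is applied in the mangle OUTPUT chain, the kernel re-runs the route lookup for the marked packet, which is what moves it from the def1 host route onto table 4; no rp_filter change is needed, since the replies now arrive on the same tun device the requests left on.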