Use OpenVPN only with selected programs
Hello,
I would like to connect to an OpenVPN server with Debian 7 being the client and NOT route all traffic through it automatically. Then I would like to bind individual programs to the VPN network adapter (bind to IP of tun?).
Is that possible? I have been looking, but couldn't find any how-to. I also do not really know anything about iptables/network/etc, so I would really appreciate some help.
Thanks.
Comments
It sounds like what you want is similar to what's generally referred to as a site-to-site VPN. You might want to do some Googling around for some openvpn howtos to get that going with openvpn. Do you control the other side of the connection? If so, you may want to give tinc a look, I find it easier to do server-to-server tunneling using it. http://tinc-vpn.org/
It certainly is possible. And there is more than one way.
Have a look at:
http://blog.famzah.net/2014/06/05/private-networking-per-process-in-linux/ (namespace)
http://www.evolware.org/?p=293 (namespace)
http://www.evolware.org/?p=369 (cgroup)
http://blog.sebastien.raveau.name/2009/04/per-process-routing.html (user-based)
Running Debian 7 your best bet is probably using namespaces.
If you need any help please let me know.
Thanks for your replies. I do not have access to the VPN server. The user-based approach seems sufficient, but I need some further understanding first, it seems.
First I connect with "openvpn /path/to/client.ovpn". I prevent it from setting a default route with "route-noexec" in the .ovpn file (otherwise I would not be able to access my server via SSH anymore).
OpenVPN output without route-noexec
Tue Dec 30 08:01:43 2014 us=614104 /sbin/ifconfig tun0 10.129.130.186 pointopoint 10.129.130.185 mtu 1500
Tue Dec 30 08:01:48 2014 us=823684 /sbin/route add -net 95.141.28.118 netmask 255.255.255.255 gw 195.154.110.1
Tue Dec 30 08:01:48 2014 us=826099 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.129.130.185
Tue Dec 30 08:01:48 2014 us=828311 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.129.130.185
Tue Dec 30 08:01:48 2014 us=830713 /sbin/route add -net 10.129.0.1 netmask 255.255.255.255 gw 10.129.130.185
(95.141.28.118 is the external VPN IP)
OpenVPN output with route-noexec
Tue Dec 30 08:16:30 2014 us=133179 /sbin/ifconfig tun0 10.129.130.186 pointopoint 10.129.130.185 mtu 1500
I then followed the instructions from http://blog.sebastien.raveau.name/2009/04/per-process-routing.html, but it looks like I did something wrong - the user "wifi" is not able to access the internet.
adduser wifi
iptables -t mangle -A OUTPUT -m owner --uid-owner wifi -j MARK --set-mark 42
iptables -t nat -A POSTROUTING -o tun0 -m mark --mark 42 -j SNAT --to-source 10.129.130.186
ip rule add fwmark 42 table 42
Is everything correct so far? If yes, then I am stuck at the route:
ip route add default via 10.0.0.1 dev ath0 table 42
No clue what route(s) to add.
@dabtech @zxb
Thanks.
Seems correct, can't spot any errors.
I think you need to add a default route:
ip route add default via 10.129.130.185 table 42
From the comment of the article it seems you need to disable reverse path filtering as well:
sysctl net.ipv4.conf.ath0.rp_filter=0
See if you can get it working.
I got it working, thanks!
ip route add default via *IPHERE* dev tun0 table 42
sysctl net.ipv4.conf.tun0.rp_filter=0
Then I still could not connect to google.com until I figured out that I had to change the default DNS servers.
Now wget icanhazip.com gives me a file with the IPv4 of the VPN in it.
I did this on a dedicated server. Now I would like to try it in an OpenVZ container that I created with Proxmox, but I receive the following error message for the iptables rules:
iptables: No chain/target/match by that name.
I assume this has to do with /etc/vz/vz.conf ? I have the following iptables modules enabled:
IPTABLES="iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
Do I need any other modules?
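The per-user policy routing this thread converges on (owner mark in the mangle table, SNAT to the tun0 address, a fwmark rule pointing at a dedicated routing table whose default route is the VPN gateway, and rp_filter off on tun0), collected into one script. This is an added example, not code from any poster; the user name, interface, addresses and mark number are placeholders taken from the thread's own values, and the final REJECT rule is a leak guard the thread does not mention.

```shell
#!/bin/sh
# Route only one Unix user's traffic through an OpenVPN tunnel that was started
# with "route-noexec" (so OpenVPN sets up tun0 but installs no routes itself).
# Assumptions (placeholders): user "wifi" already exists, interface tun0,
# local tun address 10.129.130.186, VPN gateway 10.129.130.185, mark/table 42.
# Run as root; set DRYRUN=1 to print the commands instead of executing them.

# run: execute a command, or echo it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_vpn_user_routing USER IFACE LOCAL_IP GATEWAY MARK
setup_vpn_user_routing() {
    user=$1; iface=$2; local_ip=$3; gw=$4; mark=$5
    # 1. Mark every packet generated by a process running as $user (DNS lookups
    #    made by that user are marked too, so its resolvers must be reachable
    #    through the tunnel; the thread had to change DNS servers for this).
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark "$mark"
    # 2. Rewrite the source address to the tun address so replies come back over tun0.
    run iptables -t nat -A POSTROUTING -o "$iface" -m mark --mark "$mark" -j SNAT --to-source "$local_ip"
    # 3. Marked packets consult table $mark, whose only route is the VPN gateway.
    run ip rule add fwmark "$mark" table "$mark"
    run ip route add default via "$gw" dev "$iface" table "$mark"
    # 4. Replies arrive on tun0 from addresses the main table would send via eth0;
    #    strict reverse-path filtering drops them. The kernel applies the larger of
    #    conf/all and conf/$iface, so conf/all/rp_filter must not be 1 either.
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=0"
    # 5. Leak guard (added here, not in the thread): if the tunnel drops, table $mark
    #    loses its default route and the lookup falls through to the main table.
    #    Keep loopback usable, then refuse the user's traffic on any other interface.
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$user" ! -o "$iface" -j REJECT
}

# Usage: ./vpn-user.sh apply   (or DRYRUN=1 ./vpn-user.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    setup_vpn_user_routing wifi tun0 10.129.130.186 10.129.130.185 42
fi
```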
I'm not at all familiar with OpenVZ.
From the official man page http://openvz.org/Man/vzctl.8#Netfilter_.28iptables.29_control_parameters , here's the full list of modules:
iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS, ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, ipt_conntrack, ipt_state, ipt_helper, iptable_nat, ip_nat_ftp, ip_nat_irc, ipt_REDIRECT, xt_mac, ipt_recent, ipt_owner
OpenVZ versions might differ, so look it up in your man page as well.
I guess it needs ipt_state, ipt_conntrack and ipt_owner. ipt_mark seems needed but not VZ-ed but I'm not sure. If it's your own container, you might as well enable all of them and see if it works. If it does, you can try to remove them one at a time until it shows error, and then you'd know which one is needed. If it doesn't work then perhaps you're out of luck, and need to try a different method.
I got it to work with the modules you named. However, torrent upload speed was very slow. I tried to fix it, which did not work, so I reset everything to the way it was and now transmission (torrent client) cannot connect to trackers (download via DHT/peer exchange still works). It just does not want to work anymore, even though I reinstalled the VPS and wrote down in detail how I had it set up before.
I found something else that might be easier:
Looks like openvpn can route traffic from a certain IP address, so I added a new IP address with:
ip addr add 192.168.1.1 dev venet0:0
And then added to the .ovpn config file:
route-nopull
route 192.168.1.1 255.255.255.255
But after connecting to the VPN and launching the torrent client (bound to IP 192.168.1.1), no connections are established. I know nothing about networking, so I am not even sure if that could work. If yes, what am I missing?
Thanks.
@zxb
What you set up would not work.
When you write:
route 192.168.1.1 255.255.255.255
The effect is to route traffic with a destination of 192.168.1.1 via VPN, while your intention is to route traffic with a source of 192.168.1.1.
To do that you should do:
ip rule add from 192.168.1.1/32 table 55
ip route add default via (vpn gateway ip) table 55
And there's another problem: because 192.168.1.1 is not known to the server, it will not get routed back to you. If you have access to the VPN server, you can add a route back. But you don't so you'll probably have to do NAT again after you route. But that is pretty much insane.
Try to get the previous method to work; or try using namespaces. In openvz where iptables function may be limited you won't get very far mangling packets.
Thanks. There are just 2 problems with namespaces:
I don't understand any of it
I don't know if the upload speed will be bad as well.
I just tried this https://snikt.net/blog/2013/10/10/how-to-force-program-to-use-vpn-tunnel/ and it "works" as in it can connect to trackers and to peers, but it does not seem to connect to peers reported by the tracker once again. And the torrent upload speed is very slow. A test download with wget is fast (several MB/s).
The torrent upload speed on my laptop, connected to the same VPN, is normal. Could it be because I use Proxmox/OpenVZ?
Wouldn't it be better to SSH tunnel and socks5 proxy if it's per app?
Don't have an SSH tunnel and Transmission only connects to the tracker through a proxy I think (p2p connections are direct).