**lowsfer** (n00b) | Joined: 06 Nov 2009 | Posts: 42

Posted: Wed Aug 10, 2011 9:09 am Post subject: How to use vpn only for a specific host?
I got a vpn tunnel from my wlan0 interface to a vpn server. The interface is tun0. After setting up tun0, all network data goes via tun0 by default.
Now I want to use tun0 only for visiting a numerical workstation "phonon", while all other network data goes via wlan0 directly. How should I do that? iptables, or routing? I'm no expert in iptables or route tables.
Thanks.
**Yuu** (Apprentice) | Joined: 23 Dec 2008 | Posts: 223 | Location: France

Posted: Wed Aug 10, 2011 9:35 am
Hi lowsfer,
as far as I know, OpenVPN's behavior depends on its configuration file (/etc/openvpn/<vpn-name>.conf).
If you have something like "redirect-gateway def1 bypass-dhcp" in your configuration file, it's totally normal that the tun0 interface becomes the default routing interface:

> man openvpn or http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html wrote:
>
> --redirect-gateway flags...
> (Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN.
> This option performs three steps:
> (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
> (2) Delete the default gateway route.
> (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
> When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.
> Option flags:
> local -- Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above to be omitted.
> def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
> bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
> bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
> Using the def1 flag is highly recommended.

So, you should just have to do something like:
- remove the default route to the vpn: `route del default tun0`
- add the default route to your standard interface: `route add default wlan0`
- create a new route to the VPN with table 200: `ip route add default via <gateway of your VPN here> table 200`
- phonon workstation connections should follow the VPN route: `ip rule add from <your phonon workstation here> table 200`
- enable masquerading on the VPN interface: `iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE`

Maybe those lines need more modifications: I've written them without testing. Also, you could use the openvpn up/down scripts to automatically do the job. Oh, and I strongly advise you to read the openvpn manual :]
Good luck~

_________________
Main laptop : T8300 cpu | 200 GB hard drive | 2 GB of ram | 8600M GT | Gentoo x86_64
Server : Celeron 220 cpu | 250 GB hard drive | 2 GB of ram | SiS 662 VGA | Gentoo x86_64
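A scripted version of the single-host approach, added here as an example and not code from Yuu's post or from OpenVPN: instead of a separate routing table it installs a /32 host route for phonon on tun0, removes the tunnel's default route (including the def1 half-routes quoted above), and puts the default back on wlan0. The addresses are constructed placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread: keep only the "phonon" workstation on
# tun0 and put the default route back on wlan0. All addresses are constructed
# placeholders; override them from the environment. Assumes the VPN client has
# already created tun0 and made it the default route.
set -euf                            # -f: no globbing while we split addresses
PHONON="${PHONON:-198.51.100.25}"   # address of the numerical workstation (placeholder)
WLAN_GW="${WLAN_GW:-192.0.2.1}"     # gateway of the wireless LAN (placeholder)
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-wlan0}"
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands only, 0 = apply them as root

# Succeed only if $1 is a dotted quad with every octet in 0-255.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Emit (or apply) the route changes. Handles both a plain default route on the
# tunnel and the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN's def1 flag installs.
plan_routes() {
    is_ipv4 "$PHONON" && is_ipv4 "$WLAN_GW" || { echo "bad address" >&2; return 1; }
    # 1. Host route: only packets to phonon enter the tunnel.
    run ip route replace "$PHONON/32" dev "$VPN_IF"
    # 2. Remove the tunnel's claim on everything else (ignore routes that are absent).
    run ip route del default dev "$VPN_IF" || true
    run ip route del 0.0.0.0/1 dev "$VPN_IF" || true
    run ip route del 128.0.0.0/1 dev "$VPN_IF" || true
    # 3. Default route back on the wireless interface.
    run ip route replace default via "$WLAN_GW" dev "$LAN_IF"
}

# Ask the kernel which interface it will really use before trusting the change.
check_routes() {
    run ip route get "$PHONON"          # should show dev tun0
    run ip route get 203.0.113.1        # any other address (placeholder) should show dev wlan0
}
plan_routes
check_routes
```

Run it as root with DRY_RUN=0 after the VPN is up; an up/down hook of the VPN client is the natural place to call it, and a second `ip route get` after the tunnel is torn down confirms that nothing still points at tun0.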
**lowsfer** (n00b) | Joined: 06 Nov 2009 | Posts: 42

Posted: Wed Aug 10, 2011 11:12 am
Hi Yuu,
I have been using vpnc. I will check openvpn.
Thank you very much!