LinuxQuestions.org


nuvista175 02-18-2013 04:02 PM

How to route specific users/processes via OpenVPN
 
I've got a system containing many things; httpd server, mail server and other server software. Now, I need to set up a VPN connection, but only for one user (or more specific, 1-2 programs that that user uses). So, in short: A specific user should be routed through the VPN interface while the rest of the system is using the default gateway.

When I try to open a VPN connection it automatically creates routes for the whole system and therefore affects everything else on the system as well.

Does anyone know how to do this? Can it be done with Iptables?

Best regards
Robert Nilsson

Jebram 02-21-2013 09:00 AM

It might be possible to set up OpenVPN in a way that does not change the
default gateway to be addressed through the /dev/tunX device and then
to set up that device as gateway interface for a/some specified networks.
But this cannot be done for the net traffic of specific user accounts.
iptables is meant to filter/redirect/etc. packets based on attributes
of those packets and their (TCP/pseudo-)connections,
but user ids are not part of these.

I think your best bet is to use SSH port forwarding instead.
Read up on options "-L" and "-R" in the ssh(1) man page and/or
read this.
An alternative might be prtunnel.

I hope this helps.

nuvista175 02-22-2013 02:30 AM

Thanks Jebram

Why I was thinking about iptables was that I read something describing the '-j MARK' target. I was playing around with things like:
*mangle
-A OUTPUT -m owner --uid-owner [osuser] -j MARK --set-xmark 0x1


and then trying to use ip route and ip rule to have those packets routed through the VPN interface, rather than through the default gateway. I'm not sure if I'm doing this right, but it looks kind of ok, but of course it doesn't work ;)
My other problem is that immediately after the VPN connection is initiated (service openvpn start), the server's default route is modified - to fit the VPN. This means that all traffic is going through the VPN. The /etc/openvpn/vpn.conf looks like this:

client
dev tap
proto udp
remote XXXXXX 1194
remote XXXXXX 1195
...
remote-random
resolve-retry infinite
auth-user-pass [pathtopwdfile]
nobind
persist-key
persist-tun
ca [pathtocertificate]
ns-cert-type server
comp-lzo
reneg-sec 0
verb 3


Regards
Robert
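The mark-then-policy-route approach from the post above, written out as a complete script. This is an added example, not code from the thread; the uid 1001, interface tap0, gateway 10.8.0.1, local address 10.8.0.6, mark 0x1 and table 100 are assumed values. It also adds the two pieces the post is missing: an SNAT rule (the kernel picks the source address from the main table before the mark is applied, so replies would otherwise never come back through the tunnel) and loose reverse-path filtering on the VPN interface.

```shell
#!/bin/sh
# Route one Unix user's traffic through OpenVPN while the rest of the host
# keeps its normal default gateway (hypothetical names and addresses).
#
# Prerequisite in /etc/openvpn/vpn.conf: add the line
#     route-nopull
# so routes pushed by the server (including redirect-gateway) are not
# installed and the host's default route is left alone.
#
# DRY_RUN=1 prints the commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# setup_user_vpn_routing <uid> <vpn-iface> <vpn-gateway> <vpn-local-ip>
setup_user_vpn_routing() {
    uid=$1; dev=$2; gw=$3; src=$4
    mark=0x1; table=100
    # 1. Mark every locally generated packet owned by the user.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" \
        -j MARK --set-xmark "$mark"
    # 2. Rewrite the source address of marked packets leaving the tunnel;
    #    without this they carry the LAN address and replies go to the
    #    normal gateway instead of back through the VPN.
    run iptables -t nat -A POSTROUTING -o "$dev" -m mark --mark "$mark" \
        -j SNAT --to-source "$src"
    # 3. Marked packets consult a dedicated table whose only default
    #    route points at the VPN peer.
    run ip rule add fwmark "$mark" table "$table"
    run ip route add default via "$gw" dev "$dev" table "$table"
    run ip route flush cache
    # 4. Strict reverse-path filtering (rp_filter=1) drops the asymmetric
    #    replies; loose mode (2) accepts them.
    run sysctl -w "net.ipv4.conf.$dev.rp_filter=2"
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# Apply only when invoked as:  ./script.sh apply <uid> <iface> <gw> <local-ip>
if [ "${1:-}" = "apply" ]; then
    shift
    setup_user_vpn_routing "$@"
fi
```

Run it with DRY_RUN=1 first to review the exact iptables and ip commands before applying them as root.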

