How to route specific users/processes via OpenVPN
I've got a system containing many things: an httpd server, a mail server and other server software. Now, I need to set up a VPN connection, but only for one user (or, more specifically, 1-2 programs that that user uses). So, in short: a specific user should be routed through the VPN interface while the rest of the system is using the default gateway.
When I try to open a VPN connection it automatically creates routes for the whole system and therefore affects everything else on the system as well. Does anyone know how to do this? Can it be done with iptables?
Best regards,
Robert Nilsson
It might be possible to set up OpenVPN in a way that does not change the default gateway to be addressed through the /dev/tunX device and then to set up that device as gateway interface for a/some specified networks. But this cannot be done for the net traffic of specific user accounts. iptables is meant to filter/redirect/etc. packets based on attributes of those packets and their (TCP/pseudo-)connections, but user ids are not part of these. I think your best bet is to use SSH port forwarding instead. Read up on options "-L" and "-R" in the ssh(1) man page and/or read this. An alternative might be prtunnel. I hope this helps.
Thanks, Jebram.
The reason I was thinking about iptables was that I read something describing the '-j MARK' target. I was playing around with things like:
    *mangle -A OUTPUT -m owner --uid-owner [osuser] -j MARK --set-xmark 0x1
and then trying to use ip route and ip rule to have those packets routed through the VPN interface, rather than through the default gateway. I'm not sure if I'm doing this right, but it looks kind of OK, but of course it doesn't work ;) My other problem is that immediately after the VPN connection is initiated (service openvpn start), the server's default route is modified to fit the VPN. This means that all traffic is going through the VPN. The /etc/openvpn/vpn.conf looks like this:
    client
    dev tap
    proto udp
    remote XXXXXX 1194
    remote XXXXXX 1195
    ...
    remote-random
    resolve-retry infinite
    auth-user-pass [pathtopwdfile]
    nobind
    persist-key
    persist-tun
    ca [pathtocertificate]
    ns-cert-type server
    comp-lzo
    reneg-sec 0
    verb 3
Regards,
Robert
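A worked version of the mark-and-policy-route approach from the post above, as an added example that is not the poster's or OpenVPN's own code. It assumes the user vpnuser, the interface tap0, the VPN-side gateway 10.8.0.1, fwmark 0x1 and routing table 100, and adds the two pieces this setup usually trips over: source NAT onto the tunnel and loose reverse-path filtering.

```shell
#!/bin/sh
# Added example (not from the thread): policy-route one Unix user's outbound
# traffic through an OpenVPN tap interface while everything else keeps the
# system default gateway. Assumed values: user "vpnuser", interface tap0,
# VPN-side gateway 10.8.0.1, fwmark 0x1, routing table 100.
# Run with DRY_RUN=1 to print the commands instead of executing them (root otherwise).
# Add "route-nopull" to the OpenVPN client config so it stops replacing the
# default route; the rules below are then the only ones that use the tunnel.

VPN_USER="${VPN_USER:-vpnuser}"
VPN_IF="${VPN_IF:-tap0}"
VPN_GW="${VPN_GW:-10.8.0.1}"
MARK="0x1"
TABLE="100"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

route_user_via_vpn() {
    # 1. Mark locally generated packets owned by the user (the mangle/OUTPUT idea from the post).
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-xmark "$MARK"
    # 2. The source address was picked before the mark rerouted the packet, so
    #    rewrite it to the tunnel address or the VPN side answers to the wrong address.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # 3. Marked packets consult a private table whose only default route is the VPN.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    # 4. Replies arrive on the tunnel from addresses the main table routes elsewhere;
    #    loose reverse-path filtering stops the kernel from discarding them.
    run sysctl -w "net.ipv4.conf.${VPN_IF}.rp_filter=2"
}

# Undo in reverse order so the rest of the system is never left half-configured.
unroute_user_via_vpn() {
    run ip route del default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-xmark "$MARK"
}

if [ "${1:-}" = "apply" ]; then route_user_via_vpn; elif [ "${1:-}" = "remove" ]; then unroute_user_via_vpn; fi
```

Check the result with `ip rule show` and `ip route show table 100`; traffic from the user should leave via tap0 while `ip route get 8.8.8.8` for anyone else still reports the normal gateway.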