LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Reload this Page How to route specific users/processes via OpenVPN
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 02-18-2013, 04:02 PM   #1
nuvista175
LQ Newbie
 
Registered: Jan 2012
Posts: 7

Rep: Reputation: Disabled
How to route specific users/processes via OpenVPN

I've got a system containing many things; httpd server, mail server and other server software. Now, I need to set up a VPN connection, but only for one user (or more specific, 1-2 programs that that user uses). So, in short: A specific user should be routed through the VPN interface while the rest of the system is using the default gateway.

When I try to open a VPN connection it automatically create routes for the whole system and therefore affect everything else on the system as well.

Does anyone know how to do this? Can it be done with Iptables?

Best regards
Robert Nilsson
Last edited by nuvista175; 02-19-2013 at 02:44 PM.
 
Old 02-21-2013, 09:00 AM   #2
Jebram
LQ Newbie
 
Registered: May 2007
Location: Berlin, FRG
Distribution: Ubuntu
Posts: 22

Rep: Reputation: 4
It might be possible to setup OpenVPN in a way that does not change the
default gateway to be addressed through the /dev/tunX device and then
to setup that device as gateway interface for a/some specified networks.
But this can not be done for the net traffic of specific user accounts.
iptables is meant to filter/redirect/etc. packets based on attributes
of those packets and their (TCP/pseudo-)connections,
but user ids are not part of these.

I think Your best bet is to use SSH port forwarding instead.
Read up on options "-L" and "-R" in the ssh(1) man page and(or
read this.
An alternative might be prtunnel.

I hope this helps.
 
Old 02-22-2013, 02:30 AM   #3
nuvista175
LQ Newbie
 
Registered: Jan 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thanks Jebram

Why I was thinking about iptables was that read something describing the '-j MARK' target. I was playing around with things like:
*mangle
-A OUTPUT -m owner --uid-owner [osuser] -j MARK --set-xmark 0x1


and then trying to use ip route and ip rule to have those packages routed through the VPN interface, rather than through the default gateway. I'm not sure if I'm doing this right, but it looks kind of ok, but off course it doesn't work
My other problem is that immediately after the VPN connection is initiated (service openvpn start), the servers default route is modified - to fit the VPN. This means that all traffic is going though the VPN. The /etc/openvpn/vpn.conf looks like this:

client
dev tap
proto udp
remote XXXXXX 1194
remote XXXXXX 1195
...
remote-random
resolve-retry infinite
auth-user-pass [pathtopwdfile]
nobind
persist-key
persist-tun
ca [pathtocertificate]
ns-cert-type server
comp-lzo
reneg-sec 0
verb 3


Regards
Robert
 
  


Reply

Tags
openvpn, routes



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Openvpn route LeHibou2 Linux - Networking 2 02-14-2013 12:54 PM
openvpn push route priority over existing route lievendp Linux - Networking 0 06-22-2012 07:52 AM
[SOLVED] Advanced route [ route 2 specific destinatoion ] fritz001 Linux - Networking 3 01-23-2012 03:23 AM
[SOLVED] Sendmail - Accept mails to unknown users and route specific user kingkashif Linux - Server 2 07-31-2009 05:23 PM
Could not route in OpenVPN Server depam Linux - Software 0 03-23-2009 01:00 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:12 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration