Routing specific users through specific interfaces.

metaf5 · 12-22-2013, 11:53 PM

Hi,
I've got 2 interfaces, enp1s0 and tun0, and I've got 2 users, user1 and user2. enp1s0 is connected to my LAN, and tun0 is for openvpn.
What I'd like to do is force all network traffic from user1 to go through enp1s0, and all network traffic from user2 to go through tun0. I don't want to have to hardcode any IPs so I can use a similar configuration on my laptop, and because I don't always have the same VPN gateway/IP.
I don't know a lot about networking, or iptables/ip-rules, so what I've tried so far is probably very misguided/embarrassing, but I'll paste it below:

Code:

iptables -A POSTROUTING -t mangle -m owner --uid-owner user1 -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -m owner --uid-owner user2 -j MARK --set-mark 2
echo 201 1.out >> /etc/iproute2/rt_tables
echo 202 2.out >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table 1.out
ip rule add fwmark 2 table 2.out
ip route add default dev enp1s0 table 1.out
ip route add default dev tun0 table 2.out

I kind of get the gist of what's allegedly supposed to happen here, but I have very little deeper understanding of why this doesn't seem to work. I have suspicions that it's because of the other things that need to be in routing tables, like what openvpn automatically adds:

Code:

Sun Dec 22 23:19:35 2013 /usr/bin/ip link set dev tun0 up mtu 1500
Sun Dec 22 23:19:35 2013 /usr/bin/ip addr add dev tun0 local 10.16.0.42 peer 10.16.0.41
Sun Dec 22 23:19:37 2013 /usr/bin/ip route add xx.xx.xx.xx/32 via 192.168.2.1
Sun Dec 22 23:19:37 2013 /usr/bin/ip route add 0.0.0.0/1 via 10.16.0.41
Sun Dec 22 23:19:37 2013 /usr/bin/ip route add 128.0.0.0/1 via 10.16.0.41
Sun Dec 22 23:19:37 2013 /usr/bin/ip route add 10.16.0.1/32 via 10.16.0.41

In that code, my LAN is 192.168.2.0/24 and the VPN gives me 10.16.0.42, with gateway 10.16.0.41, if I understand what the VPN's doing correctly.
I'd really appreciate any guidance you guys have to offer, even if you just point me at some documentation that might be a little easier to understand for a novice than what I've found so far.

hussam.dh · 12-23-2013, 08:21 AM

Are user1 and user2 are openvpn users?
I mean do they login using vpn?
If yes then all their traffic will go through the tun0 and it is not possible for user1 to avoid sending his traffic through tun0.
Go to openvpn official website there is a good how-to there.

metaf5 · 12-23-2013, 09:16 AM

No, I'm talking about 2 local users on a desktop.
With no firewall settings, they can both get to the internet without the VPN (Only when it's not turned on), and with the VPN.