LinuxQuestions.org

Linux - Networking: using OpenVPN for specific application(s) (https://www.linuxquestions.org/questions/linux-networking-3/using-openvpn-for-specific-application-s-736250/)

amaj1407 06-28-2009 03:19 PM

using OpenVPN for specific application(s)
 
Hello everyone,

I am subscribed to the unblockvpn.com service and I am using their openvpn, but I need to know if I can apply this service to a certain application and not to the whole internet traffic. Can I?

I hope my question is clear.

Thank you.

osor 06-28-2009 03:29 PM

You might be able to accomplish this with policy-based routing and split tunneling.

amaj1407 06-29-2009 08:11 AM

Thank you osor, I googled "policy-based routing" and got some tutorials, but I didn't understand what to do with them and it seems to be dangerous; I am afraid that if I used them I'll corrupt my current internet connectivity. So if you can help me by guiding me through the right commands to apply, I'll be thankful.

If I played with those tutorials can I get back my previous configuration? How?

I appreciate your concern.

osor 06-29-2009 07:31 PM

Quote:

Originally Posted by amaj1407 (Post 3589996)
If I played with those tutorials can I get back my previous configuration?

It depends on the tutorial. You should probably test out non-permanent commands. That way, if all else fails, you can simply reboot and have a pristine routing table.

In terms of specific steps to take, it isn’t as hard as it sounds. Normally, with openvpn, you use the config option redirect-gateway so that the helper scripts will write the default route to be tun0 (i.e., all traffic routed through the tunnel). Instead, you want selective packets going through.

This is roughly what you would do:
  1. Get rid of that option.
  2. Start openvpn. You should not be able to access anything through the tunnel.
  3. Create a separate routing table called “openvpn” with the commands
    Code:

    echo "100        openvpn" >> /etc/iproute2/rt_tables
    For this step, make sure that the number 100 isn’t already taken. Also, this step (unlike the others I describe) is permanent. It should not, however, change what a routing table looks like after reboot (unless you already have some conflicting policy routes).
  4. Add the default route to openvpn. This depends on how your openvpn server is configured. Here’s a guess (replace 123.123.123.123)
    Code:

    ip route add default via 123.123.123.123 dev tun0 table openvpn
  5. Add a fwmark policy to the route
    Code:

    ip rule add fwmark 42 table openvpn
    The number 42 is also just chosen to be unique. Hopefully you don’t already have any fwmark-based rules.
  6. Use iptables to filter some packets and mark them. This is the most subjective part. Basically, you will need some way to match those packets you want tunneled. For example, you might create a user named tunnel_me. Then, use a rule like the following:
    Code:

    iptables -t mangle -A OUTPUT -m owner --uid-owner tunnel_me -j MARK --set-mark 42
    and any program that tunnel_me runs will have tunneling applied.
  7. See if it works. If so, automate it so it works all the time.
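As an added example (not osor's code or the OP's), the script below turns steps 3 to 6 into functions that are safe to re-run and easy to undo, which addresses the OP's question about getting the previous configuration back. It assumes the same values as the post (table 100 "openvpn", fwmark 42, user tunnel_me); the gateway and device are whatever OpenVPN reports in its PUSH_REPLY and "TUN/TAP device ... opened" lines, and RUN=echo prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the thread: osor's steps 3-6 as idempotent
# functions with a matching teardown. Assumed values (from the post): table
# 100 "openvpn", fwmark 42, user tunnel_me. Gateway/device are the ones
# OpenVPN reports in PUSH_REPLY (route-gateway) and "TUN/TAP device ... opened".
# RUN=echo prints the privileged ip/iptables commands instead of running them.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
RUN=${RUN:-}
TABLE_ID=100; TABLE_NAME=openvpn; MARK=42; USER_NAME=tunnel_me

# Step 3 (persistent file): add the entry only once, and refuse to continue
# if the id or the name is already bound to something else.
ensure_rt_table() {
    existing=$(sed 's/#.*//' "$RT_TABLES" |
        awk -v id="$TABLE_ID" -v n="$TABLE_NAME" '$1 == id || $2 == n { print $1, $2 }')
    if [ -z "$existing" ]; then
        printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    elif [ "$existing" != "$TABLE_ID $TABLE_NAME" ]; then
        echo "conflict in $RT_TABLES: '$existing'" >&2
        return 1
    fi
}

# Steps 4-6 (non-persistent): $1 = VPN gateway, $2 = tun/tap device.
# "replace" rather than "add" so a re-run after a reconnect with a new
# gateway does not fail; the main routing table is never touched.
policy_up() {
    $RUN ip route replace default via "$1" dev "$2" table "$TABLE_NAME" &&
    $RUN ip rule add fwmark "$MARK" table "$TABLE_NAME" &&
    $RUN iptables -t mangle -A OUTPUT -m owner --uid-owner "$USER_NAME" \
        -j MARK --set-mark "$MARK"
}

# Rollback for steps 4-6, in reverse order (what a reboot would also give you).
policy_down() {
    $RUN iptables -t mangle -D OUTPUT -m owner --uid-owner "$USER_NAME" \
        -j MARK --set-mark "$MARK"
    $RUN ip rule del fwmark "$MARK" table "$TABLE_NAME"
    $RUN ip route flush table "$TABLE_NAME"
}

# Check osor suggests later in the thread: blackhole the openvpn table; if a
# program run as tunnel_me can still reach the internet, the mark/rule is not
# taking effect. Restore with policy_up afterwards.
policy_blackhole() {
    $RUN ip route replace blackhole default table "$TABLE_NAME"
}
```

Run `ensure_rt_table` once as root, then `policy_up <gateway> <device>` after each connect and `policy_down` before disconnecting; `RUN=echo sh -c '. ./policy.sh; policy_up 10.8.0.1 tun0'` shows what would be executed.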

amaj1407 07-02-2009 11:56 AM

osor, I am truly sorry I could not reply because I faced some issues with my laptop, but here is what I tried after I connected to the service with "redirect-gateway" commented out from the file I got from unblockVPN.com:

The Steps I did:
Code:

echo "100      openvpn" >> /etc/iproute2/rt_tables
ip route add default via 77.78.108.129 dev tap0 openvpn
ip rule add fwmark 42 table openvpn
iptables -t mangle -A OUTPUT -m owner --uid-owner tunnel_me -j MARK --set-mark 42

But it seems to have no effects, so I appended the file I got from their website:

file: unblockvpn.ovpn
Code:

proto tcp-client

remote eu.finevpn.com 443 # non-standard port for OpenVPN, you can also use port 443 if it is better for you
dev tap

nobind
persist-key

tls-client
ca unblockvpn-ca.pem # Root certificate in the same directory as this configuration file.
ns-cert-type server


verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass

#redirect all traffic through openVPN tunnel
redirect-gateway

#if connection is terminated, it will attempt to connect without prompting username and pass
auth-retry nointeract

output of openvpn with the configuration taken from unblockvpn.ovpn
Code:

Thu Jul  2 18:12:38 2009 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jul  2 18:12:38 2009 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Thu Jul  2 18:12:38 2009 Local Options hash (VER=V4): 'b60e7885'
Thu Jul  2 18:12:38 2009 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Thu Jul  2 18:12:38 2009 Attempting to establish TCP connection with 81.0.217.77:443
Thu Jul  2 18:12:42 2009 TCP connection established with 81.0.217.77:443
Thu Jul  2 18:12:42 2009 TCPv4_CLIENT link local: [undef]
Thu Jul  2 18:12:42 2009 TCPv4_CLIENT link remote: 81.0.217.77:443
Thu Jul  2 18:12:42 2009 TLS: Initial packet from 81.0.217.77:443, sid=525d754d e12311ee
Thu Jul  2 18:12:43 2009 VERIFY OK: depth=1, /C=CZ/O=UnblockVPN.com/CN=UnblockVPN.com
Thu Jul  2 18:12:43 2009 VERIFY OK: nsCertType=SERVER
Thu Jul  2 18:12:43 2009 VERIFY OK: depth=0, /C=CZ/O=UnblockVPN.com/CN=eu.unblockvpn.com/emailAddress=info@unblockvpn.com
Thu Jul  2 18:12:44 2009 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul  2 18:12:44 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul  2 18:12:44 2009 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul  2 18:12:44 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul  2 18:12:44 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jul  2 18:12:44 2009 [eu.unblockvpn.com] Peer Connection Initiated with 81.0.217.77:443
Thu Jul  2 18:12:45 2009 SENT CONTROL [eu.unblockvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Jul  2 18:12:45 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 77.78.108.129,ifconfig 77.78.108.254 255.255.255.128'
Thu Jul  2 18:12:45 2009 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul  2 18:12:45 2009 OPTIONS IMPORT: route options modified
Thu Jul  2 18:12:45 2009 TUN/TAP device tap0 opened
Thu Jul  2 18:12:45 2009 /sbin/ifconfig tap0 77.78.108.254 netmask 255.255.255.128 mtu 1500 broadcast 77.78.108.255
Thu Jul  2 18:12:45 2009 /sbin/route add -net 81.0.217.77 netmask 255.255.255.255 gw 192.168.100.1
Thu Jul  2 18:12:45 2009 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Thu Jul  2 18:12:45 2009 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 77.78.108.129
Thu Jul  2 18:12:45 2009 Initialization Sequence Completed

I forgot to mention that the user tunnel_me is already created.
So please guide me to figure out what I missed.

Thank you again.

amaj1407 07-03-2009 05:10 AM

please can any one help me?

osor 07-03-2009 06:06 PM

Quote:

Originally Posted by amaj1407 (Post 3594499)
But it seems to have no effects

You have to be more specific. Do you mean that all the traffic is flowing through the tunnel? Or none of it? You also have to give some information about routing tables before and after running. For example, what does your pristine routing table look like (before running openvpn or executing any of those commands I told you about)? It would be the output of “ip route” (although the route command also works).
Quote:

Originally Posted by amaj1407 (Post 3594499)
file: unblockvpn.ovpn
Code:

ip route add default via 77.78.108.129 dev tap0 openvpn

You seem to have forgotten the “table” specifier.
Quote:

Originally Posted by amaj1407 (Post 3594499)
file: unblockvpn.ovpn
Code:

dev tap

In my experience, tap devices have been hard to firewall. You would be better off setting this to tun.
Quote:

Originally Posted by amaj1407 (Post 3594499)
file: unblockvpn.ovpn
Code:

redirect-gateway

This has not been commented out as you described.
Quote:

Originally Posted by amaj1407 (Post 3594499)
output of openvpn with the configuration taken from unblockvpn.ovpn
Code:

Thu Jul  2 18:12:45 2009 SENT CONTROL [eu.unblockvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Jul  2 18:12:45 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 77.78.108.129,ifconfig 77.78.108.254 255.255.255.128'
Thu Jul  2 18:12:45 2009 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul  2 18:12:45 2009 OPTIONS IMPORT: route options modified
Thu Jul  2 18:12:45 2009 TUN/TAP device tap0 opened
Thu Jul  2 18:12:45 2009 /sbin/ifconfig tap0 77.78.108.254 netmask 255.255.255.128 mtu 1500 broadcast 77.78.108.255
Thu Jul  2 18:12:45 2009 /sbin/route add -net 81.0.217.77 netmask 255.255.255.255 gw 192.168.100.1
Thu Jul  2 18:12:45 2009 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Thu Jul  2 18:12:45 2009 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 77.78.108.129


It seems you have been given the tunnel address 77.78.108.254/25 with the default route 77.78.108.129. This is added to the main routing table, so I expect that all traffic is going through the tunnel. You will either need to stop/modify the openvpn scripts from doing this (if commenting out the default route didn’t work) or write some sort of a wrapper script which saves and restores the default route. This would also be handy if the new gateway address always changes (so you can relocate step 4 to this script). Code for the script might look something like:
Code:

#!/bin/sh

save=$(ip route list match 0/0)
openvpn --config /etc/openvpn/unblockvpn.ovpn
new=$(ip route list match 0/0)
ip route del 0/0
ip route add $save
ip route add $new table openvpn


osor 07-03-2009 06:33 PM

Btw, I did not say so explicitly, but step 3 should not be performed more than once (even after rebooting), since you are writing to a persistent file (namely /etc/iproute2/rt_tables). Technically, you don’t need to do this, but it makes life easier to talk about the “openvpn” table rather than the “100” table. So make sure (in a text editor) that this file has only one line equating 100 and openvpn.

amaj1407 07-03-2009 10:13 PM

By "no effects" I meant that there is no traffic going through the tunnel; it acts as if I didn't run openvpn.

Quote:

You seem to have forgotten the “table” specifier.
I didn't forget but I copied the wrong command, sorry my bad.

Quote:

This has not been commented out as you described.
Yes, I already commented out "redirect-gateway" when I did those steps, but I appended the original file, which has that line uncommented. The first step, which is
Code:

echo "100      openvpn" >> /etc/iproute2/rt_tables
I only applied it once; even after rebooting I didn't apply it again. Also, there is only one line with 100 in /etc/iproute2/rt_tables.

I'll show the routing table before and after running openvpn.

Before running openvpn:
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
192.168.100.0  *              255.255.255.0  U    0      0        0 eth1
loopback        *              255.0.0.0      U    0      0        0 lo
default        192.168.100.1  0.0.0.0        UG    0      0        0 eth1


After running openvpn with commenting out "redirect-gateway":
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
net-77-78-108-1 *              255.255.255.128 U    0      0        0 tap0
192.168.100.0  *              255.255.255.0  U    0      0        0 eth1
loopback        *              255.0.0.0      U    0      0        0 lo
default        192.168.100.1  0.0.0.0        UG    0      0        0 eth1

From this table I see that openvpn created a default route for the tap0 device, but it didn't affect the eth1 device, which is the only one connected to the internet. So how do I make tap0 speak to eth1?


After running openvpn without commenting out "redirect-gateway":
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
eu.finevpn.com  192.168.100.1  255.255.255.255 UGH  0      0        0 eth1
net-77-78-108-1 *              255.255.255.128 U    0      0        0 tap0
192.168.100.0  *              255.255.255.0  U    0      0        0 eth1
loopback        *              255.0.0.0      U    0      0        0 lo
default        eu-129.finevpn. 0.0.0.0        UG    0      0        0 tap0

The $save and $new in the script you supplied are the same without running openvpn or running it with commenting out "redirect-gateway", so they may not help but they differ when running openvpn without commenting out.

In the first 2 cases (without running openvpn, or running it with "redirect-gateway" commented out) the result of
Code:

ip route list match 0/0
is
Code:

default via 192.168.100.1 dev eth1
but in the third case (running openvpn without commenting it out) the result is
Code:

default via 77.78.108.129 dev tap0

Thank you for your kindness and patience.

amaj1407 07-05-2009 09:28 AM

can any one help?

osor 07-05-2009 02:10 PM

Quote:

Originally Posted by amaj1407 (Post 3597354)
can any one help?

Common netiquette dictates that when bumping your own thread, you indicate some details about what you have done in the meanwhile. You have two posts that are 35.25 hours apart, yet you have not detailed any further experimentation possibly performed in this time frame! For example, have you tried using the TUN driver (rather than TAP)? Have you tried saving and restoring the route when using the uncommented config file?

From all I can see, it should be working correctly, unless I am missing something simple. You can always try further experimentation, such as blackholing the openvpn table to make sure that tunnel_me’s traffic actually flows through it, or adding some logging rules to iptables. If you can’t get it to work, you can always try virtualization, though in this case, it seems like overkill.
