LinuxQuestions.org
#1 NotAComputerGuy (Linux Mint - Debian Edition), 07-21-2013 02:13 PM
Dynamically Selecting What Goes Through OpenVPN?


Is there a relatively easy way of selecting what goes through a VPN and what doesn't? Sometimes I would like my browser traffic to go through a VPN to avoid censorship, but other times I need the security of a 'direct' connection. Also, some applications like Deluge should never go through my VPN and others should only go through a VPN?

Thanks
 
#2 eantoranz (Kubuntu, Debian, Knoppix), 07-22-2013 09:54 AM
I think you should play a little bit with routing (iproute2 stuff + iptables)
 
#3 NotAComputerGuy (original poster), 08-01-2013 01:24 PM
Is there a way to specify specific programs with routing? I don't really have IP addresses to route the traffic to, which is what route seems to consist of.
 
#4 Ser Olmy (Slackware), 08-01-2013 01:37 PM
That's where iptables comes into the picture.

You can route based on other criteria than destination address, although indirectly in some cases. Look into these topics:
  • marking packets with iptables using the "mangle" table
  • creating alternate routing tables with the ip route command
  • creating ip rules with the ip rule command
If you provide a specific scenario, I may be able to come up with an example.
 
#5 eantoranz, 08-01-2013 01:50 PM
You can use ports to tell how to route traffic... plus a lot of other criteria. man iptables.
 
#6 NotAComputerGuy (original poster), 08-01-2013 02:04 PM
Quote:
Originally Posted by Ser Olmy View Post
That's where iptables comes into the picture.

You can route based on other criteria than destination address, although indirectly in some cases. Look into these topics:
  • marking packets with iptables using the "mangle" table
  • creating alternate routing tables with the ip route command
  • creating ip rules with the ip rule command
If you provide a specific scenario, I may be able to come up with an example.
Unfortunately the man page for iptables contains lots of jargon for me. Talking about chains, packets, tables, etc.

Scenario: My VPN often uses tun0 or 10.0.0.1 onwards, my normal LAN uses eth0 on 192.168.0.1 (my router). "get_iplayer" won't download over my work's VPN as they're not UK based for their IT centre, so I'd like that to be routed through my normal gateway. Thank you very much. Please do let me know what other information you need.
 
#7 Ser Olmy, 08-01-2013 02:30 PM
So your system uses the tun0 interface for all traffic while the VPN connection is active, but you'd like iPlayer to use 192.168.0.1 instead, right?

Since iPlayer is just an application/plugin accessing the BBC media servers, you should in fact be able to do this with simple routing. A quick Google search seems to indicate that the BBC uses the subnets 212.58.0.0/16 and 212.62.0.0/16, so you could try this:
Code:
route add -net 212.58.0.0/16 gw 192.168.0.1
route add -net 212.62.0.0/16 gw 192.168.0.1
 
#8 eantoranz, 08-01-2013 03:00 PM
or like this:

Code:
ip route add 212.58.0.0/16 via 192.168.0.1
ip route add 212.62.0.0/16 via 192.168.0.1
Fair enough?
 
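The two /16 routes in posts #7 and #8 keep working while the VPN is up because the kernel always takes the most specific matching route, and an OpenVPN client started with redirect-gateway def1 takes over the default route with a pair of /1 routes (0.0.0.0/1 and 128.0.0.0/1) rather than replacing the /0, so any more specific prefix still wins. The following is an added example, not code from the thread, that replays that longest-prefix-match decision in POSIX awk over a constructed routing table in `ip route show` format. The tun0 gateway 10.0.0.1, the router 192.168.0.1 and the two BBC ranges are the thread's values; the tunnel address 10.0.0.6, the LAN address 192.168.0.10 and the VPN server address 203.0.113.5 are made up for the example.

```shell
#!/bin/sh
# Added example: which interface and gateway a destination gets, decided by
# longest-prefix match over a routing table in `ip route show` format.
# The table is constructed for the example: a host on 192.168.0.0/24 with an
# OpenVPN tunnel (tun0) whose client installed the two /1 routes
# (redirect-gateway def1), the usual host route to the VPN server via the LAN
# router, and the two BBC /16 routes from the thread.
ROUTES='0.0.0.0/1 via 10.0.0.1 dev tun0
default via 192.168.0.1 dev eth0
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.6
128.0.0.0/1 via 10.0.0.1 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
203.0.113.5 via 192.168.0.1 dev eth0
212.58.0.0/16 via 192.168.0.1 dev eth0
212.62.0.0/16 via 192.168.0.1 dev eth0'

# route_lookup DEST -> "DEV GATEWAY" ("direct" when on-link, "unreachable"
# when nothing matches). Plain POSIX awk: the two addresses are compared after
# integer division by 2^(32-len) instead of a bitwise AND with the netmask.
route_lookup() {
    printf '%s\n' "$ROUTES" | awk -v dst="$1" '
    function ip2n(s,  o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { best = -1; d = ip2n(dst) }
    {
        c = $1
        if (c == "default") c = "0.0.0.0/0"
        if (index(c, "/") == 0) c = c "/32"        # host route
        split(c, a, "/"); net = ip2n(a[1]); len = a[2] + 0
        s = 2 ^ (32 - len)
        if (int(d / s) == int(net / s) && len > best) {
            best = len; dev = "?"; via = "direct"
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "via") via = $(i + 1)
            }
        }
    }
    END { if (best < 0) print "unreachable"; else print dev, via }'
}

# A few lookups: the BBC ranges leave via the LAN router, everything else
# that is not on-link goes into the tunnel.
for ip in 212.58.244.70 212.62.1.1 8.8.8.8 203.0.113.5 192.168.0.20; do
    printf '%-16s -> %s\n' "$ip" "$(route_lookup "$ip")"
done
```

On a live system `ip route get ADDRESS` makes the same decision against the real table, and is the quickest way to confirm that a static route you added actually beats the VPN's /1 routes before you rely on it.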
#9 NotAComputerGuy (original poster), 08-01-2013 11:48 PM
Whilst that is fantastically simple and helpful, I think that was a bad example as it's limited to a single range of IPs. Let's say Transmission, my bit torrent client?

As a side question, do most companies and websites have a whole range of IP addresses?

Edit: I've just read that these changes aren't permanent, and to save them following a reboot, I need to add stuff to /etc/network/interfaces. I added this as adapted from here; does it look ok and correct? It doesn't look like it will break my network and leave me without internet?

Code:
# Force iPlayer traffic through the local-network
up route add -net 212.58.0.0/16 gw 192.168.0.1
up route add -net 212.62.0.0/16 gw 192.168.0.1

Last edited by NotAComputerGuy; 08-02-2013 at 12:09 AM. Reason: Further information request and detail on saving changes
 
#10 eantoranz, 08-02-2013 08:46 AM
Bittorrent will probably use a predefined protocol (udp/tcp) and port; you can use that combination to mark it in MANGLE of PREROUTING with iptables and then set a routing rule to route traffic with said mark to go through GW x.

from iptable's man page:

Code:
   MARK
       This target is used to set the Netfilter mark value associated with the packet.  It can, for example, be used  in  conjunction  with  routing  based  on  fwmark  (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing.  The mark field is 32 bits wide.
 
#11 NotAComputerGuy (original poster), 08-02-2013 10:51 AM
Quote:
Originally Posted by eantoranz View Post
from iptable's man page:

Code:
   MARK
       This target is used to set the Netfilter mark value associated with the packet.  It can, for example, be used  in  conjunction  with  routing  based  on  fwmark  (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing.  The mark field is 32 bits wide.
Individually I understand all but a few of those words. Combine them and I have no idea what it's talking about. I understand from research that data goes in 'packets', and if these packets are numbered then they are TCP, otherwise they arrive when they arrive in no particular order and then it'd be UDP. I don't know how to tell if a program is TCP or UDP. Depending on what you Google, you get different answers about what is used for Torrents, TCP or UDP.
 
#12 eantoranz, 08-02-2013 11:24 AM
You could set one (or many.... if there is more than one port) rule for UDP and another for TCP so you can cover both types of traffic.
 
#13 Ser Olmy, 08-02-2013 11:48 AM
Quote:
Originally Posted by NotAComputerGuy View Post
Individually I understand all but a few of those words. Combine them and I have no idea what it's talking about. I understand from research that data goes in 'packets', and if these packets are numbered then they are TCP, otherwise they arrive when they arrive in no particular order then it'd UDP. I don't know how to tell if a program is TCP or UDP. Depending what you Google depends on what is used for Torrents, TCP or UDP.
Not quite. IP packets contain a header with a source address, a destination address, a protocol type and a few other options. There are a number of IP (sub)protocols (take a look in /etc/protocols for an incomplete list), and the two most popular are TCP and UDP. Another protocol you're probably familiar with is ICMP, used to send Echo Request packets (ping) and those dreaded "destination host unreachable" messages, among other things.

If the IP header identifies the packet as a TCP packet, the IP header will be followed by a TCP header. TCP packets have a source and a destination port, a number between 1 and 65535. TCP-based server applications listen on a specific port, and client requests will also originate from a port, usually more or less randomly selected. UDP works much the same way, but without all the error-detection and retransmission mechanisms found in TCP.

iptables can manipulate packets based on header information. While routing usually deals exclusively with destination addresses, it is possible to set up multiple routing tables and use iptables and ip rule to select the right table based on information in the packet, like source or destination port numbers.

Here's an example that sets up a packet marking rule in the "mangle" table for all packets coming from TCP port 10000, creates an alternate routing table that sends all traffic to 192.168.0.1, and then creates an IP rule directing all marked packets to the alternate table:
Code:
# Mark all packets coming from TCP port 10000. These "marks" exist
# only as labels inside the Linux kernel, and a "mark" by itself
# does nothing. The OUTPUT chain deals with locally generated
# packets.
iptables -t mangle -A OUTPUT -p tcp --sport 10000 -j MARK --set-mark 55

# Create a routing table called "7" directing all packets to
# 192.168.0.1. The table will not be used until an IP rule is
# created.
ip route add table 7 0.0.0.0/0 via 192.168.0.1

# Create an IP rule directing all marked packets to table 7.
ip rule add fwmark 55 table 7
A Bittorrent application is both a server and a client, as Bittorrent is a peer-to-peer protocol. Another thing that complicates the picture is that there is no dedicated "Bittorrent" TCP or UDP port number; it can use ports in the entire port range. It may listen for incoming connections on a specific port, but there's no guarantee that the application will use this port as the source port for all outgoing requests. If it does, then the above example should work if you change the port number to whichever port Transmission is using. If it doesn't, another selection criterion must be used.

It's not possible to filter/select packets based on the name of the process that generated them, and a process name is not unique anyway. It used to be possible to select packets based on the process ID
Code:
iptables -t mangle -A OUTPUT -m owner --pid-owner XXX -j MARK --set-mark 55
This match type is deprecated as it didn't work properly and couldn't be fixed. Besides, the PID of a process will be different each time the application is started, so it wouldn't really be terribly useful anyway.

A possible solution would be to start the application as a different (perhaps dedicated) user and use the "--uid-owner" match:
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 2000 -j MARK --set-mark 55
This way, packets from any application started by that particular user will be routed to the alternate gateway.

Last edited by Ser Olmy; 08-02-2013 at 11:50 AM.
 
#14 NotAComputerGuy (original poster), 08-03-2013 02:56 AM
Wow that is complicated. What would you suggest the best (hardest to mess up) avenue to go down be?

Edit: See below for some form of very newbie-like logic.

Last edited by NotAComputerGuy; 08-03-2013 at 09:38 AM.
 
#15 NotAComputerGuy (original poster), 08-03-2013 07:02 AM
Ok, so deluged is now running as the user 'deluge' with a UID of 108.

If I want to mark all packets, TCP or UDP packets owned by deluge, I think I do:
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 108 -j MARK --set-mark 55
This marks it to go through the 'mangle' table. So to create a mangle table I need to do this:
Code:
ip rule add fwmark 55 table 7
And then I need to do something with all the traffic sent through that table. Which in my case, I want to go through my local router, and therefore I do this:
Code:
ip route add table 7 0.0.0.0/0 via 192.168.0.1
Does that look right? Is my logic correct?

Last edited by NotAComputerGuy; 08-03-2013 at 09:35 AM.
 
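Post #13 gives the three pieces (mark in mangle OUTPUT, alternate table, fwmark rule) and post #15 reassembles them with the deluge uid. What they leave out, and what bites on a host whose default route already points at tun0, is the source address: the kernel chooses a socket's source address from the main table (so it picks the tun0 address) before the mangle OUTPUT mark exists, and the mark only re-routes the packet. Without an SNAT the marked packets leave eth0 with a 10.x source, the router's replies never return to eth0, and with strict reverse-path filtering even correctly addressed replies can be dropped. The following is an added example, not code from the thread, that wraps the whole set-up in shell functions with a dry-run mode so the commands can be reviewed before they are applied as root. It assumes the LAN interface is eth0 and that this host's LAN address is 192.168.0.10 (invented for the example); uid 108, mark 55, table 7 and the router 192.168.0.1 are the thread's values.

```shell
#!/bin/sh
# Added example, not from the thread: route everything generated by one Unix
# user (the 'deluge' user, uid 108) via the LAN router instead of the VPN,
# and undo it again. DRY_RUN=1 (the default) only prints the commands;
# DRY_RUN=0 executes them and needs root.

# Print (dry run) or execute one command.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vpn_bypass_up UID MARK TABLE GATEWAY DEV LAN_ADDR
vpn_bypass_up() {
    uid=$1; mark=$2; table=$3; gw=$4; dev=$5; lanaddr=$6
    # 1. Label locally generated packets owned by $uid. OUTPUT, not
    #    PREROUTING: these packets originate on this host.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" -j MARK --set-mark "$mark"
    # 2. The source address was already chosen from the main table (the tun0
    #    address). Rewrite it to the LAN address as the packet leaves eth0,
    #    or the router sees a 10.x source and replies never come back here.
    run iptables -t nat -A POSTROUTING -o "$dev" -m mark --mark "$mark" -j SNAT --to-source "$lanaddr"
    # 3. Alternate table whose only route is a default via the LAN router.
    run ip route add default via "$gw" dev "$dev" table "$table"
    # 4. Packets carrying the mark consult that table before the main one.
    run ip rule add fwmark "$mark" table "$table"
    # 5. Only needed if rp_filter=1 (strict) is set on $dev: replies arriving
    #    on eth0 from peers the main table routes via tun0 would be dropped;
    #    loose mode (2) accepts a source reachable through any interface.
    run sysctl -w "net.ipv4.conf.$dev.rp_filter=2"
}

# vpn_bypass_down with the same arguments removes exactly what _up added.
vpn_bypass_down() {
    uid=$1; mark=$2; table=$3; gw=$4; dev=$5; lanaddr=$6
    run ip rule del fwmark "$mark" table "$table"
    run ip route flush table "$table"
    run iptables -t nat -D POSTROUTING -o "$dev" -m mark --mark "$mark" -j SNAT --to-source "$lanaddr"
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$uid" -j MARK --set-mark "$mark"
}

# vpn_bypass_check MARK DEST: `ip route get` honours a mark, so this shows
# which gateway a marked packet would take without starting the client.
vpn_bypass_check() {
    run ip route get "$2" mark "$1"
}

# Dry run with the thread's values: uid 108, mark 55, table 7.
vpn_bypass_up 108 55 7 192.168.0.1 eth0 192.168.0.10
vpn_bypass_check 55 8.8.8.8
```

Apply with `DRY_RUN=0 sh bypass.sh` as root and confirm with `ip route get 8.8.8.8 mark 55`, which should name 192.168.0.1 and eth0 while an unmarked `ip route get 8.8.8.8` still names tun0. Nothing here refers to tun0, so the rule, table and iptables entries can be installed before the VPN comes up and survive its reconnects; the `up` lines in /etc/network/interfaces from post #9 are the right place for them on Debian-based systems. The flip side of matching on the owner is that everything that user does leaves via the LAN, including the resolver lookups its processes make, which is what you want for the torrent client and exactly what you do not want for anything you start as that user by accident.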