Old 02-18-2013, 04:02 PM   #1
LQ Newbie
Registered: Jan 2012
Posts: 7

Rep: Reputation: Disabled
How to route specific users/processes via OpenVPN

I've got a system containing many things: httpd server, mail server and other server software. Now, I need to set up a VPN connection, but only for one user (or, more specifically, 1-2 programs that that user uses). So, in short: A specific user should be routed through the VPN interface while the rest of the system is using the default gateway.

When I try to open a VPN connection it automatically creates routes for the whole system and therefore affects everything else on the system as well.

Does anyone know how to do this? Can it be done with Iptables?

Best regards
Robert Nilsson

Last edited by nuvista175; 02-19-2013 at 02:44 PM.
Old 02-21-2013, 09:00 AM   #2
LQ Newbie
Registered: May 2007
Location: Berlin, FRG
Distribution: Ubuntu
Posts: 22

Rep: Reputation: 4
It might be possible to set up OpenVPN in a way that does not change the
default gateway to be addressed through the /dev/tunX device and then
to set up that device as gateway interface for a/some specified networks.
But this cannot be done for the net traffic of specific user accounts.
iptables is meant to filter/redirect/etc. packets based on attributes
of those packets and their (TCP/pseudo-)connections,
but user ids are not part of these.

I think your best bet is to use SSH port forwarding instead.
Read up on options "-L" and "-R" in the ssh(1) man page and/or
read this.
An alternative might be prtunnel.

I hope this helps.
Old 02-22-2013, 02:30 AM   #3
LQ Newbie
Registered: Jan 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thanks Jebram

Why I was thinking about iptables was that I read something describing the '-j MARK' target. I was playing around with things like:
-A OUTPUT -m owner --uid-owner [osuser] -j MARK --set-xmark 0x1

and then trying to use ip route and ip rule to have those packages routed through the VPN interface, rather than through the default gateway. I'm not sure if I'm doing this right, but it looks kind of ok, but of course it doesn't work.
My other problem is that immediately after the VPN connection is initiated (service openvpn start), the server's default route is modified - to fit the VPN. This means that all traffic is going through the VPN. The /etc/openvpn/vpn.conf looks like this:

dev tap
proto udp
remote XXXXXX 1194
remote XXXXXX 1195
resolv-retry infinite
auth-user-pass [pathtopwdfile]
ca [pathtocertificate]
ns-cert-type server
reneg-sec 0
verb 3
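
The owner-match, MARK, ip rule and ip route approach described in post #3, written out as an added example that is not part of the original thread or anyone's posted configuration. The user name vpnuser, gateway 10.8.0.1, table 100 and the function name are assumptions made for illustration, and it assumes "route-nopull" has been added to vpn.conf so that OpenVPN stops replacing the system default route.

```shell
#!/bin/sh
# Added example: per-user policy routing through an OpenVPN tap device.
# Assumed values (not from the thread): user "vpnuser", VPN-side gateway
# 10.8.0.1 (constructed), fwmark 0x1, routing table 100.
# Assumes vpn.conf contains "route-nopull" so the main table is left alone.

# Print the commands for one user; review them, then pipe to "sh -e" as root.
vpn_user_route_cmds() {
    user=$1 dev=$2 gw=$3 mark=${4:-0x1} table=${5:-100}
    # Arguments end up in generated commands, so reject shell metacharacters.
    case $user in ''|*[!A-Za-z0-9_-]*) echo "bad user" >&2; return 1;; esac
    case $dev in ''|*[!A-Za-z0-9]*) echo "bad device" >&2; return 1;; esac
    case $gw in ''|*[!0-9.]*) echo "bad gateway" >&2; return 1;; esac
    case $mark$table in *[!0-9a-fA-Fx]*) echo "bad mark/table" >&2; return 1;; esac
    cat <<EOF
# 1. Fail closed: if the VPN route vanishes, marked traffic gets
#    "unreachable" instead of falling back to the normal default gateway.
ip route add unreachable default metric 1000 table $table
# 2. Table $table has the VPN as its (preferred) default route.
ip route add default via $gw dev $dev table $table
# 3. Packets carrying the mark consult table $table first.
ip rule add fwmark $mark table $table
# 4. Mark packets generated by the user. This must be the mangle table:
#    a mark set there makes the kernel repeat the route lookup.
iptables -t mangle -A OUTPUT -m owner --uid-owner $user -j MARK --set-xmark $mark
# 5. The source address was chosen before re-routing; rewrite it to the
#    VPN interface address so replies come back through the tunnel.
iptables -t nat -A POSTROUTING -o $dev -m mark --mark $mark -j MASQUERADE
# 6. Replies arrive on $dev although the main table points elsewhere;
#    strict reverse-path filtering would drop them, loose mode does not.
sysctl -w net.ipv4.conf.$dev.rp_filter=2
EOF
}

# Example: sh thisscript.sh vpnuser tap0 10.8.0.1 | sudo sh -e
[ $# -eq 0 ] || vpn_user_route_cmds "$@"
```

DNS lookups made by the marked user follow the same mark, but a local caching resolver running under another account would still answer them over the default gateway.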


