LinuxQuestions.org

Linux - Networking: Routing packets through VPN and normal connection
https://www.linuxquestions.org/questions/linux-networking-3/routing-packets-through-vpn-and-normal-connection-879902/

Icovada 05-10-2011 03:43 PM

Routing packets through VPN and normal connection
 
I have a router/modem linux box, connection to DSL through PPP.
I also use an OpenVPN service, to which this box connects.

My problem is that the speed cap of the VPN is just half that of the DSL connection. I don't need it for internet browsing. Is there a way I can route all the http traffic coming from the client computers (or all of the traffic will do too) through the normal connection?

In other words, now I have

Client(s) ----> Router/modem ---> VPN --->Internet.

I want something like

                                 ---http_traffic--->Internet
Client(s) ----> Router/modem ---+
                                 ---> VPN --->Internet.

Can this work? What route and iptables commands should I use?
As of now I can only route all traffic either on VPN or normal PPP

ambrop7 05-10-2011 03:57 PM

In the following thread I explain how to forward all TCP into a VPN, and everything else directly. It should be easy to adapt to your requirements. The guide starts with a configuration where everything goes directly.

http://www.linuxquestions.org/questi...9/#post4351187

Icovada 05-10-2011 06:25 PM

Thank you but your guide explains how to route a client computer's traffic on a VPN.

What I want is the local traffic to be VPN'ed, and the clients' not to!

ambrop7 05-10-2011 07:04 PM

Quote:

Originally Posted by Icovada (Post 4352492)
Thank you but your guide explains how to route a client computer's traffic on a VPN.

More generally, it explains how to have two default routes, and an iptables rule to choose which default route is to be used. If the rule matches, the first one (in my case the one in the tcp_tun2socks table) will be used, otherwise the second one (real_default table).

An example of how your goal can be achieved:

routing table main: has all routes, except default gateways
routing table default_direct: has default gateway via ISP's router
routing table default_vpn: has default gateway via VPN

ip rules (output of "ip rule show"):
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
40000: from all fwmark 0x100/0x100 lookup default_direct
40001: from all lookup default_vpn

iptables rules:
iptables -t mangle -A PREROUTING -i <lan_iface> -p tcp --dport 80 -j MARK --or-mark 0x100

It's really the same thing as the guide, except with different names for routing tables and a different iptables match.
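
The two-table layout described in this post, written out as a script for the router/modem box. This is an added example, not code from the thread or from ambrop7; the interface names, gateway addresses and table numbers are assumptions (taken from the outputs posted later in the thread, or standing in for them), and the MASQUERADE rules assume the box already NATs its clients. It runs as root; with DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): split default routing on a Linux
# router that has both a PPPoE uplink and an OpenVPN tap uplink.
# Assumptions: interface names, gateways and table ids below; give the
# tables names in /etc/iproute2/rt_tables ("100 default_direct",
# "101 default_vpn") if you want "ip route show table default_vpn" to work.
# Run as root. DRY_RUN=1 prints the commands instead of running them.

LAN_IF=${LAN_IF:-eth0}          # clients live here (192.168.1.0/24 in the thread)
WAN_IF=${WAN_IF:-ppp0}          # PPPoE/DSL link
WAN_GW=${WAN_GW:-192.168.100.1} # peer address shown on ppp0
VPN_IF=${VPN_IF:-tap0}          # OpenVPN tap device
VPN_GW=${VPN_GW:-178.73.218.1}  # gateway the VPN pushed for tap0
MARK=0x100                      # fwmark bit meaning "send directly, not via VPN"
T_DIRECT=100                    # routing table ids (see rt_tables note above)
T_VPN=101

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_split_default() {
  # 1. "main" must carry no default route: it is consulted at priority 32766,
  #    before rules 40000/40001, so a default there would shadow both tables.
  run ip route del default table main 2>/dev/null || true

  # 2. Exactly one default gateway per policy table.
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$T_DIRECT"
  run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$T_VPN"

  # 3. Marked packets use the direct table; everything else falls through
  #    to the VPN table. Local (router-originated) traffic is never marked,
  #    so it stays on the VPN, which is what the OP asked for.
  run ip rule add priority 40000 fwmark "$MARK/$MARK" lookup "$T_DIRECT"
  run ip rule add priority 40001 lookup "$T_VPN"

  # 4. Set the bit on client HTTP before the routing decision is made
  #    (mangle/PREROUTING runs before route lookup for forwarded packets).
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
      -j MARK --or-mark "$MARK"

  # 5. Strict reverse-path filtering (rp_filter=1) drops HTTP replies that
  #    arrive on ppp0, because the "main" table alone would not route that
  #    source back out of ppp0. Loose mode (2) only requires the source to be
  #    reachable via some interface.
  run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
  run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"

  # 6. Assumption: clients are masqueraded. It has to happen on both uplinks,
  #    or the HTTP flows leave ppp0 with private 192.168.1.x source addresses.
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

  run ip route flush cache
}

# Show which path the kernel picks for a client HTTP packet versus anything
# else. Needs an iproute2 whose "ip route get" understands "mark".
# The destination (TEST-NET-3) and client address are made-up values.
check_split_default() {
  dst=${1:-203.0.113.1}
  echo "client http -> $(ip route get "$dst" mark "$MARK" from 192.168.1.10 iif "$LAN_IF" 2>/dev/null | head -1)"
  echo "anything else -> $(ip route get "$dst" 2>/dev/null | head -1)"
}
```

Only TCP to port 80 is marked, so client HTTPS, DNS and everything else still goes through the VPN; widen the match if that is not what you want. Replies to the marked flows are matched by connection tracking, not by the mark, which is why the rp_filter change is not optional.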

Icovada 05-11-2011 01:35 AM

Oh, so I guess that's why it wasn't working. I thought that by adding the default routes to the different tables one would be ok. I had to add the routes to the tables too. My bad. Thank you, I'll try and get back to you!

Icovada 05-11-2011 04:10 AM

Alright, I am ashamed of myself but I can't seem to make it work.
This is what the tables look like when just the ppp connection is on.

I hope this helps. All I can do for now is either get all traffic on ADSL _or_ VPN, despite following what you said.
Obviously I am doing something wrong.

ifconfig
Code:

eth0      Link encap:Ethernet  HWaddr redacted            //LAN interface
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80:redacted/60 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4729332 errors:8 dropped:0 overruns:0 frame:8
          TX packets:6389712 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:2973991267 (2.9 GB)  TX bytes:2826129936 (2.8 GB)
          Interrupt:44

eth1      Link encap:Ethernet  HWaddr redacted            //External interface
          inet6 addr: fe80:redacted/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10551909 errors:0 dropped:70 overruns:0 frame:0
          TX packets:8575172 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:164284570 (164.2 MB)  TX bytes:2255856413 (2.2 GB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:471904 errors:0 dropped:0 overruns:0 frame:0
          TX packets:471904 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:49206750 (49.2 MB)  TX bytes:49206750 (49.2 MB)

ppp0      Link encap:Point-to-Point Protocol 
          inet addr:79.41.151.37  P-t-P:192.168.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:4866 (4.8 KB)  TX bytes:2739 (2.7 KB)

route
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
192.168.100.1  *              255.255.255.255 UH    0      0        0 ppp0
192.168.1.0    *              255.255.255.0  U    0      0        0 eth0
link-local      *              255.255.0.0    U    1000  0        0 eth0
default        192.168.100.1  0.0.0.0        UG    0      0        0 ppp0

ip rule ls
Code:

0:        from all lookup local
32766:        from all lookup main
32767:        from all lookup default

ip route ls
Code:

192.168.100.1 dev ppp0  proto kernel  scope link  src 79.41.151.37
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
169.254.0.0/16 dev eth0  scope link  metric 1000
default via 192.168.100.1 dev ppp0

When the VPN is on...

ifconfig
Code:

[...]
tap0      Link encap:Ethernet  HWaddr f6:56:47:6d:c6:8c 
          inet addr:178.73.218.233  Bcast:178.73.218.255  Mask:255.255.255.0
          inet6 addr: fe80::f456:47ff:fe6d:c68c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:336 (336.0 B)  TX bytes:1204 (1.2 KB)

route
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
192.168.100.1  *              255.255.255.255 UH    0      0        0 ppp0
178.73.212.234  192.168.100.1  255.255.255.255 UGH  0      0        0 ppp0
192.168.1.0    *              255.255.255.0  U    0      0        0 eth0
178.73.218.0    *              255.255.255.0  U    0      0        0 tap0
link-local      *              255.255.0.0    U    1000  0        0 eth0
default        178.73.218.1    128.0.0.0      UG    0      0        0 tap0
128.0.0.0      178.73.218.1    128.0.0.0      UG    0      0        0 tap0
default        192.168.100.1  0.0.0.0        UG    0      0        0 ppp0

ip route ls
Code:

192.168.100.1 dev ppp0  proto kernel  scope link  src 79.41.151.37
178.73.212.234 via 192.168.100.1 dev ppp0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
178.73.218.0/24 dev tap0  proto kernel  scope link  src 178.73.218.233
169.254.0.0/16 dev eth0  scope link  metric 1000
0.0.0.0/1 via 178.73.218.1 dev tap0
128.0.0.0/1 via 178.73.218.1 dev tap0
default via 192.168.100.1 dev ppp0


ambrop7 05-11-2011 04:24 AM

Quote:

Originally Posted by Icovada (Post 4352937)
Alright, I am ashamed of myself but I can't seem to make it work.

Are you messing with me? You haven't really done anything that I've told you. Why do you come asking for help if you fail to follow the instructions given?!

1) you still have the two default routes in the "main" routing table, rather than having one in "default_direct" and one in "default_vpn",
2) you haven't added the "ip rules" for these two routing tables,
3) you haven't added the iptables command which marks packets,
4) you probably haven't disabled the Reverse Path Filter as well.

If your VPN client or PPPOE client is adding its default route directly into the "main" routing table, I can't help you with that. Consult the VPN/PPPOE client's documentation on how to make the route go into a specific routing table.

Icovada 05-11-2011 07:38 AM

It is working now. Thank you.
In the end I've put a general default route for the VPN and a specific one for the clients, and it is working now.

My question now is, how can I make sure the configuration persists through reboots?
Which files do I have to edit?

ambrop7 05-11-2011 10:34 AM

Quote:

Originally Posted by Icovada (Post 4353174)
It is working now. Thank you.
In the end I've put a general default route for the VPN and a specific one for the clients, and it is working now.

My question now is, how can I make sure the configuration persists through reboots?
Which files do I have to edit?

You can put any /proc/sys option into /etc/sysctl.conf, for example:
net.ipv4.conf.ppp0.rp_filter = 2

For iptables, most distros have init scripts that call iptables-save and iptables-restore.

I'm not aware of any general mechanism for "ip rule" rules. Just make an init script or something to add/remove these rules.

As far as the default routes go, consult the documentation of the VPN and PPPOE clients to see how you can take control of the routes they generate. For example, with OpenVPN this seems to be doable using "--route-noexec --route-up <script>", which allows your script to add/remove routes.
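
One way to apply the "--route-noexec --route-up <script>" suggestion above so that the VPN's default route lands in the default_vpn table instead of "main". This is an added example, not from the thread or from the OpenVPN project; it assumes table id 101 is default_vpn and rule priority 40001 as used earlier in the thread, and that OpenVPN exports $dev, $route_vpn_gateway and $script_type to the hook (it does when the server pushes a route-gateway, which a tap server normally does). With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN route-up/down hook that keeps
# the VPN default route out of "main" and installs it in the default_vpn
# policy table instead. Assumptions: table id 101, rule priority 40001, and
# the OpenVPN environment variables dev, route_vpn_gateway, script_type.
#
# Install as /etc/openvpn/vpn-route.sh (chmod 755) and add to the client config:
#
#   script-security 2
#   route-noexec
#   route-up /etc/openvpn/vpn-route.sh
#   down     /etc/openvpn/vpn-route.sh
#
# DRY_RUN=1 prints the commands instead of running them.

T_VPN=${T_VPN:-101}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# script_type=route-up: the tap device is configured and OpenVPN would now add
# its routes to "main"; with --route-noexec it adds nothing, and we add the one
# route we want, in the table we want.
vpn_route_up() {
  dev=${1:?tap/tun device}
  gw=${2:?vpn gateway}
  run ip route replace default via "$gw" dev "$dev" table "$T_VPN"
  # Re-create the rule idempotently so repeated reconnects do not stack copies.
  run ip rule del priority 40001 2>/dev/null || true
  run ip rule add priority 40001 lookup "$T_VPN"
  run ip route flush cache
}

# script_type=down: the device is going away; remove the table entry and the
# rule that points at it rather than leaving a route to a dead interface.
vpn_route_down() {
  run ip route flush table "$T_VPN"
  run ip rule del priority 40001 2>/dev/null || true
  run ip route flush cache
}

case "${script_type:-}" in
  route-up) vpn_route_up "$dev" "$route_vpn_gateway" ;;
  down)     vpn_route_down ;;
esac
```

Note the behaviour this gives when the VPN drops: unmarked client traffic and the router's own traffic then have no default route at all and are dropped rather than silently falling back to the DSL link. That is the fail-closed choice; if you want automatic fallback instead, the down hook is where you would deliberately arrange it.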

Icovada 05-11-2011 02:35 PM

Thank you very much. One more thing - is there a way to set up a double default route so that if the VPN suddenly disconnects the server will instead connect to the normal internet on its own without having to reconfigure everything?

