[SOLVED] If terminal needs to download or upgrade does it bypass my vpn?
Distribution: native install of Parrot Home Edition 5.0 Debian (no security tools) 64 bit, KDE, 5.14.0-9parrot1,
Posts: 872
Original Poster
Rep:
Quote:
Originally Posted by computersavvy
What was or was not in use at the time is immaterial to the routing table. You are asking about traffic which does not show when looking at routing.
Since both synaptic and terminal are deemed applications and vpn's are meant to direct all traffic, does that mean both are going thru the vpn client? Synaptic package manager accesses external repo's only? I do not have an internal repo to access.
Quote:
Originally Posted by computersavvy
The only thing critical is that the vpn should be connected so we can analyze what actually is being done by the routing.
I did spot my vpn ip multiple times in the routing results when I ran
Code:
/sbin/route
based on seeing the vpn ip in the results can we say:
- a gui synaptic package manager will go thru your vpn client?
- that when you use terminal to download something from your distro's repo the traffic will go thru your vpn client?
Does using synaptic package manager fall into the external package repository category? If yes then it would not go thru my vpn?
An example of an internal package repository would be a company with its own repo? I guess individuals can have their own repo's too?
Did you mean to say "does depend"?
No, I wanted to say it does not depend on the app itself, whether it is apt, synaptic, wget, curl, firefox or whatever else you might use to connect to another host.
Quote:
Originally Posted by linux-man
Synaptic package manager only works thru the gui whether you're at work for a company or not?
Synaptic is a graphical tool (not a command line tool).
Quote:
Originally Posted by linux-man
If you're at your workplace and you used terminal to download an item from your workplace distro's repo would that go thru the company vpn?
No, if my PC is already connected to that corporate network I don't need to use vpn to reach internal resources.
Quote:
Originally Posted by linux-man
If you were at home on your personal computer using a vpn client downloaded onto your linux desktop and you used terminal to download an item from your personal computer's distro's repo would it go thru the vpn? What about your package manager?
If you mean the corporate vpn I don't need that at all to download anything from the net, it is only required if I want to reach anything inside. Including package manager, terminal or any other tool.
You need to think about vpn as a "highway" (or tunnel), it connects two points together, let's say it connects two subnets together. Because of the nature of this highway you don't need to take care of any distance, any problems (during the travel), because virtually these subnets are just connected to each other (reachable using this protected highway) despite the fact the connection itself goes thru a lot of insecure and open hosts.
Your router will tell your host (in case of a request) if a (tcp/ip) package should go thru this highway or should find another way to reach its destination (that's why it is called a router).
Router has no idea where is this package coming from, if it was initiated by a program, gui, terminal, kernel, whatever, it is not important.
In my case the two subnets are my local home network and the corporate network and I can only reach company resources if I use this highway, there is no other route to internal hosts. But obviously the usage of it is allowed only for members.
Quote:
Originally Posted by pan64
If you mean the corporate vpn I don't need that at all to download anything from the net, it is only required if I want to reach anything inside. Including package manager, terminal or any other tool.
Router has no idea where is this package coming from, if it was initiated by a program, gui, terminal, kernel, whatever, it is not important.
If a retiree i.e. someone not working in a corporate setting, needed to download something from their official distro's repo using terminal commands, and the retiree has vpn client switched on i.e. connected to a random foreign IP, will these terminal commands get tunnelled via the vpn client? If yes then are you also saying the router not the vpn client decides if this gets tunnelled? Does synaptic go thru the vpn tunnel in this example too?
It is the router that decides where to go, so you need to configure your router to be able to decide. When we start a vpn client, it usually tells the router the address range that can be reached with the tunnel (the router is informed about the new tunnel). Again, when you shut down your vpn client it will tell the router that the tunnel is not available any more. A random foreign ip is usually not tunneled, but occasionally it might be if it belongs to that address range.
(I don't know what kind of vpn do you have, how is it configured and what url do you want to reach, but your router does know the direction to use)
A router acts as a director of traffic and all traffic reaching it is sorted and directed by the routing table on the router itself. Once a VPN is connected the gateway router sees that as a connection that is established and simply routes the traffic accordingly.
A PC that originates a VPN acts similarly. The routing table on the PC also sorts and directs traffic. When the VPN is active the pc routing table has 2 routes of interest.
Traffic is sorted and that designated as for routing via the VPN is directed to the tun0 device while all other traffic is sent to the local net or the gateway router. This means the local routing table on the PC is important so that apps connecting to an ip via the tunnel can be directed properly. Traffic not directed to an ip via the tunnel is sent via the default routing.
What this means is that there is a traffic split in the highway directly on the PC and tunnel traffic is separated from the remainder before it ever leaves the PC. The gateway router has no control over the traffic via the VPN that originates on the PC.
It also means the routing on the PC itself is critical to answering the original question here.
Last edited by computersavvy; 12-15-2023 at 08:59 AM.
If your VPN is configured to route all traffic thru it, then it will route all traffic thru it. It makes no difference if that traffic is the result of the OS or an app you ran from a gui or from a terminal or from voice assistant, that is irrelevant. Traffic is traffic.
If you will simply post, using "code tags," the exact output of your route command, and tell us what URL or IP-address you are trying to connect to, we will now very-patiently explain it to you.
The route command applies a very specific set of rules to every IP-address that is presented to the Linux network-stack for delivery, telling it which "network interface" should handle the traffic, and which address is the "gateway." The final rule is a "catch-all" which handles everything else, and the rules are applied top-to-bottom.
Your VPN inserts itself into that list at one or more places, using a "virtual network device" to divert the traffic to its own software.
Quote:
Originally Posted by computersavvy
...Traffic not directed to an ip via the tunnel is sent via the default routing.
is /sbin/route the only command that will show if synaptic and terminal are being directed to the vpn tunnel?
Quote:
Originally Posted by computersavvy
Once a VPN is connected the gateway router sees that as a connection that is established and simply routes the traffic accordingly.
But not necessarily all traffic?
Quote:
Originally Posted by computersavvy
When the VPN is active the pc routing table has 2 routes of interest.
Traffic is sorted and that designated as for routing via the VPN is directed to the tun0 device while all other traffic is sent to the local net or the gateway router.
Is there a way to tell if synaptic and terminal commands are designated for routing via the VPN tun0 device? By default does this vary on linux distro's?
Quote:
Originally Posted by computersavvy
The routing table on the PC also sorts and directs traffic.
So there are two routers and 2 routing tables, one external one connected to wall socket and another within the PC?
Quote:
Originally Posted by computersavvy
...the routing on the PC itself is critical to answering the original question here...the local routing table on the PC is important so that apps connecting to an ip via the tunnel can be directed properly....The gateway router has no control over the traffic via the VPN that originates on the PC....traffic split in the highway directly on the PC and tunnel traffic is separated from the remainder before it ever leaves the PC
You're missing the point. It has nothing to do with what app you use it from. It's like you're not reading what people reply with. It depends where you're connecting to. Only. If you have all traffic set to go thru the vpn, then all traffic will go thru the VPN. It has nothing to do with OS or distro or anything like that - you could run a vpn client on your router for example if you wanted and get the same thing.
If you configured your vpn to only apply to certain domain or ip range, then only connections to that domain or ip range would go thru the VPN. Like for a corporate vpn, you might configure it to only apply for companyname.net addresses, but let everything else go straight to the internet. In that kinda case, companyname.net is probably not even accessible directly from the internet, they will have companyname.com as their public website which is unrelated to the internal network you use the vpn to join. This would likely be preconfigured by the company's IT department for you so you could work from home, but if you do regular web browsing, it won't appear to be coming from the company's IP, it'll be coming from yours.
additionally it is not the app (terminal, synaptic, firefox, whatever) which manages the network connection(s), routing and related things. None of them is capable to do that. They know in most cases just an URL, hostname or something similar, and the OS itself (including the kernel and some services) will do the real routing, network communication, data transfer.
Quote:
Originally Posted by computersavvy
I have this using "ip route show"
Code:
default via 192.168.4.1 dev wlp5s0 proto dhcp src 192.168.4.111 metric 600
192.168.4.0/22 dev wlp5s0 proto kernel scope link src 192.168.4.111 metric 600
192.168.124.0/24 dev virbr0 proto kernel scope link src 192.168.124.1
and this using "route"
Code:
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway.home.do 0.0.0.0         UG    600    0        0 wlp5s0
192.168.4.0     0.0.0.0         255.255.252.0   U     600    0        0 wlp5s0
192.168.124.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
Quote:
Originally Posted by computersavvy
... the routing table, complete, shows what is directed to which interface.
Editing the output hides what the routing is doing and makes analysis impossible.
Quote:
Originally Posted by enigma9o7
If you have all traffic set to go thru the vpn, then all traffic will go thru the VPN. It has nothing to do with OS or distro or anything like that ...If you configured your vpn to only apply to certain domain or ip range, then only connections to that domain or ip range would go thru the VPN.
Configuring all traffic to go thru the vpn is solely by the pc routing table?
To check if all traffic is going thru my vpn I would use /sbin/route? The vpn client settings do not decide configuration rather the pc routing table decides?
It does not show my ip at 193.142.xxx.xxx
example...
Code:
glenn@GamesBox ~ $ ip route show
0.0.0.0/1 via 10.8.1.1 dev tun0
default via 172.20.10.1 dev eth0 proto dhcp src 172.20.10.2 metric 100
10.8.1.0/24 dev tun0 proto kernel scope link src 10.8.1.9
128.0.0.0/1 via 10.8.1.1 dev tun0
172.20.10.0/28 dev eth0 proto kernel scope link src 172.20.10.2 metric 100
213.232.87.125 via 172.20.10.1 dev eth0
glenn@GamesBox ~ $ route
bash: route: command not found
glenn@GamesBox ~ $ su
Password:
root@GamesBox:/root route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.1.1        128.0.0.0       UG    0      0        0 tun0
default         172.20.10.1     0.0.0.0         UG    100    0        0 eth0
10.8.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.1.1        128.0.0.0       UG    0      0        0 tun0
172.20.10.0     0.0.0.0         255.255.255.240 U     100    0        0 eth0
213.232.87.125  172.20.10.1     255.255.255.255 UGH   0      0        0 eth0
root@GamesBox:/root
Code:
whois 213.232.87.125
...
netname: NORDVPN-...
...
so, just show it to us so we can see if it all links up before it goes into the vpn tunnel. :-)
btw, how does mine look?
Last edited by GlennsPref; 12-15-2023 at 08:21 PM.
Reason: snip
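An added example, not part of any post in this thread: the two `ip route show` tables posted above, run through a small route lookup that picks the most specific matching prefix (lowest metric on a tie), which is how the kernel chooses the outgoing interface regardless of which program opened the connection. The function names and the address 198.51.100.7 (a constructed stand-in for a package mirror) are assumptions; the parser handles only the key/value fields that appear in these tables.

```python
import ipaddress

# `ip route show` output copied from the two posts in this thread.
NO_TUNNEL = """\
default via 192.168.4.1 dev wlp5s0 proto dhcp src 192.168.4.111 metric 600
192.168.4.0/22 dev wlp5s0 proto kernel scope link src 192.168.4.111 metric 600
192.168.124.0/24 dev virbr0 proto kernel scope link src 192.168.124.1
"""
WITH_TUNNEL = """\
0.0.0.0/1 via 10.8.1.1 dev tun0
default via 172.20.10.1 dev eth0 proto dhcp src 172.20.10.2 metric 100
10.8.1.0/24 dev tun0 proto kernel scope link src 10.8.1.9
128.0.0.0/1 via 10.8.1.1 dev tun0
172.20.10.0/28 dev eth0 proto kernel scope link src 172.20.10.2 metric 100
213.232.87.125 via 172.20.10.1 dev eth0
"""

def parse_routes(text):
    """Parse the key/value form of the `ip route show` lines above."""
    routes = []
    for line in text.splitlines():
        dest, *rest = line.split()
        opts = dict(zip(rest[0::2], rest[1::2]))
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append({"net": net, "dev": opts["dev"], "via": opts.get("via"),
                       "metric": int(opts.get("metric", 0))})
    return routes

def egress(routes, address):
    """Route selected for one destination: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"])) if matches else None

def bypasses(routes, tunnel_dev):
    """Prefixes for which some address still leaves by a non-tunnel device."""
    out = []
    for r in routes:
        if r["dev"] == tunnel_dev:
            continue
        finer = [m["net"] for m in routes
                 if m["net"].prefixlen > r["net"].prefixlen and m["net"].subnet_of(r["net"])]
        if list(ipaddress.collapse_addresses(finer)) != [r["net"]]:  # not fully shadowed
            out.append(str(r["net"]))
    return out

if __name__ == "__main__":
    table = parse_routes(WITH_TUNNEL)
    for dst in ("198.51.100.7", "213.232.87.125", "172.20.10.1", "10.8.1.1"):
        r = egress(table, dst)
        print(f"{dst:>15} -> dev {r['dev']} via {r['via']}")
    print("bypass tun0:", bypasses(table, "tun0"))
```

On a live system, `ip route get <address>` asks the kernel for the same decision directly.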