Adapting firewall rules to access local network without going through VPN

binkyd · 05-19-2021, 04:03 PM

Linux Mint's Warpinator doesn't work with a VPN connected.
Would it be possible to write firewall rules that would allow that app to not use the VPN?

(Split-tunneling doesn't work, cuz that still goes out to the Internet, doesn't stay local.)

Could these old kill-switch rules (below) be adapted, maybe?

Code:

sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any
sudo ufw allow out from any to <address of vpn>
sudo ufw enable
sudo ufw status

dfog · 05-20-2021, 03:22 AM

I guess it depends on some variables.
Your network structure?
Do you run a local dns server (e.g. dnsmasq)?

What is the non-VPN network configuration?
What is the VPN configuration? Does this edit the nameservers? I figure your VPN is applied "system-wide", is it?

Do you connect in warpinator using names or by IP?
I don't know warpinator. It should have 42000 port reserved, that port could be routed away from your VPN.

binkyd · 05-20-2021, 05:30 AM

the local network is through the ISP's modem/router and it uses DHCP ; warpinator connects so far by name.
And yes, it does use port 42000 - how would I route it away from the VPN? Sounds like my solution, that does. Thanks.

dfog · 05-20-2021, 06:32 AM

If warpinator name resolution occurs at port 53, it gets painful. You may need to merge local and remote names.
Depending on your ISP router this could require a gateway system in order to grant that remote names comes from the VPN while the local ones are from the dhcp server. Likely it will resolve both if it works as DNS server, in that case the gateway system should run a dns service.

Else, in case warpinator discovers devices on his own port,
something like:
(in case your network interface is eth0)

iptables -t nat -A PREROUTING -i eth0 -p tcp -d 127.0.0.1 --dport 42000 -j DNAT --to-destination $yourISProuterIP:42000
iptables -t nat -A PREROUTING -i eth0 -p udp -d 127.0.0.1 --dport 42000 -j DNAT --to-destination $yourISProuterIP:42000

should route your traffic across 42000 into your ISp router (which should be the same occurring without the VPN).
Please note that this would require your ISP router for warpinator to work (if you are on laptop, it could be disappointing).

It would be simpler if your VPN works as a virtual network interface rather than recofiguring the current one.
In that case something like
iptables -A PREROUTING -p tcp --dport 42000 -i eth0
iptables -A PREROUTING -p udp --dport 42000 -i eth0

should be enought to avoid warpinator to be tunneled in tun0 (or whatever).
In this case warpinator would be bound to an interface (always the same, even if you switch across multiple interfaces, like wlan0/eth0).

I don't know neither how warpinator discovers thee devices nor how is your managed your vpn connection.