:: Re: [DNG] OpenVPN - routing things …
Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMonefang at <-
MMonefang at ->
Delete this message
Reply to this message
Author: Boian Bonev
Date:  
To: Ralph Ronnquist, dng
Subject: Re: [DNG] OpenVPN - routing things TO the OpenVPN server.
Hi,

Let's get practical and use the simplest way that I know ;)

Assume your server is X.X.X.X, openvpn is UDP (it is not a good idea to
use TCP, but that is a another topic) to port YYYY, your current
default gw is Z.Z.Z.Z and routing table 100 is unused:

ip ru add to X.X.X.X ipproto udp dport YYYY ta 100
ip r a default via Z.Z.Z.Z ta 100

Normaly VPN will add a route like X.X.X.X via Z.Z.Z.Z in your default
routing table, either disable the feature or delete the route.

HTH

With best regards,
b.


On Sun, 2023-10-08 at 08:45 +1100, Ralph Ronnquist wrote:
> On Sun, Oct 08, 2023 at 06:29:36AM +1000, onefang wrote:
> > I'm using OpenVPN on my server, and I'd like to route anything
> > between my
> > desktop and my server through the VPN.
> >
> > At the moment anything going to any other server goes through the
> > VPN,
> > but not stuff directly to the server.
> >
> > Obviously the OpenVPN stuff itself should go direct, want to avoid
> > going
> > around in circles here.
> >
> > Anyone know how to do this?
> >
> > Later I'll be moving to WireGuard, but I got lots of other things
> > need to
> > be done first.  Could this be done with WireGuard as well?
>
> For me, the first approach that springs to mind would be that you run
> the client withing a network namespace so that *its* outbound server
> packets can be marked, and then the rule bending server packets to
> that clent is set to ignore those marked packets.
>
> In that approach, the network namespace would need an input veth and
> an output veth of different nets. All outbound host packets, except
> marked packets, would be routed to the VPN client via the input net,
> and the client would send to the server via the output net with
> marking set to happen through the now routing host.
>
> I don't know of any better way of tagging the VPN outbound traffic
> and
> would be eager to learn if there is one.
>
> Ralph.
>
> >
> > --
> > A big old stinking pile of genius that no one wants
> > coz there are too many silver coated monkeys in the world.
> > _______________________________________________
> > Dng mailing list
> > Dng@???
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

This message was posted to the following mailing lists:
dng
Mailing List Info | Nearby Messages		<-Re: [DNG] ..an heads up on OSes, iphones etc on securing your etc privacyRe: [DNG] OpenVPN - routing things TO the OpenVPN server.->

Donate to Dyne.org

dyne.org open discussions
administrated by dyne.org hackers		Lurker (version 2.3)