Jump to content
Not connected, Your IP: 3.144.104.118
Sign in to follow this  
Eemu

Running OpenVPN on non default gateway and route all traffic through the tunnel

Recommended Posts

Hello,

 

My router is too slow to run OpenVPN in a decent way. My idea was to use another computer as OpenVPN-gateway. The setup looks like this with the router running DD-WRT and OpenVPN server running Ubuntu:

 

qADacl7.png

 

I have a few questions:

  1. First an understanding question: Do I expose my computer / lan to the AirVPN server? In other words is it possible for the "other site" (AirVPN servers) to access e.g. my samba shares after opening a tunnel from 192.168.0.10?
  2. Follow up: if so, how can I prevent that?
  3. Is it possible that all (internet-) traffic gets routed through OpenVPN and that clients get configured automatically in the above setup? How?
  4. How would I create an exception for a host / service so that its traffic is routed directly to the internet?

Sorry for all the questions, that's my first time using OpenVPN and thanks in advance,

eemu

Share this post


Link to post

Hello Eemu.

 

I'm only a user of Air, so if you hear differently from Staff, you should definitely trust them over me. That said, my understanding is as follows:

 

 

1. Yes - in principle you are exposing at least one machine to the rest of Air's internal network. You are tunneling through your router, so it is as if you have a direct connection between the Air server you connect to and the machine you are running the client on. Having this exposure / direct connection is, of course, what makes it possible to have ports open to the rest of the world ("Forwarded ports" in the Client Area).

 

However, in practice that does not necessarily mean Air can access things on your local network if you can configure things so that local services ignore traffic that comes in over the tunnel.

 

2. Depends on your operating system and what services you are running. I'm not that familiar with Ubuntu unfortunately, but basically you can set up firewall rules to block incoming traffic and/or tell all services to not listen on tun0.

 

3. I'm not a networking guru, but I believe you can just set up your OpenVPN gateway machine to route traffic for the rest of the network like one would "normally" do (i.e. follow whatever documentation is relevant for setting it up as a router) and the rest should just work. I could be wrong. You probably have to turn off DHCP on the external router (192.168.0.1) too, to prevent clients from using it instead.

 

4. This sounds like tricky network voodoo and I'll leave that to someone else.

 

However, one special case where things are relatively easy is web browsing - if you can set up a HTTP proxy on the external router you should be able to tell a web browser to use that and bypass the VPN tunnel.

 

Or conversely, if you set up a HTTP proxy on the VPN machine you can use it to forward HTTP traffic through the tunnel without having to do any configuration of routing. (I've done this.)

 

 

Phew. Hope you find something of value in that wall of text. I'm going to take a break now. :-)

Share this post


Link to post

Hi Eemu,

 

For 1 and 2, you can use the built in DD-WRT firewall. A simple rule that will specify that any incoming traffic on the tun0 interface should be dropped will be enough.

You might want to add port forwarding rules, if you use any, above that rule.

 

For 3, your diagram is a little confusing, what you probably need more is a network separation of 2 subnets, like 192.168.0.0/24 to pass via OpenVPN, and 192.168.10.0/24 to pass via default gateway of DD-WRT.

I won't go into how you provision which client should be on which subnet, you should probably know better, and DD-WRT has many wiki pages about it in case you get lost. The most important part is below.

 

4. What you need next is policy based routing. Generally it means that you tell the router to send clients via different gateways, depending on their source and/or destination.

 

http://www.dd-wrt.com/wiki/index.php/Policy_Based_Routing#With_OpenVPN

 

So again, if you follow that example and adjust it based on your needs, you will have something like

 

ip rule add from 192.168.10.0/24 table 200
ip route add 192.168.10.0/24 via default dev eth0.2 table 200

 

Hope that helps.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...