Roennie Posted ... First and foremost, thank you for your awesome service and your ethical view on (digital) privacy. You are the best! Second, I am setting up AirVPN through the CLI. Right now, when I connect, it forces all traffic through AirVPN. Is it possible to have OpenVPN create the tunnel device without forcing all traffic through it? The situation I want is to have a select few applications go through AirVPN while the rest use the normal connection. I know how to get that done with iptables, just not how to change this default OpenVPN behaviour.
zhang888 Posted ... Try this document; it describes multiple setups of what you are trying to do: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
NaDre Posted ... Just using OpenVPN configuration will not do. See this: https://airvpn.org/topic/14634-problems-using-air-vpn-as-non-default-route/?do=findComment&comment=29391 On Linux, you need to use source address routing when the VPN is not the default gateway. Hopefully the programs that you want to use through the VPN can be told which IP interface to use. If not, you could look at an LD_PRELOAD shim that can force this. See these links for example:
https://daniel-lange.com/archives/53-Binding-applications-to-a-specific-IP.html
http://kernel.embedromix.ro/us/force_bind/
http://www.ryde.net/code/bind.c.txt
https://github.com/meebey/force_bind
=== UPDATE: In the interest of completeness, the other problem you may have when you are trying to tell a program to use a specific IP interface is that every AirVPN server that you connect to will give you a different local private IP address. This is a problem if you want to select a random server at reboot. I have a patch for OpenVPN that allows you to specify the local IP address. See: https://airvpn.org/topic/14314-static-internal-ip/?p=28045 Quoting that: "It is fairly easy to build OpenVPN from source for Linux yourself ...". And also: "With the patch applied, I add this line to my configuration files": ifconfig-nat 10.44.0.2 10.44.0.1 Here is the patch updated for OpenVPN 2.3.10:
diff -ur openvpn-2.3.10_orig/src/openvpn/options.c openvpn-2.3.10_patched/src/openvpn/options.c --- openvpn-2.3.10_orig/src/openvpn/options.c 2016-01-04 05:17:32.000000000 -0700 +++ openvpn-2.3.10_patched/src/openvpn/options.c 2016-01-30 09:16:06.680244300 -0700
@@ -192,6 +192,13 @@
 " addresses outside of the subnets used by either peer.\n"
 " TAP: configure device to use IP address l as a local\n"
 " endpoint and rn as a subnet mask.\n"
+#ifdef ENABLE_CLIENT_NAT
+ "--ifconfig-nat l r [m]: override --ifconfig parameters pushed from server\n"
+ " and use \"client-nat dnat ...\" and \"client-nat snat ...\"\n"
+ " commands to map between local and remote addresses.\n"
+ " use IP address l as local endpoint and r as a remote endpoint.\n"
+ " optionally use m as netmask for client-nat.\n"
+#endif
 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
 " endpoint (as a /64) and r as remote endpoint\n"
 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
@@ -3870,6 +3877,98 @@
 unsigned int *option_types_found,
 struct env_set *es);
 
+#ifdef ENABLE_CLIENT_NAT
+const char *ifconfig_nat_local = NULL;
+const char *ifconfig_nat_remote = NULL;
+const char *ifconfig_nat_netmask = NULL;
+static void ifconfig_nat_set(
+ struct options *options,
+ const int msglevel,
+ const char *local,
+ const char *remote,
+ const char *netmask) {
+ if (!ifconfig_nat_local || !ifconfig_nat_remote ) {
+ ifconfig_nat_local = local;
+ ifconfig_nat_remote = remote;
+ ifconfig_nat_netmask = netmask;
+ if (!netmask)
+ msg (M_INFO, "ifconfig-nat: options set: %s %s", local, remote);
+ else
+ msg (M_INFO, "ifconfig-nat: options set: %s %s %s", local, remote, netmask);
+ }
+}
+static void ifconfig_nat_apply (
+ struct options *options,
+ const int msglevel) {
+ if (!(ifconfig_nat_local)) return;
+ if (!(ifconfig_nat_remote)) return;
+ if (!(options->ifconfig_local)) return;
+ if (!(options->ifconfig_remote_netmask)) return;
+ if (options->topology == TOP_SUBNET) {
+ if (!(options->route_default_gateway)) return;
+ cnol_check_alloc (options);
+ msg (M_INFO, "ifconfig-nat: Inserted \"client-nat snat %s 255.255.255.255 %s\"",
+ ifconfig_nat_local, options->ifconfig_local);
+ add_client_nat_to_option_list(options->client_nat,
+ "snat", ifconfig_nat_local, "255.255.255.255", options->ifconfig_local, msglevel);
+ msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s 255.255.255.255 %s\"",
+ ifconfig_nat_remote, options->route_default_gateway);
+ add_client_nat_to_option_list(options->client_nat,
+ "dnat", ifconfig_nat_remote, "255.255.255.255", options->route_default_gateway, msglevel);
+ if (ifconfig_nat_netmask) {
+ msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s %s %s\"",
+ ifconfig_nat_remote, ifconfig_nat_netmask, options->route_default_gateway);
+ add_client_nat_to_option_list(options->client_nat,
+ "dnat", ifconfig_nat_remote, ifconfig_nat_netmask, options->route_default_gateway,
+ msglevel);
+ }
+ else {
+ msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s %s %s\"",
+ ifconfig_nat_remote, options->ifconfig_remote_netmask, options->route_default_gateway);
+ add_client_nat_to_option_list(options->client_nat,
+ "dnat", ifconfig_nat_remote, options->ifconfig_remote_netmask, options->route_default_gateway,
+ msglevel);
+ }
+ if (ifconfig_nat_netmask) {
+ msg (M_INFO, "ifconfig-nat: ifconfig options reset: %s %s",
+ ifconfig_nat_local, ifconfig_nat_netmask);
+ options->ifconfig_local = ifconfig_nat_local;
+ options->ifconfig_remote_netmask = ifconfig_nat_netmask;
+ }
+ else {
+ msg (M_INFO, "ifconfig-nat: ifconfig options reset: %s %s",
+ ifconfig_nat_local, options->ifconfig_remote_netmask);
+ options->ifconfig_local = ifconfig_nat_local;
+ }
+ msg (M_INFO, "ifconfig-nat: route-gateway option reset: %s",
+ ifconfig_nat_remote);
+ options->route_default_gateway = ifconfig_nat_remote;
+ }
+ else if (options->topology == TOP_NET30 || options->topology == TOP_P2P) {
+ cnol_check_alloc (options);
+ msg (M_INFO, "ifconfig-nat: Inserted \"client-nat snat %s 255.255.255.255 %s\"",
+ ifconfig_nat_local, options->ifconfig_local);
+ add_client_nat_to_option_list(options->client_nat,
+ "snat", ifconfig_nat_local, "255.255.255.255", options->ifconfig_local, msglevel);
+ msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s 255.255.255.255 %s\"",
+ ifconfig_nat_remote, options->ifconfig_remote_netmask);
+ add_client_nat_to_option_list(options->client_nat,
+ "dnat", ifconfig_nat_remote, "255.255.255.255", options->ifconfig_remote_netmask, msglevel);
+ if (ifconfig_nat_netmask) {
+ msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s %s %s\"",
+ ifconfig_nat_remote, ifconfig_nat_netmask, options->ifconfig_remote_netmask);
+ add_client_nat_to_option_list(options->client_nat,
+ "dnat", ifconfig_nat_remote, ifconfig_nat_netmask, options->ifconfig_remote_netmask,
+ msglevel);
+ }
+ msg (M_INFO, "ifconfig-nat: ifconfig options reset: %s %s",
+ ifconfig_nat_local, ifconfig_nat_remote);
+ options->ifconfig_local = ifconfig_nat_local;
+ options->ifconfig_remote_netmask = ifconfig_nat_remote;
+ }
+}
+#endif
+
 static void
 read_config_file (struct options *options,
 const char *file,
@@ -3930,6 +4029,9 @@
 }
 CLEAR (line);
 CLEAR (p);
+#ifdef ENABLE_CLIENT_NAT
+ if (level == 1 && !options->pull) ifconfig_nat_apply(options, msglevel);
+#endif
 }
 
 static void
@@ -4041,6 +4143,9 @@
 add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
 }
 }
+#ifdef ENABLE_CLIENT_NAT
+ ifconfig_nat_apply(options, msglevel);
+#endif
 return true;
 }
 
@@ -4308,7 +4413,7 @@
 port = atoi (p[2]);
 if (!legal_ipv4_port (port))
 {
- msg (msglevel, "port number associated with --management directive is out of range");
+ msg (msglevel, "port number associated with --management directive is out of range: %s", p[2]);
 goto err;
 }
 }
@@ -4499,6 +4604,24 @@
 goto err;
 }
 }
+#ifdef ENABLE_CLIENT_NAT
+ else if (streq (p[0], "ifconfig-nat") && p[1] && p[2]) {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ if (!ip_addr_dotted_quad_safe (p[1])) { /* FQDN -- must be IP address */
+ msg (msglevel, "ifconfig-nat parameter local '%s' must be an IP address", p[1]);
+ goto err;
+ }
+ if (!ip_addr_dotted_quad_safe (p[2])) { /* FQDN -- must be IP address */
+ msg (msglevel, "ifconfig-nat parameter remote '%s' must be an IP address", p[2]);
+ goto err;
+ }
+ if (p[3] && !ip_addr_dotted_quad_safe (p[3])) { /* FQDN -- must be IP address */
+ msg (msglevel, "ifconfig-nat parameter netmask '%s' must be an IP address", p[3]);
+ goto err;
+ }
+ ifconfig_nat_set(options, msglevel, p[1], p[2], p[3]);
+ }
+#endif
 else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] )
 {
 unsigned int netbits;
Only in openvpn-2.3.10_patched/src/openvpn: options.c.orig
Quote Share this post Link to post
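Review bot: The three `ifconfig_nat_*` globals added at the top of the `@@ -3870` hunk have external linkage although nothing outside options.c uses them; declare them `static const char *ifconfig_nat_local = NULL;` (and likewise for `_remote` and `_netmask`) so they stay file-private. `ifconfig_nat_set` has no `else` branch, so a repeated `ifconfig-nat` directive is dropped silently; an `else msg (M_WARN, "ifconfig-nat: already set, ignoring %s %s", local, remote);` would make the ignored line visible in the log, and the unused `options` and `msglevel` parameters of that helper can be removed. `ifconfig_nat_apply` rewrites `options->ifconfig_local` and `options->route_default_gateway` in place but records nothing about having run, so if it is reached twice for the same `options` (the call sites in the `@@ -3930` and `@@ -4041` hunks are guarded only by `level == 1 && !options->pull`, and it is not obvious from the hunk that both cannot fire, e.g. with more than one top-level config file) the second pass would insert an snat entry mapping the local address to itself; a `static bool ifconfig_nat_applied;` checked on entry and set just before the topology branch would make the function idempotent.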
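Review bot: In the `@@ -4499` hunk the optional third parameter of `ifconfig-nat` is validated only as a dotted quad, yet it is later used both as the `client-nat dnat` netmask and, under `TOP_SUBNET`, as the new `options->ifconfig_remote_netmask`, so a non-contiguous value such as `255.0.255.0` passes this check and reaches the NAT table; if such masks are not meant to be accepted, reject them here rather than relying on downstream code. `ifconfig_nat_set` keeps the raw `p[1]`, `p[2]`, `p[3]` pointers in file-scope globals for use after `add_option` returns, which presumes those token strings outlive the parser's `p` array; a comment at the call such as `/* the p[] strings must outlive this call — stored by ifconfig_nat_set */` would record that assumption, and it should be confirmed against how the tokens are allocated. `add_option` starts and ends outside this hunk.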