Jump to content
Not connected, Your IP: 18.218.219.11
Sign in to follow this  
Roennie

[Linux] Partial AirVPN usage

Recommended Posts

First and foremost, thank you for your awesome service and ethical view on (digital) privacy. You are the best!

 

Second, I am setting up AirVPN through CLI. Right now, when I connect, it forces all the traffic through AirVPN. Is it possible to have OpenVPN create the tunnel device and not forcing traffic through? The situation I want, is having a select few applications through AirVPN, while the rest uses the normal connection. I know how to get that done with iptables, just not how I can change this default OpenVPN behaviour.

Share this post


Link to post

Just using OpenVPN configuration will not do. See this:

https://airvpn.org/topic/14634-problems-using-air-vpn-as-non-default-route/?do=findComment&comment=29391

On Linux, you need to use source address routing when the VPN is not the default gateway.

Hopefully the programs that you want to use the VPN can be told what IP interface to use. If not, you could look at a LD_PRELOAD shim that can force this. See these links for example:
 
https://daniel-lange.com/archives/53-Binding-applications-to-a-specific-IP.html
http://kernel.embedromix.ro/us/force_bind/
http://www.ryde.net/code/bind.c.txt
https://github.com/meebey/force_bind

===

UPDATE:

In the interest of completeness, the other problem you may have, when you are trying to tell a program to use a specific IP interface, is that every AirVPN server that you connect to will give you a different local private IP address. This is a problem if you want to select a random server at reboot.
 
I have a patch for OpenVPN that allows you to specify the local IP address. See:
 
https://airvpn.org/topic/14314-static-internal-ip/?p=28045
 
Quoting that: "It is fairly easy to build OpenVPN from source for Linux yourself ...".
 
And also: "With the patch applied, I add this line to my configuration files":

ifconfig-nat 10.44.0.2 10.44.0.1

Here is the patch updated for OpenVPN 2.3.10:

diff -ur openvpn-2.3.10_orig/src/openvpn/options.c openvpn-2.3.10_patched/src/openvpn/options.c
--- openvpn-2.3.10_orig/src/openvpn/options.c	2016-01-04 05:17:32.000000000 -0700
+++ openvpn-2.3.10_patched/src/openvpn/options.c	2016-01-30 09:16:06.680244300 -0700
@@ -192,6 +192,13 @@
   "                  addresses outside of the subnets used by either peer.\n"
   "                  TAP: configure device to use IP address l as a local\n"
   "                  endpoint and rn as a subnet mask.\n"
+#ifdef ENABLE_CLIENT_NAT
+  "--ifconfig-nat l r [m]: override --ifconfig parameters pushed from server\n"
+  "                  and use \"client-nat dnat ...\" and \"client-nat snat ...\"\n"
+  "                  commands to map between local and remote addresses.\n"
+  "                  use IP address l as local endpoint and r as a remote endpoint.\n"
+  "                  optionally use m as netmask for client-nat.\n"
+#endif
   "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
   "                      endpoint (as a /64) and r as remote endpoint\n"
   "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
@@ -3870,6 +3877,98 @@
 	    unsigned int *option_types_found,
 	    struct env_set *es);
 
+#ifdef ENABLE_CLIENT_NAT
+const char *ifconfig_nat_local = NULL;
+const char *ifconfig_nat_remote = NULL;
+const char *ifconfig_nat_netmask = NULL;
+static void ifconfig_nat_set(
+    struct options *options,
+    const int msglevel,
+    const char *local,
+    const char *remote,
+    const char *netmask) {
+  if (!ifconfig_nat_local || !ifconfig_nat_remote ) {
+    ifconfig_nat_local = local;
+    ifconfig_nat_remote = remote;
+    ifconfig_nat_netmask = netmask;
+    if (!netmask)
+      msg (M_INFO, "ifconfig-nat: options set: %s %s", local, remote);
+    else
+      msg (M_INFO, "ifconfig-nat: options set: %s %s %s", local, remote, netmask);
+  }
+}
+static void ifconfig_nat_apply (
+    struct options *options,
+    const int msglevel) {
+  if (!(ifconfig_nat_local)) return;
+  if (!(ifconfig_nat_remote)) return;
+  if (!(options->ifconfig_local)) return;
+  if (!(options->ifconfig_remote_netmask)) return;
+  if (options->topology == TOP_SUBNET) {
+    if (!(options->route_default_gateway)) return;
+    cnol_check_alloc (options);
+    msg (M_INFO, "ifconfig-nat: Inserted \"client-nat snat %s 255.255.255.255 %s\"",
+      ifconfig_nat_local, options->ifconfig_local);
+    add_client_nat_to_option_list(options->client_nat,
+      "snat", ifconfig_nat_local, "255.255.255.255", options->ifconfig_local, msglevel);
+    msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s 255.255.255.255 %s\"",
+      ifconfig_nat_remote, options->route_default_gateway);
+    add_client_nat_to_option_list(options->client_nat,
+      "dnat", ifconfig_nat_remote, "255.255.255.255", options->route_default_gateway, msglevel);
+    if (ifconfig_nat_netmask) {
+      msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s %s %s\"",
+        ifconfig_nat_remote, ifconfig_nat_netmask, options->route_default_gateway);
+      add_client_nat_to_option_list(options->client_nat,
+        "dnat", ifconfig_nat_remote, ifconfig_nat_netmask, options->route_default_gateway,
+        msglevel);
+    }
+    else {
+      msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s %s %s\"",
+        ifconfig_nat_remote, options->ifconfig_remote_netmask, options->route_default_gateway);
+      add_client_nat_to_option_list(options->client_nat,
+        "dnat", ifconfig_nat_remote, options->ifconfig_remote_netmask, options->route_default_gateway,
+        msglevel);
+    }
+    if (ifconfig_nat_netmask) {
+      msg (M_INFO, "ifconfig-nat: ifconfig options reset: %s %s",
+        ifconfig_nat_local, ifconfig_nat_netmask);
+      options->ifconfig_local = ifconfig_nat_local;
+      options->ifconfig_remote_netmask = ifconfig_nat_netmask;
+    }
+    else {
+      msg (M_INFO, "ifconfig-nat: ifconfig options reset: %s %s",
+        ifconfig_nat_local, options->ifconfig_remote_netmask);
+      options->ifconfig_local = ifconfig_nat_local;
+    }
+    msg (M_INFO, "ifconfig-nat: route-gateway option reset: %s",
+      ifconfig_nat_remote);
+    options->route_default_gateway = ifconfig_nat_remote;
+  }
+  else if (options->topology == TOP_NET30 || options->topology == TOP_P2P) {
+    cnol_check_alloc (options);
+    msg (M_INFO, "ifconfig-nat: Inserted \"client-nat snat %s 255.255.255.255 %s\"",
+      ifconfig_nat_local, options->ifconfig_local);
+    add_client_nat_to_option_list(options->client_nat,
+      "snat", ifconfig_nat_local, "255.255.255.255", options->ifconfig_local, msglevel);
+    msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s 255.255.255.255 %s\"",
+      ifconfig_nat_remote, options->ifconfig_remote_netmask);
+    add_client_nat_to_option_list(options->client_nat,
+      "dnat", ifconfig_nat_remote, "255.255.255.255", options->ifconfig_remote_netmask, msglevel);
+    if (ifconfig_nat_netmask) {
+      msg (M_INFO, "ifconfig-nat: Inserted \"client-nat dnat %s %s %s\"",
+        ifconfig_nat_remote, ifconfig_nat_netmask, options->ifconfig_remote_netmask);
+      add_client_nat_to_option_list(options->client_nat,
+        "dnat", ifconfig_nat_remote, ifconfig_nat_netmask, options->ifconfig_remote_netmask,
+        msglevel);
+    }
+    msg (M_INFO, "ifconfig-nat: ifconfig options reset: %s %s",
+      ifconfig_nat_local, ifconfig_nat_remote);
+    options->ifconfig_local = ifconfig_nat_local;
+    options->ifconfig_remote_netmask = ifconfig_nat_remote;
+  }
+}
+#endif
+
 static void
 read_config_file (struct options *options,
 		  const char *file,
@@ -3930,6 +4029,9 @@
     }
   CLEAR (line);
   CLEAR (p);
+#ifdef ENABLE_CLIENT_NAT
+  if (level == 1 && !options->pull) ifconfig_nat_apply(options, msglevel);
+#endif
 }
 
 static void
@@ -4041,6 +4143,9 @@
 	  add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
 	}
     }
+#ifdef ENABLE_CLIENT_NAT
+  ifconfig_nat_apply(options, msglevel);
+#endif
   return true;
 }
 
@@ -4308,7 +4413,7 @@
 	  port = atoi (p[2]);
 	  if (!legal_ipv4_port (port))
 	    {
-	      msg (msglevel, "port number associated with --management directive is out of range");
+	      msg (msglevel, "port number associated with --management directive is out of range: %s", p[2]);
 	      goto err;
 	    }
 	}
@@ -4499,6 +4604,24 @@
 	  goto err;
 	}
     }
+#ifdef ENABLE_CLIENT_NAT
+  else if (streq (p[0], "ifconfig-nat") && p[1] && p[2]) {
+    VERIFY_PERMISSION (OPT_P_GENERAL);
+    if (!ip_addr_dotted_quad_safe (p[1])) { /* FQDN -- must be IP address */
+      msg (msglevel, "ifconfig-nat parameter local '%s' must be an IP address", p[1]);
+      goto err;
+    }
+    if (!ip_addr_dotted_quad_safe (p[2])) { /* FQDN -- must be IP address */
+      msg (msglevel, "ifconfig-nat parameter remote '%s' must be an IP address", p[2]);
+      goto err;
+    }
+    if (p[3] && !ip_addr_dotted_quad_safe (p[3])) { /* FQDN -- must be IP address */
+      msg (msglevel, "ifconfig-nat parameter netmask '%s' must be an IP address", p[3]);
+      goto err;
+    }
+    ifconfig_nat_set(options, msglevel, p[1], p[2], p[3]);
+  }
+#endif
   else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] )
     {
       unsigned int netbits;
Only in openvpn-2.3.10_patched/src/openvpn: options.c.orig

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...