[Tutorial] Split-Tunneling via User

Holy shit, that's genius! I didn't know you could create tables based on a username with ip. So any program started as $VPNUSER will use the tunnel. I have a few remarks, though.

You want to use the most recent version of OpenVPN, which is available from build.openvpn.net directly, even for archaic distribution versions (Debian 7, Ubuntu 12.04). I'd suggest adding a few steps to add that repo and install the newest version instead of relying on the distribution's version.

On 6/20/2019 at 4:27 PM, ucode said:

Add this to the config:


nobind
disable-occ
script-security 2
route-noexec
up /etc/openvpn/iptables.sh
down /etc/openvpn/update-resolv-conf

As a result, disable-occ here is a discouraged option in the OpenVPN 2.4 documentation and should be omitted because it's not needed.
 
On 6/20/2019 at 4:27 PM, ucode said:

Change DNS


nano /etc/openvpn/update-resolv-conf

foreign_option_1='dhcp-option DNS 1.1.1.1'
foreign_option_2='dhcp-option DNS 1.0.0.1'
foreign_option_3='dhcp-option DNS 209.222.18.222'

If NetworkManager is used, setting DNS this way won't work continuously. Eventually, it will simply override whatever you set here, when the DHCP lease runs out at the latest. So if you're using Linux with a desktop environment, create a new profile in your network settings, set IPv4 and IPv6 to DHCP (addresses only) and enter the DNS servers there.
I wouldn't recommend your choice of DNS server, either. First and foremost, AirDNS IPv6 should be used, then its IPv4 (both are found in the specs) and then maybe something like 1.1.1.1 as a fallback if you really need it. The third DNS server in there looked like an OpenDNS server to me and I was about to advise against it because it blocks certain more or less harmful things itself, contradicting AirVPN's mission, but something seemed wrong with it. So I dug deeper and found this post suggesting it was a PrivateInternetAccess DNS server, which also means a PIA user was somehow involved in the creation of this guide. :D Omit or adjust to AirVPN's needs.
 
On 6/20/2019 at 4:27 PM, ucode said:

Change ifconfig to ip if your OS doesn't support ifconfig anymore, or install it.


apt install net-tools

This shouldn't be used either. It's unmaintained and very obsolete. I'd stick to ip. The gateway address could be pulled by something like
ip r|grep -E "dev tun0.*src"|cut -d " " -f9
Then the installation of net-tools can be omitted.
 
On 6/20/2019 at 4:27 PM, ucode said:

Add:


net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.XXXXXX.rp_filter = 2

Shouldn't this also be done for IPv6?

Other than that, completely genius! Think about the changes and a mod might just move it to the How-To forum! Well done! ❤️ 

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


Maybe also identify by script which tunX interface is used by the openvpn process and use that in the ip commands instead of hardcoding tun0... It's only an idea. Should be possible.

$ sudo lsof /dev/net/tun
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
openvpn 2098 root    4u   CHR 10,200     0t52 16675 /dev/net/tun
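As an added example of what both replies are getting at (this is my own code, not ucode's tutorial and not either post's): a small POSIX-shell helper that finds the tun interface and its local address by parsing `ip -4 route`, rather than hardcoding tun0 or cutting a fixed column out of the route line, and that prefers the `$dev` variable OpenVPN exports to its own up/down scripts when one is available. The route table it runs against is a constructed sample, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the tutorial or either reply): discover the OpenVPN
# tunnel interface and its local address instead of hardcoding tun0.
#
# Inside an OpenVPN --up/--down script, OpenVPN itself exports the interface
# name as $dev and the tunnel's local address as $ifconfig_local (documented
# script environment variables), so an iptables.sh up script can simply use
# those. Outside such a script, the helpers below parse `ip -4 route` output.
# Assumes a POSIX shell, awk and iproute2; the tunnel is a tun device.

# Print the first interface in a route table dump ($1) whose name starts with
# the prefix $2 (default "tun"). Matches on the "dev" keyword, not on column
# position, because field order in `ip route` output is not fixed.
first_tun_dev() {
    printf '%s\n' "$1" | awk -v pfx="${2:-tun}" '
        { for (i = 1; i < NF; i++)
              if ($i == "dev" && index($(i+1), pfx) == 1) { print $(i+1); exit } }'
}

# Print the "src" address of the first route that leaves via interface $2,
# reading the route table dump from $1. Prints nothing if no such route exists.
tun_src_addr() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { hit = 0
          for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == want) hit = 1
          if (hit) for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# Interface name for use in `ip rule` / `ip route ... table` commands:
# prefer what OpenVPN handed us in $dev, else scan the live routing table.
vpn_dev() {
    if [ -n "$dev" ]; then
        printf '%s\n' "$dev"
    else
        first_tun_dev "$(ip -4 route 2>/dev/null)"
    fi
}

# Constructed sample of `ip -4 route` output (not captured from a real host):
# the tunnel happens to be tun3, so anything hardcoding tun0 would miss it.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.4.0.0/16 dev tun3 proto kernel scope link src 10.4.2.3
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

demo_dev=$(first_tun_dev "$SAMPLE_ROUTES")
printf 'tunnel device: %s  local address: %s\n' \
    "$demo_dev" "$(tun_src_addr "$SAMPLE_ROUTES" "$demo_dev")"
```

The awk matching keys on the `dev` and `src` keywords because `ip route` only guarantees the keyword/value pairs, not their column; a route with an extra `metric` or `proto` token shifts the ninth field and silently breaks a `cut -f9`. Inside the `up` script itself, `$dev` and `$ifconfig_local` are already set by OpenVPN, so the route-table scan is only needed for commands run outside it.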
