Hitotsume

How to allow specific IP addresses/ranges through AirVPN Suite network lock?

Recommended Posts

I'm setting up AirVPN's OpenVPN3 Suite on my home headless Arch server over SSH. I've never had a problem with it in prior years (when the server was Debian, which makes a lot of sense considering it probably had some installed program that blocked AirVPN network locking functionality), but recently it's been kicking my SSH session at every activation due to network lock setting up on a different subnet than my LAN (10.x.x.x vs 192.168.x.x). I was further surprised to find that there does not seem to be any native functionality built into goldcrest or bluetit to allow for exceptions to the network lock iptables rules (i.e. allowing a certain IP or subnet in through the filter); all I can seem to find is the ability to toggle the lock between iptables and nftables. My question, then, is just that: is there any way for me to allow certain addresses through my network lock, while keeping it active for 99% of external traffic? Or, more preferably, allowing my entire 192.168.x.x subnet?

@Hitotsume

Hello!

Traffic splitting on a destination address basis is not implemented in the Suite and as a consequence exceptions to Network Lock are not available from the options: you would need to add specific rule(s) after the lock has been enforced. However, in your case this is not necessary as Network Lock already allows local networks. Furthermore, the Suite may take care to avoid VPN traffic tunneling into the local network even with WireGuard (default behavior). The behavior can be set through the specific option allowprivatenetwork as you might already know from the manual:

* allowprivatenetwork (yes/no) Control how the local and private network
  traffic can pass through the Network Lock. When disabled, only VPN traffic is
  allowed through the Network Lock. When enabled local and private network traffic,
  as well as VPN traffic, is allowed to pass through the Network Lock. Default: yes

Please note that WireGuard support and configuration of Network Lock behavior for local network are implemented on AirVPN Suite 2.0.0, currently available as Release Candidate 2:
https://airvpn.org/forums/topic/66706-linux-airvpn-suite-200-preview-available/

AirVPN Suite 2.0.0 also implements traffic splitting on an application basis. Although not required in your specific case, since from your description it sounds like you need to connect to sshd only locally, in various scenarios per-app traffic splitting may be more useful and/or a valid replacement of traffic splitting on a destination basis. In your case, if you need to have sshd traffic outside the VPN tunnel (i.e. you explicitly want to leak SSH traffic outside the VPN tunnel so that you can reach sshd from the Internet without pointing to AirVPN server addresses and without AirVPN remote port forwarding) it's preferable to just split ssh traffic (read the 2.0.0 user's manual to achieve this purpose in a very simple way if it is necessary).

Kind regards
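The reply above notes that a destination-based exception has to be added as specific iptables rules after Network Lock has been enforced. The following POSIX shell helper is an added example, not code from the thread or from the AirVPN Suite: it builds and idempotently inserts an SSH exception for a LAN subnet ahead of the lock's blocking rules. The subnet and port values, the `ssh_exception_*` function names and the `--apply` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the AirVPN Suite): keep LAN SSH reachable once
# Network Lock rules are in place by inserting explicit ACCEPT rules in front.
LAN_SUBNET="${LAN_SUBNET:-192.168.0.0/16}"   # assumption: set to your own LAN
SSH_PORT="${SSH_PORT:-22}"                   # assumption: sshd listening port

# Print the two iptables rule lines for the exception, one per line.
# "-I ... 1" puts each rule at the top of its chain so it is evaluated before
# any DROP/REJECT rule the lock installed. INPUT accepts new and established
# SSH connections from the subnet; OUTPUT only lets sshd's replies back out.
ssh_exception_rules() {
  subnet="$1"; port="$2"
  printf '%s\n' \
    "-I INPUT 1 -s $subnet -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
    "-I OUTPUT 1 -d $subnet -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Return 0 if an ACCEPT rule for this subnet and port already exists in the
# live filter table (reads `iptables -S INPUT`, which requires root).
ssh_exception_present() {
  iptables -S INPUT 2>/dev/null | grep -q -- "-s $1 .*--dport $2 .*-j ACCEPT"
}

# Insert the rules unless an equivalent one is already present, so the script
# can be re-run safely after every lock activation.
apply_ssh_exception() {
  if ssh_exception_present "$LAN_SUBNET" "$SSH_PORT"; then
    echo "SSH exception for $LAN_SUBNET already present"
    return 0
  fi
  ssh_exception_rules "$LAN_SUBNET" "$SSH_PORT" | while read -r rule; do
    # shellcheck disable=SC2086  # word splitting of the rule string is intended
    iptables $rule || { echo "failed: iptables $rule" >&2; exit 1; }
  done
  echo "SSH exception for $LAN_SUBNET:$SSH_PORT inserted"
}

# Only touch the firewall when explicitly asked (e.g. `sudo sh lock-ssh.sh --apply`).
if [ "${1:-}" = "--apply" ]; then
  apply_ssh_exception
fi
```

If the Suite rewrites the rule set on reconnection, the exception has to be re-applied afterwards; the presence check makes repeated runs harmless. With `allowprivatenetwork` left at its default of yes, none of this should be needed, so verify that setting first.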
