Application / interface specific routing

macosnetworkingroutingunixvpn

I have a routing configuration whose intention is to route all traffic through a tunnel (utun3) into an openvpn client which then connects to the openvpn server (64.120.44.114) via my physical interface (en0).

What I want to do is route certain applications directly via the physical interface (en0) instead of through the tunnel (utun3). Currently, the routing pair 0/1 and 128.0/1 is forcing all internet traffic through the tunnel.

What I had imagined is that if I were to send traffic to an internet address from an application that binds its outgoing address on the physical interface (ie. 10.0.1.15), then this traffic will route through the remaining default route for that address' interface (en0). Unfortunately, the operating system simply fails to route these packets instead:

$ ping 8.8.8.8          # or mtr 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=40.835 ms

$ ping -b utun3 8.8.8.8 # or mtr -a 10.12.44.16 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=42.036 ms

$ ping -b en0 8.8.8.8   # or mtr -a 10.0.1.15 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host

Is there something I can do to ensure that packets sent with an outgoing address that is incompatible with the overriding route 0/1, 128.0/1 to instead use the compatible default route? If not, is there some other means of configuring the routing table that might serve the purpose of routing through en0 for specific applications but routing through utun3 "by default"? If there is no such method with respect to routing, can you recommend any software solutions for doing application-specific routing or ignoring the routing table? For my case, ideally the software should run on macOS.

I have the following interfaces:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 60:03:08:8b:96:88
    inet6 fe80::1c29:1e13:e8ba:fd3%en0 prefixlen 64 secured scopeid 0x5
    inet 10.0.1.15 netmask 0xffffff00 broadcast 10.0.1.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.12.44.16 --> 10.12.44.16 netmask 0xfffffc00

I have the following in my routing table:

default            10.0.1.1           UGSc            0        0     en0
10.0.1.1           0:24:36:a0:86:a5   UHLWIir         4      106     en0
64.120.44.114/32   10.0.1.1           UGSc            1        0     en0

0/1                10.12.44.1         UGSc          101        2   utun3
128.0/1            10.12.44.1         UGSc           12        0   utun3
10.12.44/22        10.12.44.16        UGSc            1        0   utun3
10.12.44.16        10.12.44.16        UH              3      170   utun3

Best Answer

Linux routing is VERY versatile, and there are many ways of doing what you want. But you will rise the complexity of the setup (read: it will get harder to troubleshoot when/if you get a problem)

The easiest way, in my opinion, is by using a rule to implement routing based on source of packets. (Sometimes called policy based routing, by cisco anyway)

Linux supports multiple route tables, and it's easy to add custom tables (read iproute2 manual)

Then, it supports rules to direct "route searching" to different tables based on priority and criteria. Rule criterium can be source address. By default there are 3 tables: local, main and default. You can:

1-create a new table, say "direct"

    echo "100 direct" >> /etc/iproute2/rt_tables

2-add a default route to that table via en0

    ip route add default dev en0 table direct

3-add a new rule with, e.g., priority 1000 to use table direct for traffic originating in 10.0.1.15

    ip rule add from 10.0.1.15 lookup direct

Now, the issue is that MacOS is not linux and I came to know that your issue is in MacOS, which I'm not very versed on. Nevertheless, it seems doable. Current MacOS comes with PF, a firewall ported from OpenBSD aparently at its version 4.5 stage. This firewall is able to modify -at the kernel level- the routing based on rules (on top of doing a lot of other things). You specify this using a route-to keyword in rules. Rules are usually specified in anchors which contain pieces of configuration. PF comes disabled by default, so you will need to enable it too. You could:

1- Create a new anchor config file /etc/pf.anchors/pbr.conf with:

     pass out on utun3 route-to (en0 10.0.1.1) from utun3 to any

that will redirect outgoing traffic through utun3 to en0 if the source was an utun3 address.

2- Add this anchor to the pf config editing /etc/pf.conf and putting

    anchor "pbr.rules"
    load anchor "pbr.rules" from "/etc/pf.anchors/pbr.rules"

3- Enable PF somehow, to do testing you can use pfctl -E and afterwards you can use pfctl -F all -f /etc/pf.conf to reload the configuration if needed.

Look Run command on startup / login (Mac OS X)

Part 1. Output of locally-generated (outbound connection) packages.

Mark outgoing locally generated packages with connection-specific mark for future rerouting with different rt_table.

/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p tcp --dport Y -m owner --uid-owner 100Z -j CONNMARK --set-mark 2
/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p udp --dport Y -m owner --uid-owner 100Z -j CONNMARK --set-mark 2

Translate connection-specific markers to package-specific markers.

/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p tcp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p udp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j MARK --set-mark 2

Save marker for further restoring it for all tracked connections. This can be implemented in NAT POSTROUTING table only - it's just a precaution to not loose markers after connection traverse the routing table.

/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p tcp -m owner --uid-owner 100Z -m tcp --dport Y -m connmark ! --mark 0 -j CONNMARK --save-mark
/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p udp -m owner --uid-owner 100Z -m udp --dport Y -m connmark ! --mark 0 -j CONNMARK --save-mark

Normally connection-specific markers should be saved after packages rerouted and reached NAT POSTROUTING table

/sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.XXX -o tun0 -p tcp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j CONNMARK --save-mark
/sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.XXX -o tun0 -p udp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j CONNMARK --save-mark

Replace source with proper VPN-related local address for tun0 interface.

/sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.XXX -o tun0 -p tcp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j SNAT --to-source 10.???.???.???
/sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.XXX -o tun0 -p udp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j SNAT --to-source 10.???.???.???

Part 2. Input of connections related to locally-generated (outbound connection) packages.

Restore connection-related markers for input packets before they go to the routing table.

/sbin/iptables -t mangle -A PREROUTING -i tun0 -p tcp -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A PREROUTING -i tun0 -p udp -j CONNMARK --restore-mark

Part 3. Optional optimization

Other than above rules there is a strong desire in optimizing marking process to prevent or minimize redundant and repeated checks with marking. The most general approach for this task is to distinguish rules between NEW and RELATED,ESTABLISHED connection and use below template for optimal remarking already marked connections: * Restore old markers (you probably won't do this for NEW connections because they are obviously wasn't marked earlier):

/sbin/iptables -A OUTPUT -t mangle -j CONNMARK --restore-mark

Skip already marked connections:

/sbin/iptables -A OUTPUT -t mangle -m mark ! --mark 0 -j ACCEPT

Mark new (usually marking only NEW connection should be enough) connections:

/sbin/iptables -A OUTPUT -m mark --mark 0 -p tcp --dport 21 -t mangle -j MARK --set-mark 1
/sbin/iptables -A OUTPUT -m mark --mark 0 -p tcp --dport 80 -t mangle -j MARK --set-mark 2

Mark other packages with a "dummy" marker (that is not used anywhere else at all):

/sbin/iptables -A OUTPUT -m mark --mark 0 -t mangle -p tcp -j MARK --set-mark 3

Finally save markers:

/sbin/iptables -A OUTPUT -t mangle -j CONNMARK --save-mark

NOTE: the above settings are not a mandatory part of netfilter configuration for split tunnel - it is just a template (i.e. proper suggestion) for the way to minimize redundant filter checks. It also can be POSTROUTING instead of OUTPUT, but only one place is recommended for markings, do not need to implement it twice.

Part 4. Create table aliases in rt_tables.

echo 2 vpn >/etc/iproute2/rt_tables
echo 3 novpn >/etc/iproute2/rt_tables

Part 5. Configuring routing tables for VPN connections.

This is a standard configuration for VPN that allows to redirect all local sources (0.0.0.0/1 and 128.0.0.0/1 subnets include the whole IP range for local addresses) and also provides backward compatibility for returning packages (i.e. the "default" route).

Table with VPN connection

ip route flush table vpn
ip route add 10.???.???.(???+1) dev tun0 src 10.???.???.??? table vpn
ip route add 0.0.0.0/1 dev tun0 via 10.???.???.(???+1) table vpn
ip route add 128.0.0.0/1 dev tun0 via 10.???.???.(???+1) table vpn
ip route add 192.168.0.0/16 src 192.168.XXX.XXX dev eth0 table vpn
ip route add default via 192.168.XXX.1 dev eth0 table vpn

The other table called "novpn". It's goal to provide direct routing bypassing VPN connection.

ip route flush table novpn
ip route add 192.168.0.0/16 src 192.168.XXX.XXX dev eth0 table novpn
ip route add default via 192.168.XXX.1 dev eth0 table novpn

Part 6. Configuring routing rules (it is better to follow rule order below)

ip rule add from all lookup novpn
ip rule add from all fwmark 2 lookup vpn
ip rule add from 10.XXX.XXX.XXX lookup vpn

Part 7. Final steps

Now it is time to flush main routing table (there is no need for it while split tunnel is working):

ip route flush table main

The last step in configuration is to enable IP forwarding and dynamic IP addresses for sockets (client application connections) in Linux kernel:

echo 1 >/proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/ip_dynaddr

Now we can launch OpenVPN client with "--route-noexec" and/or "--ifconfig-noexec" (whether you already know or still not receive push message from VPN server with your tun0 interface configuration) parameters. If there are troubles with tun0 addresses - it is better to not use "--ifconfig-noexec" and let OpenVPN client set tun0 addresses for you. After that you just need to delete some old rules from "ip route" and "/sbin/iptables" and replace them with similar ones containing proper tun0 addresses (refer to all lines with 10.XXX.XXX.XXX or 10.XXX.XXX.(XXX+1) from above).

openvpn --config ./<your_config>.ovpn --route-noexec --ifconfig-noexec --auth-nocache

Those are only rules for outbound connections. The main difference between inbound and outbound configurations: inbound rules should be implemented mostly in "mangle" table, not "nat", and vice-verse for outbound as shown above. There is an exception - for output of both locally-generated (outbound) and answered (inbound connection) packages rules must be placed in "mangle" table due to netfilter architecture implementation (for some reason "nat" table will intercept packages only after the rerouting procedure - consult Wikipedia netfilter graph or netfilter official documentation).

Best Answer

Related Solutions

IPv6 routing problem

Linux – Split tunnel routing a specific port over OpenVPN on Ubuntu Server 12.04