Debian – Incoming/Outgoing seperation for VPN

debiandnsnetworkingvpn

My situation is that I want all my outgoing connections from my Debian server to pass through a commercial VPN service I've subscribed to, but I still want to run public-accessible services on this server, and not have them pass through the VPN.

That is, I have BIND9 (authoritative), SMTP, Apache, SSH etc running on this server, and I want incoming connections to be able to reach these services without using the VPN.

To clarify, I only want to use the VPN to hide my outgoing connections, but still be able to answer requests on my real IP for anything that has come in that way.

To make matters even more complicated—I use BIND as both an authoritative server for my domain (on the public internet), and I also have recursion turned on so I can use it as the resolver for my local network (private ip range). Is it possible to VPN the outgoing DNS connections from BIND but still allow incoming requests to reach the authoritative bit?

I gather this has something to do with iproute2, but I can't figure out the correct config.

I'm on Debian 6.0.7. The VPN is OpenVPN.

Best Answer

You should use policy routing to implement this. The rules won't be too complicated.

Your (main) default route should point toward the VPN interface. You'll probably use OpenVPN's --redirect-gateway def1 option to have this managed automatically for you when the VPN comes up. It makes OpenVPN override the system default route with a couple of /1 routes that have the same effect and makes sure OpenVPN itself can still reach its remote peer in the normal way without the obvious routing loop.

This default route will make locally originated traffic go out through the VPN and it will also make replies to traffic that came in through the VPN go out the VPN.

Now you want to override this with a policy rule for packets that are associated with connections that came in on the non-VPN interface. You want to make those packets go back out through the non-VPN interface.

The following should accomplish this by (1) matching packets that have the non-VPN public IP address as a source address and asking those to be routed via a different routing table, (2) in that routing table, sending everything to your original (non-VPN) default route.

ip route add table 42 default via X.Y.Z.W
ip rule add from A.B.C.D/32 table 42

A.B.C.D should be your public (non-VPN) IP address, and X.Y.Z.W should be your original system default route (through your ISP, not through your VPN).

The similar config for IPv6 traffic is left as an exercise for you :-)

Related Solutions

Port Forwarding to VPN Client – How to Port Forward to VPN Client?

You need to do three things on your VPN server (the Linode) to make this work:

You must enable IP forwarding:
```
sysctl -w net.ipv4.ip_forward=1
```
Set up destination NAT (DNAT) to forward the port. You've probably already figured this out because it's standard port forwarding stuff, but for completeness:
```
iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 6000 -j DNAT --to-dest y.y.y.100:6000
```
Set up source NAT (SNAT) so that from your VPN client's perspective, the connection is coming from the VPN server:
```
iptables -t nat -A POSTROUTING -d y.y.y.100 -p tcp --dport 6000 -j SNAT --to-source y.y.y.1
```

The reason you need the SNAT is because otherwise your VPN client will send its return packets straight to the host which initiated the connection (z.z.z.z) via its default gateway (i.e. Verizon 3G), and not via the VPN. Thus the source IP address on the return packets will be your Verizon 3G address, and not x.x.x.x. This causes all sorts of problems, since z.z.z.z really initiated the connection to x.x.x.x.

In most port forwarding setups, the SNAT is not needed because the host performing the port forwarding is also the default gateway for the destination host (e.g. a home router).

Also note that if you want to forward port 6000 to a different port (say 7000), then the SNAT rule should match on 7000, not 6000.

Linux – How to open VPN connection inside other VPN connection under Linux/Ubuntu

As long as the VPN servers do not use the same IPs internally, it should possible - but probably not by using only one wrapper like NetworkManager. You need to start at least one VPN client by hand or by using others tools like kvpnc.

Depending on what you want, you need to be careful with the routes. You need to get sure, that the routes which are set by the second vpn client do not replace the direct access to the first vpn server. You may need to set explicit routing options before you start the second vpn client by calling:

ip route add IP_OF_FIRST_VPN_SERVER dev WAN-INTERFACE
ip route add IP_OF_SECOND_VPN_SERVER dev FIRST-VPN-INTERFACE

(replace the words in capitals by the corresponding values. Your WAN interface is probably eth0 or wlan0, the vpn interface could be e.g. ppp0).

Additionally, the two vpn clients need to use separate interfaces (which should be normally the case).

Best Answer

Related Solutions

Port Forwarding to VPN Client – How to Port Forward to VPN Client?

Linux – How to open VPN connection inside other VPN connection under Linux/Ubuntu

Related Question