I am currently running a system in which I need to be able to send and recieve HTTP and HTTPS traffic directly, however all other traffic must go via a VPN.
My setup is :
x2 interfaces : eth0 (local network, behind a router) and tun0 (openvpn client)
Currently all traffic is routed through my vpn, i was wondering if it were possible to not route http and https traffic (80, 443) through the VPN.
Here is the routing table when the system and openvpn client have started :
0.0.0.0/1 via 10.8.13.5 dev tun0
default via 192.168.1.1 dev eth0
10.8.13.1 via 10.8.13.5 dev tun0
10.8.13.5 dev tun0 proto kernel scope link src 10.8.13.6
128.0.0.0/1 via 10.8.13.5 dev tun0
176.67.168.144 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.56
192.168.1.1 dev eth0 scope link
I have read through other similar questions however either the answers don't reroute the traffic or just block it.
Thanks in advance ๐
Best Answer
Routing is at IP layer 3. TCP is at layer 4, so routing alone isn't enough to deal with this.
In short: the interesting traffic has to be tagged with
iptables
, and tagged packets selected withip rule
'sfwmark
to use a separate routing table. Then two more fixes have to be applied for the locally initiated/receiving traffic case, which is more difficult than the routed case. All the settings are of course done on the local system.Routing table
80
(a matching symbolic name can be added in/etc/iproute2/rt_tables
but that's not mandatory) and mark0x80
were "arbitrarily" chosen.Using
-I
to ensure that the iptables rules aren't appended too late. You should check with your current rules how to reorder that if needed:This blog: Netfilter Connmark ยป To Linux and beyond ! gives good informations on
CONNMARK
.This should have been working, but actually the wrong default outgoing IP will have been selected at the first routing decision, because the route was about to be through
tun0
. At the reroute check made because of themangle/OUTPUT
's mark (see this Packet flow in Netfilter and General Networking schematic for clarification), this IP won't change. If the traffic handled was routed instead of being locally initiated, this problem wouldn't happen (using a separate net namespace to ensure this is a solution for services, probably not for a Desktop). So this requires also a layer ofMASQUERADE
(orSNAT
for more complex cases) on top of it:Now that the outgoing source IP is correct, it's still not working: the reverse path filter triggers in the return path for about the same reason: the routing decision made before
PREROUTING
doesn't know thefwmark
for now (despite the previous schematic placingmangle/PREROUTING
before the routing decision, that's apparently not the case), thus considers the return traffic packets to be spoofed and drops them early. Theeth0
interface'srp_filter
has to be put in loose mode for this to be allowed. This might have some (very minor behind NAT) security issues but I found it unavoidable for this non-routed case:You'll have to find how to set it permanently (eg
echo net.ipv4.conf.eth0.rp_filter=2 > /etc/sysctl.d/90-local-loose-mode.conf
if nothing else alters it later).Tested ok using namespaces with similar settings to OP's.
NOTE: DNS requests will still go through the tunnel. Some geolocalized web services might not work as expected.