Setup Split tunneling when using OpenVPN

I recently wrote about configuring OpenVPN with the PrivateInternetAccess VPN on my home server. During this process, I noticed that I was not able to SSH into the machine, or reach any of the other services I provide, from outside my network or across my WAN connection. What I discovered was that whenever OpenVPN makes its connection, it becomes the default gateway for all your outbound connections. This becomes a problem when you need to reach the machine from outside of your network, because any responses sent by your server will end up going out across the VPN, since that is now its gateway.

Luckily, Linux is pretty powerful when it comes to networking! We can set up our own routes and give it rules to follow. What I did was create a route that returns any packets that came in from my WAN back out across my WAN, instead of sending them to the VPN. The cool thing is that all my other outbound packets still go across the VPN, which is what I want them to do for safety. My BitTorrent traffic still goes out my VPN connection.

I followed the guide here to set up the routes: http://lartc.org/howto/lartc.rpdb.multiple-links.html The problem is that whenever you use the ip command to create routes, they do not persist across a reboot! So, I used the commands to quickly create my desired routes and then test them. After setting it all up, I confirmed it was working like I wanted, so my next step was to keep these routes across reboots. Red Hat and CentOS use script files to set up and tear down routes when they initialize the network. The thing to keep in mind when you create these scripts is that the network scripts essentially just run the "ip route add" (or "ip rule add") command with each line of your script appended to it.

First, you need to create your route script. It will need to be housed in the /etc/sysconfig/network-scripts directory, and its name should be route- followed by the interface name (route-eth0 for eth0). Below is a snippet of my /etc/sysconfig/network-scripts/route-bond0 file (I am using bonded NICs, hence the bond0. If you just have one NIC this would be eth0).

192.168.1.0/24 dev bond0 src 192.168.1.2 table novpn
default via 192.168.1.1 table novpn
192.168.1.0/24 dev bond0 src 192.168.1.2

Then you need to create a rules script in the same /etc/sysconfig/network-scripts directory. Its name should begin with rule-, followed by the interface name (rule-eth0). Below is a snippet of what I have in my /etc/sysconfig/network-scripts/rule-bond0:

from 192.168.1.2 table novpn

In both my examples above, I am using a bonded NIC pair which is named bond0. The IP address of my server is 192.168.1.2, and it's on the 192.168.1.0/24 network. My gateway is at 192.168.1.1.

Once you have those two files created you will need to restart your networking, by running the command:

sudo service network restart
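As an added example (not part of the original post or its downloadable files), here is a small POSIX shell script that generates the route- and rule- file contents from a few variables, prints the equivalent one-off "ip" commands for testing, and optionally installs the files. It assumes the table name "novpn" has to be registered in /etc/iproute2/rt_tables with an unused number (100 is an assumption; check the file for conflicts).

```shell
#!/bin/sh
# Added example: build the policy-routing pieces described above.
# Override any of these on the command line, e.g. IFACE=eth0 sh split.sh show
IFACE="${IFACE:-bond0}"
HOST_IP="${HOST_IP:-192.168.1.2}"
LAN="${LAN:-192.168.1.0/24}"
GATEWAY="${GATEWAY:-192.168.1.1}"
TABLE_NAME="novpn"
TABLE_ID="100"   # assumption: any id not already used in /etc/iproute2/rt_tables

# Lines for /etc/sysconfig/network-scripts/route-$IFACE: the LAN and a
# default route via the real gateway, both in the novpn table, plus the
# LAN route in the main table (where tun0 becomes the default later).
route_lines() {
    printf '%s\n' \
        "$LAN dev $IFACE src $HOST_IP table $TABLE_NAME" \
        "default via $GATEWAY table $TABLE_NAME" \
        "$LAN dev $IFACE src $HOST_IP"
}

# Line for rule-$IFACE: replies sourced from the LAN address are looked up
# in the novpn table, so they leave via the router instead of the VPN.
rule_lines() {
    printf '%s\n' "from $HOST_IP table $TABLE_NAME"
}

# Same thing as non-persistent "ip" commands, for testing before a reboot.
ip_commands() {
    route_lines | sed 's/^/ip route add /'
    rule_lines  | sed 's/^/ip rule add /'
}

# Write the persistent files (run as root). The table name must exist in
# rt_tables, otherwise "table novpn" is rejected when the interface comes up.
install_files() {
    grep -q "[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables \
        || echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
    route_lines > "/etc/sysconfig/network-scripts/route-$IFACE"
    rule_lines  > "/etc/sysconfig/network-scripts/rule-$IFACE"
}

case "${1:-}" in
    show)    ip_commands ;;
    install) install_files ;;
esac
```

After applying, "ip rule show" and "ip route show table novpn" confirm the rule and table are in place, and "ip route get 8.8.8.8 from 192.168.1.2" should show the reply path via 192.168.1.1 rather than tun0.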

Feel free to download the files I have created and modify them to fit your needs. Here is a link to download them: http://www.gigahype.com/wp-content/uploads/2014/01/route_and_rules.tar

sudo wget http://www.gigahype.com/wp-content/uploads/2014/01/route_and_rules.tar

That's it! You now have split tunneling that lets all of your server's outbound traffic go out on your VPN adapter (tun0), while any request that comes in from your WAN gets its reply sent out the normal gateway to your router and ISP.

8 Comments

  • Jan says:

    Great stuff -- wondering if there is a way to do this from a Windows PC as well. I am using PrivateInternetAccess VPN primarily from my Windows 2003 Home Server, and I am also in need of split tunneling -- i.e. not routing all traffic through the VPN gateway, but only specific applications.

  • Paul R says:

    Love both write ups on VPN - I do have a question for the above one. My ISP has me using a dynamic IP which is a pain for my mail server as spamus will not let my mail be delivered. How do I only divert certain ports example ports 25 and 110 via the vpn?

  • John Dhoe says:

    I want to do the same thing with routing my torrent traffic out over a vpn, and keeping the normal traffic through the normal gateway. Right now I have my wifi router set with two ssids, and use vlan tagging to get the two traffic streams to my ubuntu server. One ssid is normal traffic to go through the default gateway, and the other ssid I want to send all traffic through the vpn. The vpn provider uses openvpn. Dnsmasq is serving dhcp to both networks, with separate subnets. I have a few questions:

    1. Is split tunneling what I need?

    2. How do I route the dns requests out to the vpn? How do I get the vpn interface to use the vpn provider dns without completely taking over the main dns server?

    3. Can I use iptables to segregate the subnets and masquerade all the vpn bound traffic on the vpn interface?

    4. If I were to set up a tunnel with vpn, set no other routes each, then just set the vpn tunnel as the default route for the vpn bound network, then masquerade it, would that work? Do I still need to worry about dns requests if I set the dns server as the vpn interface?

  • i think "sudo yum network restart" should be "sudo service network restart". Care to update this for CentOS7 ? muwahaha

    • CubedRoot says:

      HAH! Good catch! Thanks for the heads up on that. I updated the post with the correct command. I must have yum on the brain 🙂

      I have been tinkering with CentOS 7 a bit, but haven't fully moved it into "production" just yet. I still have mixed feelings on it. Once I do get brave enough to move it to production, I will create a blog post for split tunneling on it.

  • Drewster says:

    Great Post. How do I do this in ubuntu? I grabbed the scripts and modified them but there is no "/etc/sysconfig" folder?

    Thanks,
    Drew
