There have been similar questions on StackExchange but none of the answers helped me, so I'll try a question of my own.
I have a VPN connection via OpenVPN. By default, all traffic is redirected through the tunnel using OpenVPN's "two more specific routes" trick, but I disabled that. My routing table is like this:
198.144.156.141 192.168.2.1 255.255.255.255 UGH 0 0 0 eth0
10.30.92.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.30.92.1 10.30.92.5 255.255.255.255 UGH 0 0 0 tun1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.30.92.5 0.0.0.0 UG 0 0 0 tun1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
And the interface configuration is like this:
# ifconfig
eth0 Link encap:Ethernet HWaddr XX-XX-
inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::211:9ff:fe8d:acbd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:394869 errors:0 dropped:0 overruns:0 frame:0
TX packets:293489 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:388519578 (370.5 MiB) TX bytes:148817487 (141.9 MiB)
Interrupt:20 Base address:0x6f00
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.30.92.6 P-t-P:10.30.92.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:64 errors:0 dropped:0 overruns:0 frame:0
TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:9885 (9.6 KiB) TX bytes:4380 (4.2 KiB)
plus the lo device.
The routing table has two default routes, one via eth0 through my local network router (DSL modem) at 192.168.2.1, and another via tun1 through the VPN's gateway. With this configuration, if I connect to a site, the route chosen is the direct one (because it has less hops?):
# traceroute 8.8.8.8 -n
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.2.1 0.427 ms 0.491 ms 0.610 ms
2 213.191.89.13 17.981 ms 20.137 ms 22.141 ms
3 62.109.108.48 23.681 ms 25.009 ms 26.401 ms
...
This is fine, because my goal is to send only traffic from specific applications through the tunnel (esp. transmission, using its -i / bind-address-ipv4 option). To test whether this can work at all, I check it first with traceroute's -s option:
# traceroute 8.8.8.8 -n -s 10.30.92.6
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
...
This I take to mean that connection using the tunnel's local address as source is not possible.
What is possible (though only as root) is to specify the source interface:
# traceroute 8.8.8.8 -n -i tun1
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.30.92.1 129.337 ms 297.758 ms 297.725 ms
2 * * *
3 198.144.152.17 297.653 ms 297.652 ms 297.650 ms
...
So apparently the tun1 interface is working and it is possible to send packets through it.
But selecting the source interface is not implemented in my actual target application (transmission), so I would like to get source address selection to work.
What am I doing wrong?
Edit: Based on the answer by DerfK, here's my OpenVPN configuration:
In the .conf- or .ovpn-file, include these commands
# disable automatic route configuration
route-noexec
# enable executing scripts
script-security 2
# script to configure routes
up updown.sh
# script to deconfigure routes
down updown.sh
And the script updown.sh
contains:
#!/bin/bash
case $script_type in
up) echo routes up
# reproduce OpenVPN's standard routes
ip route add $trusted_ip via $route_net_gateway
ip route add $route_network_1 via $route_vpn_gateway
# but put the default route in an extra table
ip route add default via $route_vpn_gateway table 200
# and make sure it is activated by selection of the interface's address
ip rule add from $ifconfig_local/32 table 200
# flush routing cache (but everything seems to work without this, too)
ip route flush cache
;;
down) echo routes down
ip route del $trusted_ip
;;
esac
With this configuration, the traceroute -s
command gives the same output as the traceroute -i
showing the route through the VPN to the target address.
Something I did not explain in my original post: The VPN in question does not provide access to a protected local network, but to the Internet, but from a different location / IP address. Otherwise, adding a default route would not have been necessary in the first place.
Best Answer
What you are looking for is called "Source based routing" and the old
route
program can't manage that. You'll need to useiproute2
and set up an alternate routing table based on source IP address. Using the guide here you'll have something like:I'm not sure if you'll need to remove the route from the regular
route
table before doing this, but it should be OK to leave it (in fact it might be necessary in order to get the kernel to select the right source IP to talk to 10.30.92.5 for apps that don't bind to an IP).