Openvpn – Bypass VPN for HTTP/HTTPS traffic on Ubuntu

httpopenvpnubuntu-14.04vpn

I have an Ubuntu 14.04 machine that all it's outgoing traffic is through a VPN, and I'm required to make sure that HTTP and HTTPS traffic don't go through the VPN.
I've looked into static routing but it seems to handle only layer 3.
How should I approach this setting? Thanks.

Best Answer

In order to route packets destined to specific ports via a different default gateway you need to mark those packets using iptables and then route them via a different route table.

So, first create a new route table with default gateway your local gateway (not your VPN gateway)

ip route add table 4 default via 192.168.0.1

Then mark the packets you need based on the destination ports.

iptables -t mangle -A PREROUTING -p tcp --dport 80  -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 4

Finally route those marked packets via the newly created route table.

ip rule add fwmark 4 table 4

I havent' tested the commands above so they may need a little tweaking.

Related Solutions

Openvpn basic configuration for full traffic routing

I do this on my home Wifi, because I don't trust WEP/WPA. The relevant setting on my OpenVPN server is:

push "route 0.0.0.0 0.0.0.0"

That tells the client "I want you to route all your traffic through me". From there, I can deal with the traffic on the server as I would any other traffic that I need to route.

The only caveat is that you need to remove or deprioritise the default route that the DHCP server might send (if you're using dynamic config); I just have a post-up rule in /e/n/interfaces that deletes the default route that the DHCP server sends, since it's useless anyway, but you could also configure your DHCP server not to send it at all (I used to use dnsmasq, which got shirty if it couldn't send a default route, hence my hack; now I've run away from it, I should probably reconfigure ISC DHCP to do the right thing and not send the default route at all).

Trying to route outgoing http requests through VPN on Ubuntu Server 12.04

What you need is source policy routing to route responses to incoming connections out the EC2 gateway instead of the VPN. Assuming that your instance's internal IP is 1.0.0.20 with default gateway at 1.0.0.1, and VPN IP is 10.8.0.20:

Create named routing tables (only needs to be done once)

echo 10 ec2 >> /etc/iproute2/rt_tables
echo 11 vpn >> /etc/iproute2/rt_tables

Configure the new routing tables with a default route over their respective gateways

ip route add 1.0.0.0/24 dev eth0 table ec2
ip route add default via 1.0.0.1 table ec2
ip route add 10.8.0.0/24 dev tun0 table vpn
ip route add default via 1.0.0.1 table vpn

Add routing rules to select the correct routing table based on the source address
```
ip rule add from 1.0.0.20 lookup ec2
ip rule add from 10.8.0.20 lookup vpn
```

This should allow you to set the default gateway to be the VPN and still have incoming connections work.

What you could do instead however, is configure your application to explicitly bind to the VPN IP (10.8.0.20) when creating outgoing connections, which will cause all connections from that application to go over the VPN, but all other outgoing connections go out directly. If you can't configure your application to bind to the VPN IP, you could add an HTTP proxy server to do this part.

Best Answer

Related Solutions

Openvpn basic configuration for full traffic routing

Trying to route outgoing http requests through VPN on Ubuntu Server 12.04

Related Topic