| Keith C. Perry on 27 Sep 2014 19:42:55 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] OpenVPN Question |
Welcome to the club !! :) I've been using Linux for my router or security devices for years now. I can't see doing things any other way. Its one of the reasons I'm so excited about ARM devices (i.e. I can reduce physical space and power needs without the loss of functionality). Anyway... I'm not sure you need the route policies if the connections are terminating on the box (you said these were incoming connections). You can "route" the traffic with just rules in the PREROUTING (or INPUT- newer feature I think) chain of NAT table. Also, I'm not sure how these "containers" fit into the equation. Sounds like a docker or VM thing- are you trying to NAT (actually port forward would be the term) traffic to certain "containers" once the OpenVPN connection is established? ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Keith C. Perry, MS E.E. Owner, DAO Technologies LLC (O) +1.215.525.4165 x2033 (M) +1.215.432.5167 www.daotechnologies.com ----- Original Message ----- From: "Rich Freeman" <r-plug@thefreemanclan.net> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org> Sent: Saturday, September 27, 2014 10:13:51 PM Subject: Re: [PLUG] OpenVPN Question On Fri, Sep 26, 2014 at 11:56 PM, John Kreno <john.kreno@gmail.com> wrote: > If you are trying to host services on the WAN, you can try doing source > routing, but that will keep that host effectively going over the WAN for all > connections. Maybe there's a way to catch only certain ports and or related > traffic. I'm almost certain that IPtables isn't going to do this > automatically. Even it has to rely on the ip routing table. Ok, I managed to get everything working with the openwrt mwan3 module (which apparently uses connection tracking to match packets up with the right interface). However, I've found that my VPN is CPU-bound running on the router. :) So, now I'm thinking about setting up another host on the network to be my vpn gateway. If I only had outgoing traffic I'd just make the vpn the default gateway for all hosts on the network except the vpn gateway, and make the actual router the gateway for the vpn host (I don't care about non-vpn traffic originating on the vpn host itself). However, I'll still have traffic forwarded from the router to a host on the network, while wanting the bulk of traffic originating from that host to go to the vpn gateway. So, I'm moving my routing problem from the router to my host. The good news is that this host runs a standard distro and doesn't have any iptables rules/etc already on it, which gives me more flexibility. One other detail - the vpn host is going to just be a container bridged to the same ethernet as the host whose packets need special treatment. I don't think this is necessarily an issue, since they're different interfaces as far as the kernel is concerned. The container would have its own routing table and I don't think any host iptables rules would apply to it. It seems like there could be two strategies here. One would be to try to identify incoming connections and then use a routing table for those connections. All incoming connections would come from either the lan (where the default route doesn't matter), or the router (which is where the table would point). The other strategy would be to use the local port - since these are all incoming connections the local port number is going to be something like 22, 25, 80, etc - I could route any connection that has this as the port on the local system to use the table with the router as the default gateway. I'm not going to have outgoing connections from these ports in general, as would be expected (and if I did for some reason I don't really care if it goes out over the router). Anybody have a rule that would work? The closet thing I've found so far is something like this: iptables -A PREROUTING -t mangle -p tcp --dport 22 --set-mark 0x1 -j CONNMARK echo "200 ssh" >> /etc/iproute2/rt_tables ip rule add fwmark 1 table ssh ip route add default dev eth0 via 192.168.1.2 table ssh (from http://unix.stackexchange.com/questions/1194/multigateway-routing-for-specific-src-port ) The only thing I'm not quite sure about is whether that should be source or destination port. I'm not sure if that rule is intended to run when the packets come in, or when they go out. I would just have one table, and then mark connections for each desired port. Why is it that I can't have normal questions? -- Rich ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug