Keith C. Perry on 27 Sep 2014 19:42:55 -0700


Re: [PLUG] OpenVPN Question

Welcome to the club !! :)  I've been using Linux for my router or security devices for years now.  I can't see doing things any other way.  It's one of the reasons I'm so excited about ARM devices (i.e. I can reduce physical space and power needs without the loss of functionality).


I'm not sure you need the route policies if the connections are terminating on the box (you said these were incoming connections).  You can "route" the traffic with just rules in the PREROUTING (or INPUT - newer feature I think) chain of the NAT table.

Also, I'm not sure how these "containers" fit into the equation.  Sounds like a Docker or VM thing - are you trying to NAT (actually port forward would be the term) traffic to certain "containers" once the OpenVPN connection is established?

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Owner, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167

----- Original Message -----
From: "Rich Freeman" <>
To: "Philadelphia Linux User's Group Discussion List" <>
Sent: Saturday, September 27, 2014 10:13:51 PM
Subject: Re: [PLUG] OpenVPN Question

On Fri, Sep 26, 2014 at 11:56 PM, John Kreno <> wrote:
> If you are trying to host services on the WAN, you can try doing source
> routing, but that will keep that host effectively going over the WAN for all
> connections. Maybe there's a way to catch only certain ports and or related
> traffic. I'm almost certain that IPtables isn't going to do this
> automatically. Even it has to rely on the ip routing table.

Ok, I managed to get everything working with the openwrt mwan3 module
(which apparently uses connection tracking to match packets up with
the right interface).

However, I've found that my VPN is CPU-bound running on the router.  :)

So, now I'm thinking about setting up another host on the network to
be my vpn gateway.

If I only had outgoing traffic I'd just make the vpn the default
gateway for all hosts on the network except the vpn gateway, and make
the actual router the gateway for the vpn host (I don't care about
non-vpn traffic originating on the vpn host itself).

However, I'll still have traffic forwarded from the router to a host
on the network, while wanting the bulk of traffic originating from
that host to go to the vpn gateway.

So, I'm moving my routing problem from the router to my host.  The
good news is that this host runs a standard distro and doesn't have
any iptables rules/etc already on it, which gives me more flexibility.

One other detail - the vpn host is going to just be a container
bridged to the same ethernet as the host whose packets need special
treatment.  I don't think this is necessarily an issue, since they're
different interfaces as far as the kernel is concerned.  The container
would have its own routing table and I don't think any host iptables
rules would apply to it.

It seems like there could be two strategies here.  One would be to try
to identify incoming connections and then use a routing table for
those connections.  All incoming connections would come from either
the lan (where the default route doesn't matter), or the router (which
is where the table would point).

The other strategy would be to use the local port - since these are
all incoming connections the local port number is going to be
something like 22, 25, 80, etc - I could route any connection that has
this as the port on the local system to use the table with the router
as the default gateway.  I'm not going to have outgoing connections
from these ports in general, as would be expected (and if I did for
some reason I don't really care if it goes out over the router).

Anybody have a rule that would work?  The closest thing I've found so
far is something like this:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 0x1   # target options must follow -j
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark   # copy the connection mark onto reply packets so the fwmark rule can see it
echo "200 ssh" >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table ssh
ip route add default via <router-ip> dev eth0 table ssh   # gateway address after "via" was missing


The only thing I'm not quite sure about is whether that should be
source or destination port.  I'm not sure if that rule is intended to
run when the packets come in, or when they go out.  I would just have
one table, and then mark connections for each desired port.

Why is it that I can't have normal questions?

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
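The rule set Rich is asking about, written out as an added example that is not part of the original thread and not anyone's posted configuration. It assumes placeholder values for the LAN interface, the real router's address, the LAN prefix and the exposed ports (all configurable via environment variables), and it uses a numeric routing table id so nothing has to be appended to /etc/iproute2/rt_tables. The point it adds beyond the thread: CONNMARK --set-mark only stores the mark on the conntrack entry, so a second rule in the mangle OUTPUT chain has to copy it back onto the reply packets before "ip rule add fwmark" can match them; and because the fwmark table is consulted before the main table, it also needs the connected LAN route, or replies to LAN clients on those ports would be sent to the router too.

```shell
#!/bin/sh
# Policy routing for inbound services on a host whose default gateway is a
# VPN box: replies to connections forwarded by the real router must leave
# through that router, everything else keeps using the VPN default route.
# All values below are assumed placeholders, not from the original thread.
#   LAN_IF    - interface facing the LAN and the router
#   ROUTER_IP - the real router's LAN address
#   LAN_NET   - the LAN prefix (so LAN replies stay on the LAN)
#   PORTS     - local TCP ports exposed through the router
# DRY_RUN=1 prints the commands instead of running them (needs root otherwise).
set -eu

LAN_IF="${LAN_IF:-eth0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PORTS="${PORTS:-22 25 80}"
MARK=0x1
TABLE=200   # numeric table id; a name in /etc/iproute2/rt_tables is optional

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # 1. Mark NEW inbound connections on the service ports. In PREROUTING the
    #    incoming SYN carries the service port as its *destination* port; the
    #    mark is stored on the conntrack entry, not on the packet.
    for p in $PORTS; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    done
    # 2. Copy the connection mark onto every locally generated packet (the
    #    replies); "ip rule fwmark" only sees packet marks.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 3. Marked packets use table $TABLE: default route via the real router,
    #    plus the connected LAN route so replies to LAN clients are not bounced
    #    through the router.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$ROUTER_IP" dev "$LAN_IF" table "$TABLE"
    # 4. Paths are now asymmetric (in via router, out via VPN); loose reverse
    #    path filtering keeps the kernel from dropping the inbound packets.
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1 apply_rules ;;
esac
```

Run it as "sh policyroute.sh show" to review the generated commands and "sh policyroute.sh apply" as root to install them. If the VPN gateway container ends up on a separate host interface rather than bridged to the same Ethernet, the rp_filter relaxation in step 4 becomes mandatory rather than precautionary.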