I have a computer with two eth interfaces and one wlan interface. It is also connected to a VPN (openvpn), so it has a tun0 interface too. Now, I'd like to make sure that all VPN traffic is sent using the wlan interface, and not over ethernet. By default, it gets sent over eth1, as far as I can see from running iftop. My routing table is below.

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         Teltonika.lan   0.0.0.0         UG    100    0        0 eth1
default         192.168.222.1   0.0.0.0         UG    600    0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 eth0
172.89.0.0      *               255.255.255.0   U     0      0        0 tun0
192.0.2.1       192.168.222.1   255.255.255.255 UGH   600    0        0 wlan0
192.168.0.0     *               255.255.0.0     U     100    0        0 eth1
192.168.3.0     *               255.255.255.0   U     100    0        0 eth0
192.168.222.0   *               255.255.255.0   U     600    0        0 wlan0
  • Which VPN client do you use (openvpn / openconnect / cisco / ...)? – Thomas May 31 '19 at 11:27
  • It's openvpn. (I've edited the question with this information now.) – Supernormal May 31 '19 at 13:30
  • The output from the route command looks like you are on a Linux system, correct? – LL3 May 31 '19 at 13:41
  • Correct: Kubuntu 16.04. – Supernormal May 31 '19 at 13:44
  • What do you mean when you say VPN traffic? Just the 172.89.0.0/24 network? – Rabin May 31 '19 at 13:54
  • Diverse variations of this question get asked regularly. TL;DR: If you distinguish traffic by known (numerical) destination IP addresses, you can route (by adding routing rules). If you don't distinguish by destination address, but e.g. by applications, the simplest way is to use network namespaces and run applications that should behave differently in different namespaces. – dirkt May 31 '19 at 16:47

1 Answer

On Linux you can adjust the routing rules using the ip rule and ip route commands. The latter is a more advanced equivalent of the route command.

In your case you might obtain the desired behavior by having a separate routing table where the default gateway on the wlan0 interface is the only (or anyway preferred) default gateway present, and then setting a routing rule stating that all traffic coming from the tun0 interface is to use this separate routing table.

That is obtainable for example through the following two commands:

ip route add default via 192.168.222.1 table 100  # <-- 100 is an arbitrary number for the separate routing table
ip rule add iif tun0 table 100

while to clear them up, use:

ip rule del iif tun0 table 100
ip route flush table 100

You can test the commands live, after establishing the VPN, and see that everything works as intended.

Then you might want to have those commands (or their best equivalent for your overall setup) executed by openvpn when needed. To do so, the simplest way is to put those commands in two scripts (respectively), and then call them via OpenVPN's route-up and route-pre-down hooks.

Depending on how you actually use OpenVPN, you need to either run openvpn specifying --route-up script-that-adjusts-routing.sh and --route-pre-down script-that-undoes-routing.sh (and possibly also --script-security 2) from the command line, or add these configurations in the OpenVPN .conf file of your tunnel.

If you already have route-up and route-pre-down scripts, then you need to add the adjusting commands to your pre-existing scripts instead, and this may require additional care depending on what these scripts do.

LL3
  • This was actually the solution I was looking for, the others too complicated and just didn't work. I tried reply on same network from here: https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming/23345#23345 but this answer was the solution. – Kevin Parker Mar 25 '20 at 04:11
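As an added example (not code from the question or the answer above), here is one hook script that OpenVPN can call for both --route-up and --route-pre-down, implementing the answer's two commands so that repeated reconnects neither pile up duplicate rules nor fail with "RTNETLINK answers: File exists". The table number and the wlan0 gateway are assumed values taken from the answer and the question's route output; OpenVPN itself exports script_type and dev to hook scripts (remember --script-security 2).

```shell
#!/bin/sh
# Added example: idempotent policy-routing hook for OpenVPN (route-up / route-pre-down).
# Assumed values: TABLE (arbitrary, as in the answer), WLAN_GW (default gateway on wlan0
# from the question). OpenVPN sets $script_type and $dev in the hook environment.
set -eu

TABLE="${TABLE:-100}"
WLAN_GW="${WLAN_GW:-192.168.222.1}"
DEV="${dev:-tun0}"
IP="${IP:-ip}"   # point IP at a stub such as echo to dry-run without root

# rule_present RULES DEV TABLE: succeed if the `ip rule show` output RULES already
# contains "from all iif DEV lookup TABLE" (each line is "<prio>:<tab>rule").
rule_present() {
    printf '%s\n' "$1" |
        grep -Eq "^[0-9]+:[[:space:]]+from all iif $2 lookup $3([[:space:]]|\$)"
}

# apply_routing ACTION: install or remove the separate table and the iif rule.
apply_routing() {
    case "$1" in
        route-up)
            # replace rather than add, so a stale default in the table is overwritten
            "$IP" route replace default via "$WLAN_GW" table "$TABLE"
            if ! rule_present "$("$IP" rule show)" "$DEV" "$TABLE"; then
                "$IP" rule add iif "$DEV" table "$TABLE"
            fi ;;
        route-pre-down)
            # remove every copy of the rule (none is fine, e.g. after manual cleanup)
            while rule_present "$("$IP" rule show)" "$DEV" "$TABLE"; do
                "$IP" rule del iif "$DEV" table "$TABLE"
            done
            "$IP" route flush table "$TABLE" ;;
        *)
            echo "unsupported script_type: $1" >&2
            return 1 ;;
    esac
}

# When invoked by OpenVPN, dispatch on the hook type it reports.
if [ -n "${script_type:-}" ]; then
    apply_routing "$script_type"
fi
```

Pass the same file to both hooks (--route-up /path/to/vpn-routing.sh --route-pre-down /path/to/vpn-routing.sh); the script_type variable tells it which half to run.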