User:Ctag/Openvpn

From ArchWiki
Jump to navigation Jump to search

My configuration notes for openvpn.

iptables killswitch

Based on user

Pick a user to be confined to the openvpn tun device.

Modify <user> and <tun> to suite.
# iptables -A OUTPUT ! -o <tun> -m owner --gid-owner <user> -j REJECT --reject-with icmp-port-unreachable

Should create:

# iptables -nvL
0  0 REJECT     all  --  *      !tun0   0.0.0.0/0            0.0.0.0/0            owner GID match 111 reject-with icmp-port-unreachable

Don't forget to save the iptables config for persistence across reboots.

Based on cgroup

???

passthrough

Based on user

So, this is a little convoluted. Openvpn in my configuration is set to trap all network traffic, and send it over the tun device.

Create a routing table

# echo 11 novpn >> /etc/iproute2/rt_tables

Configure static route

That routing table will persist across reboots, but it's configuration won't. There's got to be a smarter way to do this, but I wound up making a custom systemd service based on the forum post in the reference section.

# cat /etc/systemd/system/iproute2@.service
[Unit]
Description=iproute2 (%i)
Wants=network-online.target
After=openvpn.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/ip -b /etc/conf.d/iproute2/%i/start ; /usr/bin/sysctl -w net.ipv4.conf.eth0.rp_filter=2
ExecStop=/usr/bin/ip -b /etc/conf.d/iproute2/%i/stop ; /usr/bin/sysctl -w net.ipv4.conf.eth0.rp_filter=1

[Install]
WantedBy=network.target
# cat /etc/conf.d/iproute2/eth0/start
route add default via 192.168.1.1 table 11
rule add fwmark 0xa table 11
# cat /etc/conf.d/iproute2/eth0/stop
route del default via 192.168.1.1 table 11
rule del fwmark 0xa table 11

Set up iptables

Replace <user> and <mk>
# iptables -t mangle -A OUTPUT -m owner --uid-owner <user> -j MARK --set-mark <mk>

That should do it. Any application owned by this user will now operate on the regular device instead of over the openvpn tunnel.

Reference

http://unix.stackexchange.com/questions/110716/how-to-understand-the-routing-table-on-an-openvpn-client # General information about how openvpn overrides the default route.

https://jamielinux.com/blog/bypass-openvpn-for-a-specific-unix-user/ # Resource on configuring iptables

https://bbs.archlinux.org/viewtopic.php?id=187138 # Discussion for iproute2@.service

Based on cgroup

???

Reference

http://serverfault.com/questions/669430/how-to-bypass-openvpn-per-application