User:Ctag/Openvpn
My configuration notes for openvpn.
iptables killswitch
Based on user
Pick a group to be confined to the openvpn tun device: --gid-owner matches on the sending process's group, so <user> below is a group name or numeric GID (put the confined user in a dedicated group, or use --uid-owner to match a single user instead).
Modify <user> and <tun> to suit.
# iptables -A OUTPUT ! -o <tun> -m owner --gid-owner <user> -j REJECT --reject-with icmp-port-unreachable
Should create:
# iptables -nvL
0 0 REJECT all -- * !tun0 0.0.0.0/0 0.0.0.0/0 owner GID match 111 reject-with icmp-port-unreachable
Don't forget to save the iptables config for persistence across reboots. Two things the rule above does not cover: it also rejects loopback traffic from that group (insert an ACCEPT for -o lo ahead of it if the confined processes need local sockets), and it is IPv4 only, so add the same rule with ip6tables or IPv6 traffic walks straight past the killswitch.
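Added example, not part of the original notes: a small POSIX sh helper that prints the killswitch rules for a given GID and tun device, including the loopback and ip6tables companions, and checks a saved `iptables -S OUTPUT` listing for the REJECT rule. The GID 111, the device tun0 and the sample listing are assumed/constructed; the functions only print commands and never touch the live firewall.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumptions: the confined
# processes run with group $1 (a numeric GID, as `iptables -S` prints it),
# the tunnel device is $2, and the rules go in the filter table's OUTPUT
# chain. Nothing here executes iptables; the rules are printed so they can
# be reviewed and then piped to sh as root.

# killswitch_rules GID TUN
# Loopback is accepted first: without that line the REJECT also kills local
# resolvers, X11/Wayland sockets and anything else on lo. The same pair is
# emitted for ip6tables so v6 traffic cannot leak around a v4-only tunnel
# (ip6tables spells the reject type icmp6-port-unreachable).
killswitch_rules() {
    gid="$1"; tun="$2"
    for ipt in iptables ip6tables; do
        rw=icmp-port-unreachable
        [ "$ipt" = ip6tables ] && rw=icmp6-port-unreachable
        printf '%s -A OUTPUT -o lo -m owner --gid-owner %s -j ACCEPT\n' "$ipt" "$gid"
        printf '%s -A OUTPUT ! -o %s -m owner --gid-owner %s -j REJECT --reject-with %s\n' \
            "$ipt" "$tun" "$gid" "$rw"
    done
}

# killswitch_active GID TUN  (reads `iptables -S OUTPUT` on stdin)
# Returns 0 if a REJECT rule for that GID on traffic not leaving TUN exists.
# Run as: iptables -S OUTPUT | killswitch_active 111 tun0
killswitch_active() {
    gid="$1"; tun="$2"
    grep -E "^-A OUTPUT ! -o ${tun} .*--gid-owner ${gid} .*-j REJECT" >/dev/null
}

# Constructed sample of `iptables -S OUTPUT` from a host with the rules
# loaded for GID 111 on tun0 (not captured from a real system).
SAMPLE_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -o lo -m owner --gid-owner 111 -j ACCEPT
-A OUTPUT ! -o tun0 -m owner --gid-owner 111 -j REJECT --reject-with icmp-port-unreachable'

# Usage from an interactive shell:
#   killswitch_rules 111 tun0            # review, then | sudo sh
#   iptables -S OUTPUT | killswitch_active 111 tun0 && echo "killswitch on"
```

Pass the numeric GID (`getent group <group> | cut -d: -f3`) to killswitch_active, because `iptables -S` prints the number, not the name.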
Based on cgroup
???
passthrough
Based on user
So, this is a little convoluted. OpenVPN in my configuration is set to trap all network traffic and send it over the tun device.
Create a routing table (do this once; the echo appends a duplicate line every time it is run)
# echo 11 novpn >> /etc/iproute2/rt_tables
Configure static route
That routing table will persist across reboots, but its configuration won't. There's got to be a smarter way to do this, but I wound up making a custom systemd service based on the forum post in the reference section.
# cat /etc/systemd/system/iproute2@.service
[Unit]
Description=iproute2 (%i)
Wants=network-online.target
After=openvpn.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/ip -b /etc/conf.d/iproute2/%i/start ; /usr/bin/sysctl -w net.ipv4.conf.eth0.rp_filter=2
ExecStop=/usr/bin/ip -b /etc/conf.d/iproute2/%i/stop ; /usr/bin/sysctl -w net.ipv4.conf.eth0.rp_filter=1

[Install]
WantedBy=network.target
# cat /etc/conf.d/iproute2/eth0/start
route add default via 192.168.1.1 table 11
rule add fwmark 0xa table 11
# cat /etc/conf.d/iproute2/eth0/stop
route del default via 192.168.1.1 table 11
rule del fwmark 0xa table 11
Set up iptables
Replace <user> and <mk>. <mk> must be the fwmark the ip rule above matches (0xa), and note this is --uid-owner, a single user, unlike the group match used for the killswitch.
# iptables -t mangle -A OUTPUT -m owner --uid-owner <user> -j MARK --set-mark <mk>
That should do it. Any application owned by this user will now go out the regular device instead of over the openvpn tunnel. One catch: the kernel picks a packet's source address at the first route lookup, before the mark re-routes it, so marked packets leave eth0 carrying the tunnel's address and the replies never come back. Add a POSTROUTING rule in the nat table that SNATs (or MASQUERADEs) packets with this mark leaving eth0, and keep rp_filter on eth0 loose (2) as the service above does; with strict rp_filter the replies arriving on eth0 are dropped, since the reverse path to the internet is via the tunnel.
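Added example, not the notes' own service or batch files: a start/stop script in POSIX sh that performs the whole passthrough procedure above in one place (routing table registration, route and rule, rp_filter, the MARK rule) and adds the SNAT rule that makes marked traffic actually return. eth0, gateway 192.168.1.1, table 11/novpn and mark 0xa come from the notes; the uplink address 192.168.1.50, the user name novpn, and the DRY_RUN/run() wrapper are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumptions: uplink $DEV with
# gateway $GW and its own address $DEV_ADDR (hypothetical), routing table
# $TABLE named $TABLE_NAME, fwmark $MARK, and bypassing user $USER_NAME.
# Every privileged command goes through run(), which only prints it when
# DRY_RUN=1, so the script can be reviewed before being run as root.
DEV="${DEV:-eth0}"
GW="${GW:-192.168.1.1}"
DEV_ADDR="${DEV_ADDR:-192.168.1.50}"   # hypothetical address of $DEV
TABLE="${TABLE:-11}"
TABLE_NAME="${TABLE_NAME:-novpn}"
MARK="${MARK:-0xa}"
USER_NAME="${USER_NAME:-novpn}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ensure_rt_table FILE NUMBER NAME
# Registers the table name once, unlike `echo >> rt_tables`, which appends
# a duplicate line on every run.
ensure_rt_table() {
    file="$1"; num="$2"; name="$3"
    if ! grep -Eq "^[[:space:]]*${num}[[:space:]]+${name}([[:space:]]|$)" "$file" 2>/dev/null; then
        printf '%s\t%s\n' "$num" "$name" >> "$file"
    fi
}

passthrough_start() {
    ensure_rt_table "$RT_TABLES" "$TABLE" "$TABLE_NAME"
    # Marked traffic gets its own default route straight out of the uplink.
    run ip route add default via "$GW" dev "$DEV" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    # Replies arrive on $DEV while the main default route points at the
    # tunnel; loose reverse-path filtering lets them in.
    run sysctl -w "net.ipv4.conf.${DEV}.rp_filter=2"
    # Mark everything the bypass user sends ...
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$USER_NAME" -j MARK --set-mark "$MARK"
    # ... and rewrite its source address: the kernel chose the tunnel's
    # address at the first route lookup, before the mark rerouted the
    # packet, so without SNAT it leaves $DEV with an address nobody routes back.
    run iptables -t nat -A POSTROUTING -o "$DEV" -m mark --mark "$MARK" -j SNAT --to-source "$DEV_ADDR"
}

passthrough_stop() {
    # Tear down in reverse order; the rt_tables entry is harmless and stays.
    run iptables -t nat -D POSTROUTING -o "$DEV" -m mark --mark "$MARK" -j SNAT --to-source "$DEV_ADDR"
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$USER_NAME" -j MARK --set-mark "$MARK"
    run sysctl -w "net.ipv4.conf.${DEV}.rp_filter=1"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route del default via "$GW" dev "$DEV" table "$TABLE"
}

# Usage: DRY_RUN=1 sh passthrough.sh start   (review)
#        sudo sh passthrough.sh start|stop   (apply)
case "${1:-}" in
    start) passthrough_start ;;
    stop)  passthrough_stop ;;
esac
```

The start and stop halves can be wired into the systemd unit above as ExecStart and ExecStop in place of the two `ip -b` batch files, which keeps the mark, table and interface in one file instead of three.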
Reference
http://unix.stackexchange.com/questions/110716/how-to-understand-the-routing-table-on-an-openvpn-client # General information about how openvpn overrides the default route.
https://jamielinux.com/blog/bypass-openvpn-for-a-specific-unix-user/ # Resource on configuring iptables
https://bbs.archlinux.org/viewtopic.php?id=187138 # Discussion for iproute2@.service
Based on cgroup
???
Reference
http://serverfault.com/questions/669430/how-to-bypass-openvpn-per-application