* Being selective about traffic and interfaces
From: Richard Bellamy @ 2004-03-08 15:07 UTC (permalink / raw)
To: netfilter
Hi
I have just set up an encrypted connection (with OpenVPN) between my laptop and router; currently all traffic goes down the vpn. I would like to allow ssh traffic to bypass the vpn.
The situation is this:
Router:                        Laptop:
192.168.0.1 - tun0             192.168.0.2 - tun0
      |                              |
10.44.10.1 - eth0              10.44.10.2 - eth0
      |                              |
---------------------------------------------------------
The default route on the laptop is set to 192.168.0.1 so all traffic is automatically sent encrypted. I need to be able to send everything but ssh down the vpn (with the possibility for https later on). I believe that this would have to happen before routing took place. OpenVPN is on udp/5000.
I would be very grateful for any assistance.
Richard
* Re: Being selective about traffic and interfaces
From: /dev/rob0 @ 2004-03-09 3:07 UTC (permalink / raw)
To: netfilter
On Monday 08 March 2004 09:07, Richard Bellamy wrote:
> I have just set up an encrypted connection (with OpenVPN) between my
> laptop and router; currently all traffic goes down the vpn. I would
> like to allow ssh traffic to bypass the vpn.
FWIW, if what you're seeking is a performance improvement, you would
probably do better by changing your sshd/ssh client to use something
faster than the default 3DES encryption. Blowfish (which of course is
openvpn's default) is a good choice: fast and not known to be weak.
> I would be very grateful for any assistance.
I am pretty sure that what you want can be done with MARK in the mangle
table and complex routing (iproute2). Unfortunately that's all a bit
beyond me. I hope the blowfish suggestion is helpful.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: Being selective about traffic and interfaces
From: Tarek W. @ 2004-03-09 11:46 UTC (permalink / raw)
To: netfilter
On Mon, 2004-03-08 at 17:07, Richard Bellamy wrote:
> Hi
>
> I have just set up an encrypted connection (with OpenVPN) between my laptop and router; currently all traffic goes down the vpn. I would like to allow ssh traffic to bypass the vpn.
>
> The situation is this:
>
> Router:                        Laptop:
> 192.168.0.1 - tun0             192.168.0.2 - tun0
>       |                              |
> 10.44.10.1 - eth0              10.44.10.2 - eth0
>       |                              |
> ---------------------------------------------------------
>
> The default route on the laptop is set to 192.168.0.1 so all traffic is automatically sent encrypted. I need to be able to send everything but ssh down the vpn (with the possibility for https later on). I believe that this would have to happen before routing took place. OpenVPN is on udp/5000.
on the laptop:
edit /etc/iproute2/rt_tables (or wherever rt_tables is at) and add the
following:
<snip>
50 unencrypted
</snip>
without <snip> and </snip>
then issue the following commands:
<snip>
ip route add dev eth0
ip rule add pref 50 fwmark 2 table unencrypted
</snip>
now iptables comes in to play and glues everything up:
<snip>
iptables -t mangle -I OUTPUT -p tcp --dport 22 -j MARK --set-mark 0x02
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 192.168.0.2
</snip>
* Re: Being selective about traffic and interfaces
From: Tarek W. @ 2004-03-09 15:25 UTC (permalink / raw)
To: netfilter
On Tue, 2004-03-09 at 13:46, Tarek W. wrote:
> On Mon, 2004-03-08 at 17:07, Richard Bellamy wrote:
> > Hi
> >
> > I have just set up an encrypted connection (with OpenVPN) between my laptop and router; currently all traffic goes down the vpn. I would like to allow ssh traffic to bypass the vpn.
> >
> > The situation is this:
> >
> > Router:                        Laptop:
> > 192.168.0.1 - tun0             192.168.0.2 - tun0
> >       |                              |
> > 10.44.10.1 - eth0              10.44.10.2 - eth0
> >       |                              |
> > ---------------------------------------------------------
> >
> > The default route on the laptop is set to 192.168.0.1 so all traffic is automatically sent encrypted. I need to be able to send everything but ssh down the vpn (with the possibility for https later on). I believe that this would have to happen before routing took place. OpenVPN is on udp/5000.
>
> on the laptop:
>
> edit /etc/iproute2/rt_tables (or wherever rt_tables is at) and add the
> following:
>
> <snip>
> 50 unencrypted
> </snip>
>
> without <snip> and </snip>
>
> then issue the following commands:
>
> <snip>
> ip route add dev eth0
> ip rule add pref 50 fwmark 2 table unencrypted
> </snip>
should be:
<snip>
ip route add default dev eth0 table unencrypted
ip rule add pref 50 fwmark 2 table unencrypted
</snip>
>
> now iptables comes in to play and glues everything up:
>
> <snip>
> iptables -t mangle -I OUTPUT -p tcp --dport 22 -j MARK --set-mark 0x02
> iptables -t nat -I POSTROUTING -o dev eth0 -j SNAT --to 192.168.0.2
> </snip>
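The policy-routing recipe from the two posts above, collected into one script. This is an added example and not code from the thread; it follows the thread's addresses and interface names but the table number/name, the mark value, the gateway address on the eth0 link, and the choice to SNAT to eth0's own address 10.44.10.2 (rather than the tun0 address used in the post) are my assumptions. It prints the commands by default and executes them only with APPLY=1, so the rule set can be reviewed before it touches a live box; nothing beyond stock iproute2 and the mainline MARK/SNAT targets is needed (no out-of-tree ROUTE target). Note that the bypass is purely port-based: whatever is sent to tcp/22 leaves the host on the physical link protected only by whatever the application itself does, so the list of ports deserves the same review as the VPN configuration.

```shell
#!/bin/sh
# Added example (not from the thread): mark locally generated ssh in the
# mangle table so it is re-routed out of eth0, while everything else keeps
# the default route through tun0. Addresses follow the thread's diagram;
# GW, TABLE_ID/TABLE_NAME, MARK and the SNAT address are assumptions.

WAN_IF="eth0"            # physical interface (unencrypted path)
WAN_ADDR="10.44.10.2"    # laptop address on eth0 (SNAT source, my choice)
GW="10.44.10.1"          # router address on the physical link (assumed gateway)
TABLE_ID=50
TABLE_NAME="unencrypted"
MARK=0x2
BYPASS_PORTS="22"        # add 443 here if https should bypass the VPN later

# Emit the commands that implement the bypass, one per line.
gen_commands() {
    # 1. name the routing table (idempotent append to rt_tables)
    echo "grep -q '^$TABLE_ID $TABLE_NAME\$' /etc/iproute2/rt_tables || echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
    # 2. the bypass table needs a destination ("default"); the first post's
    #    'ip route add dev eth0' has no prefix and is rejected by ip(8)
    echo "ip route add default via $GW dev $WAN_IF table $TABLE_NAME"
    # 3. marked packets consult the bypass table ahead of the main table
    echo "ip rule add pref $TABLE_ID fwmark $MARK table $TABLE_NAME"
    # 4. mark outbound ssh in mangle OUTPUT; the kernel re-runs the routing
    #    decision after this chain, so the mark changes the outgoing interface
    for p in $BYPASS_PORTS; do
        echo "iptables -t mangle -A OUTPUT -p tcp --dport $p -j MARK --set-mark $MARK"
    done
    # 5. the source address was picked for the tun0 route (192.168.0.2);
    #    rewrite it to eth0's address so replies come back on eth0 and not
    #    through the VPN. Syntax is '-o eth0', not '-o dev eth0' as posted.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -m mark --mark $MARK -j SNAT --to-source $WAN_ADDR"
    # 6. drop cached routing decisions so the new rule takes effect at once
    echo "ip route flush cache"
}

# True when the generated rule set contains the given command fragment
# (useful for checking the output before applying it).
has_command() {
    gen_commands | grep -qF -- "$1"
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_commands | sh -e      # execute as root on the laptop
else
    gen_commands              # dry run: just show what would be done
fi
```

To confirm the mark actually changes the path, `ip route get <router-ip> mark 0x2` should name eth0 and the bypass table while `ip route get <router-ip>` without the mark still names tun0.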
* Re: Being selective about traffic and interfaces
From: Richard Bellamy @ 2004-03-10 18:18 UTC (permalink / raw)
To: netfilter
Thanks to all who responded.
Unfortunately I still cannot get this working.
Does anyone know if the ROUTE target works under 2.6?
Richard
On Mon, Mar 08, 2004 at 03:07:59PM +0000, Richard Bellamy wrote:
> Hi
>
> I have just set up an encrypted connection (with OpenVPN) between my laptop and router; currently all traffic goes down the vpn. I would like to allow ssh traffic to bypass the vpn.
>
> The situation is this:
>
> Router:                        Laptop:
> 192.168.0.1 - tun0             192.168.0.2 - tun0
>       |                              |
> 10.44.10.1 - eth0              10.44.10.2 - eth0
>       |                              |
> ---------------------------------------------------------
>
> The default route on the laptop is set to 192.168.0.1 so all traffic is automatically sent encrypted. I need to be able to send everything but ssh down the vpn (with the possibility for https later on). I believe that this would have to happen before routing took place. OpenVPN is on udp/5000.
>
> I would be very grateful for any assistance.
>
> Richard
>