Vpn routing
From ByteWiki
Routing your VPN under Linux
See also VLAN_Routing
VPN links can often cause a chicken & egg problem. Packets for network X are tunnelled to host Y, but host Y is part of network X.
One simple solution is to add a static route for host Y. However, this is less secure if you also want to reach host Y through the VPN: only one service (protocol or port) needs the routing exception, not the entire host.
A solution to this is to combine netfilter (iptables) packet mangling and iproute2 (ip) policy routing. The Linux box which is doing the routing will be called 'the router'.
Before you start, you need to know this information:
- Is the router the source of the VPN traffic, or is it forwarding the VPN traffic?
- What is the default gateway and device?
- What IP protocol does the VPN traffic use?
- What port number(s) does the VPN traffic use?
Name Your Table
Each routing table has a unique number. You can name the routing tables by editing /etc/iproute2/rt_tables, much like you might do with /etc/protocols or /etc/services. Many examples start custom tables at 200 and count upwards (i.e. 201, 202, etc.).
echo "200 vpn" >> /etc/iproute2/rt_tables
Mark the vpn traffic
My VPN uses a TCP connection to a specific host and port. In the example commands, the host will be 10.0.50.5 and the port will be port 1234. Other common VPN traffic might be ...? OpenVPN? IPsec? UDP / protocol 50?
We will mark with the number 1. If you already use marking then select an unused number.
If your router is generating the VPN traffic (which mine does) use this command:
iptables -A OUTPUT -t mangle -p tcp --destination 10.0.50.5 --dport 1234 -j MARK --set-mark 1
If your router is forwarding the VPN traffic use this command:
iptables -A PREROUTING -t mangle -p tcp --destination 10.0.50.5 --dport 1234 -j MARK --set-mark 1
You can find information about which tables are used at http://www.faqs.org/docs/iptables/traversingoftables.html
Check your iptables like this:
iptables -t mangle -L
Create a route
This will create a route in our vpn routing table for the VPN traffic. You will need to know the default gateway and device to reach the VPN server. In most cases this will be the same as your normal default route.
ip route | grep default
default via 10.0.40.1 dev eth0
The command to add the new route will be:
/sbin/ip route add default via 10.0.40.1 dev eth0 table vpn
Check your routing table like this:
ip route ls table vpn
Create a routing rule
This adds a routing rule so that packets marked 1 (our VPN traffic) will be processed using the vpn routing table and not the default routing table.
ip rule add fwmark 1 table vpn
Check your routing rules like this:
ip rule ls
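The four steps above (name the table, mark the VPN flow, add the route, add the rule) as one parameterised script. This is an added example, not part of the original wiki page: it prints the commands as a plan so they can be reviewed before being run as root on the router, and it reuses the page's sample values (10.0.50.5, port 1234, gateway 10.0.40.1 on eth0, mark 1, table 200 "vpn"). The "source"/"forward" mode names, the function names and the rp_filter check are assumptions of this example, not something the page defines.

```shell
#!/bin/sh
# Added example: build the policy-routing commands from the facts the page
# says you need to know, without running anything. Mode/function names and
# the rp_filter check are assumptions of this example, not from the page.

# vpn_route_plan MODE PROTO SERVER PORT GATEWAY DEV MARK TABLE_NUM TABLE_NAME
#   MODE "source"  : the router originates the VPN traffic  -> mangle OUTPUT
#   MODE "forward" : the router forwards the VPN traffic    -> mangle PREROUTING
# Prints one command per line; returns 1 on an unknown mode or protocol.
vpn_route_plan() {
    mode=$1 proto=$2 server=$3 port=$4 gw=$5 dev=$6 mark=$7 tnum=$8 tname=$9
    case "$mode" in
        source)  chain=OUTPUT ;;
        forward) chain=PREROUTING ;;
        *) echo "unknown mode: $mode (use source|forward)" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;   # --dport only makes sense for these two
        *) echo "unsupported protocol: $proto (this plan matches on --dport)" >&2; return 1 ;;
    esac
    # 1. Name the table; the grep keeps rt_tables free of duplicate lines on re-runs.
    printf '%s\n' "grep -q '^$tnum $tname\$' /etc/iproute2/rt_tables || echo '$tnum $tname' >> /etc/iproute2/rt_tables"
    # 2. Mark only the VPN flow (protocol + server + port), not every packet to the server,
    #    so other services on the server are still reached through the tunnel.
    printf '%s\n' "iptables -t mangle -A $chain -p $proto --destination $server --dport $port -j MARK --set-mark $mark"
    # 3. Default route for the marked flow lives in the new table.
    printf '%s\n' "ip route add default via $gw dev $dev table $tname"
    # 4. Packets carrying the mark are looked up in that table first.
    printf '%s\n' "ip rule add fwmark $mark table $tname"
}

# vpn_route_checks DEV TABLE_NAME
# Prints the verification commands from the page plus one sysctl read:
# with strict reverse-path filtering (rp_filter=1) on DEV the server's replies
# may be dropped, because the reverse lookup for the server address points into
# the tunnel rather than out of DEV. Loose mode (2) avoids that. (Assumption of
# this example; the page itself does not mention rp_filter.)
vpn_route_checks() {
    dev=$1 tname=$2
    printf '%s\n' "iptables -t mangle -L -n -v"
    printf '%s\n' "ip route ls table $tname"
    printf '%s\n' "ip rule ls"
    printf '%s\n' "sysctl net.ipv4.conf.$dev.rp_filter"
}

# Usage: print the plan for the page's own example, then apply it only if
# explicitly asked (needs root on the router).
if [ "${1:-}" = "--apply" ]; then
    vpn_route_plan source tcp 10.0.50.5 1234 10.0.40.1 eth0 1 200 vpn | sh -e
    vpn_route_checks eth0 vpn | sh
elif [ "${1:-}" = "--plan" ]; then
    vpn_route_plan source tcp 10.0.50.5 1234 10.0.40.1 eth0 1 200 vpn
    vpn_route_checks eth0 vpn
fi
```

Run it with --plan to see the exact commands for your values, diff that against what is already on the box (ip rule ls, ip route ls table vpn), and only then run --apply. Because step 2 matches on protocol, destination and port together, traffic to any other port on 10.0.50.5 still goes through the tunnel, which is the whole point of marking instead of adding a host route.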
