Making a server behind a VPN client remain reachableReply on the same interface as incoming with DNATed IPRoute certain domains through different interfacesSetting up a server that routes local traffic through vpn, while still being able to access internet directlyCan I assign a virtual interface (VPN) to a 'real' interface / NIC of my choice?Linux tun interface packet routingDouble VPN (OpenVPN)connect to 3rd party VPN server but don't use it as the default route?Mikrotik with vpn client doesn't route mangled packets wellHow to connect 3 Openvpn Ubuntu ServersVPN Router does not reply to ARP RequestsDouble VPN client->server->client
What's the safest way to inform a new user of their password on my web site?
How do I reference other list in calculated column?
One folder two different locations on ubuntu 18.04
What is the consensus on handling pagination in 2019 on big result sets?
Quacks of Quedlingburg Crow Skull Set 2 Keep Drawing
Can a single server be associated with multiple domains?
Why won't the ground take my seed?
Why is Madam Hooch not a professor?
What could a reptilian race tell by candling their eggs?
Why transcripts instead of degree certificates?
Zombie diet, why humans?
Most possible movement by the losing side in a zugzwang position
How do accents of a whole town drift?
I am having a problem understanding the different behavior of $("button").click() and $("button")[0].click()
User command to reload file-local variables
How to start learning the piano again
For people who believe in Jesus and not the devil, what happened in the desert?
Getting geometries of hurricane's 'cone of uncertainty' using shapely?
What are good ways to spray paint a QR code on a footpath?
Should the Torah be covered or uncovered during the Aliyah blessings?
What does Mildred mean by this line in Three Billboards Outside Ebbing, Missouri?
Fluently Validation of Objects
What is the olden name for sideburns?
Why are 120V general receptacle circuits limited to 20A?
Making a server behind a VPN client remain reachable
Reply on the same interface as incoming with DNATed IPRoute certain domains through different interfacesSetting up a server that routes local traffic through vpn, while still being able to access internet directlyCan I assign a virtual interface (VPN) to a 'real' interface / NIC of my choice?Linux tun interface packet routingDouble VPN (OpenVPN)connect to 3rd party VPN server but don't use it as the default route?Mikrotik with vpn client doesn't route mangled packets wellHow to connect 3 Openvpn Ubuntu ServersVPN Router does not reply to ARP RequestsDouble VPN client->server->client
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I have a server used as a Web and SSH server under Linux. There runs a VPN client, with OpenVPN. If I have properly understood, the VPN changes the routing tables, leading to forwarding all the traffic through the VPN.
Then, when I try to request my Web site hosted on the server, it has become unavailable. I have a very primary knowledge in networking, but what I can assume (feel you free to correct me if I am wrong) is that the request is correctly received by the server through the usual interface, let's name it eth0, but given that the route has changed and passes now through the VPN, the response should be sent on the VPN's interface, which is obviously impossible for security sake.
I looked up the following threads:
https://superuser.com/questions/753736/accessing-a-webserver-hosted-behind-vpn-with-closed-ports-remotely
Reply on the same interface as incoming with DNATed IP
https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming
but unfortunately, they have been unhelpful.
Let's call the VPN's interface tun0. What I would like to do, is to reply to requests on eth0 on the same interface, namely eth0 itself, instead of tun0 as the VPN runs. Another precision, my server is behind a gateway which is different from it (two different IP addresses).
1) Is it possible to do so?
2) What are the different ways to do that?
Thank you in advance for your feedback.
networking vpn routing
asked Jun 8 at 12:25
MothMoth
255 bronze badges
|
show 1 more comment
I have a server used as a Web and SSH server under Linux. There runs a VPN client, with OpenVPN. If I have properly understood, the VPN changes the routing tables, leading to forwarding all the traffic through the VPN.
Then, when I try to request my Web site hosted on the server, it has become unavailable. I have a very primary knowledge in networking, but what I can assume (feel you free to correct me if I am wrong) is that the request is correctly received by the server through the usual interface, let's name it eth0, but given that the route has changed and passes now through the VPN, the response should be sent on the VPN's interface, which is obviously impossible for security sake.
I looked up the following threads:
https://superuser.com/questions/753736/accessing-a-webserver-hosted-behind-vpn-with-closed-ports-remotely
Reply on the same interface as incoming with DNATed IP
https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming
but unfortunately, they have been unhelpful.
Let's call the VPN's interface tun0. What I would like to do, is to reply to requests on eth0 on the same interface, namely eth0 itself, instead of tun0 as the VPN runs. Another precision, my server is behind a gateway which is different from it (two different IP addresses).
1) Is it possible to do so?
2) What are the different ways to do that?
Thank you in advance for your feedback.
networking vpn routing
asked Jun 8 at 12:25
MothMoth
255 bronze badges
1
It is posssible to do such a setup. The question is, what is the purpose of the VPN and which traffic (e.g. destination range) needs to be routed through the VPN tunnel. In such situation I'd try to only route the needed traffic through the tunnel.
– hargut
Jun 8 at 18:03
The server is also a PC. I would like to route the browsers and torrent's traffic through the VPN tunnel, while not tunneling the traffic pertaining to server activities.
– Moth
Jun 8 at 18:30
1
So, in your situation it might be easier to only guide server traffic through eth0. Does the server need to be reachable through vpn inbound traffic?
– hargut
Jun 8 at 20:31
For now, no, it does not. 1) How can we do that, namely guiding the server traffic through eth0? 2) But concerning what you pointed out, I wanted to know how to make my server reachable through the VPN inbound traffic, what would be the way to do that please?
– Moth
Jun 8 at 21:44
1
It is hatd to make any suggestion as there are still too little details on the setup available. The directions could be 1) setup iptable rules that match servers traffic (e.g. source port) and specify the output device device. 2) setup vpn in a routed mode, set iptable rules that match the vpn cidrs and the server traffic, specify the output device tun0. If you have WAN inbound server traffic through VPN it will be more complex. Full details for such setups are not someting that I will do in a serverfault comment. There are too many factors and too little time to explain/clarify all of these.
– hargut
Jun 9 at 6:22
|
show 1 more comment
I have a server used as a Web and SSH server under Linux. There runs a VPN client, with OpenVPN. If I have properly understood, the VPN changes the routing tables, leading to forwarding all the traffic through the VPN.
Then, when I try to request my Web site hosted on the server, it has become unavailable. I have a very primary knowledge in networking, but what I can assume (feel you free to correct me if I am wrong) is that the request is correctly received by the server through the usual interface, let's name it eth0, but given that the route has changed and passes now through the VPN, the response should be sent on the VPN's interface, which is obviously impossible for security sake.
I looked up the following threads:
https://superuser.com/questions/753736/accessing-a-webserver-hosted-behind-vpn-with-closed-ports-remotely
Reply on the same interface as incoming with DNATed IP
https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming
but unfortunately, they have been unhelpful.
Let's call the VPN's interface tun0. What I would like to do, is to reply to requests on eth0 on the same interface, namely eth0 itself, instead of tun0 as the VPN runs. Another precision, my server is behind a gateway which is different from it (two different IP addresses).
1) Is it possible to do so?
2) What are the different ways to do that?
Thank you in advance for your feedback.
networking vpn routing
asked Jun 8 at 12:25
MothMoth
255 bronze badges
I have a server used as a Web and SSH server under Linux. There runs a VPN client, with OpenVPN. If I have properly understood, the VPN changes the routing tables, leading to forwarding all the traffic through the VPN.
Then, when I try to request my Web site hosted on the server, it has become unavailable. I have a very primary knowledge in networking, but what I can assume (feel you free to correct me if I am wrong) is that the request is correctly received by the server through the usual interface, let's name it eth0, but given that the route has changed and passes now through the VPN, the response should be sent on the VPN's interface, which is obviously impossible for security sake.
I looked up the following threads:
https://superuser.com/questions/753736/accessing-a-webserver-hosted-behind-vpn-with-closed-ports-remotely
Reply on the same interface as incoming with DNATed IP
https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming
but unfortunately, they have been unhelpful.
Let's call the VPN's interface tun0. What I would like to do, is to reply to requests on eth0 on the same interface, namely eth0 itself, instead of tun0 as the VPN runs. Another precision, my server is behind a gateway which is different from it (two different IP addresses).
1) Is it possible to do so?
2) What are the different ways to do that?
Thank you in advance for your feedback.
networking vpn routing
networking vpn routing
asked Jun 8 at 12:25
MothMoth
255 bronze badges
asked Jun 8 at 12:25
MothMoth
255 bronze badges
edited Jun 10 at 10:31
Moth
asked Jun 8 at 12:25
MothMoth
255 bronze badges
asked Jun 8 at 12:25
MothMoth
255 bronze badges
asked Jun 8 at 12:25
MothMoth
255 bronze badges
255 bronze badges
1
It is posssible to do such a setup. The question is, what is the purpose of the VPN and which traffic (e.g. destination range) needs to be routed through the VPN tunnel. In such situation I'd try to only route the needed traffic through the tunnel.
– hargut
Jun 8 at 18:03
The server is also a PC. I would like to route the browsers and torrent's traffic through the VPN tunnel, while not tunneling the traffic pertaining to server activities.
– Moth
Jun 8 at 18:30
1
So, in your situation it might be easier to only guide server traffic through eth0. Does the server need to be reachable through vpn inbound traffic?
– hargut
Jun 8 at 20:31
For now, no, it does not. 1) How can we do that, namely guiding the server traffic through eth0? 2) But concerning what you pointed out, I wanted to know how to make my server reachable through the VPN inbound traffic, what would be the way to do that please?
– Moth
Jun 8 at 21:44
1
It is hatd to make any suggestion as there are still too little details on the setup available. The directions could be 1) setup iptable rules that match servers traffic (e.g. source port) and specify the output device device. 2) setup vpn in a routed mode, set iptable rules that match the vpn cidrs and the server traffic, specify the output device tun0. If you have WAN inbound server traffic through VPN it will be more complex. Full details for such setups are not someting that I will do in a serverfault comment. There are too many factors and too little time to explain/clarify all of these.
– hargut
Jun 9 at 6:22
|
show 1 more comment
1
It is posssible to do such a setup. The question is, what is the purpose of the VPN and which traffic (e.g. destination range) needs to be routed through the VPN tunnel. In such situation I'd try to only route the needed traffic through the tunnel.
– hargut
Jun 8 at 18:03
The server is also a PC. I would like to route the browsers and torrent's traffic through the VPN tunnel, while not tunneling the traffic pertaining to server activities.
– Moth
Jun 8 at 18:30
1
So, in your situation it might be easier to only guide server traffic through eth0. Does the server need to be reachable through vpn inbound traffic?
– hargut
Jun 8 at 20:31
For now, no, it does not. 1) How can we do that, namely guiding the server traffic through eth0? 2) But concerning what you pointed out, I wanted to know how to make my server reachable through the VPN inbound traffic, what would be the way to do that please?
– Moth
Jun 8 at 21:44
1
It is hatd to make any suggestion as there are still too little details on the setup available. The directions could be 1) setup iptable rules that match servers traffic (e.g. source port) and specify the output device device. 2) setup vpn in a routed mode, set iptable rules that match the vpn cidrs and the server traffic, specify the output device tun0. If you have WAN inbound server traffic through VPN it will be more complex. Full details for such setups are not someting that I will do in a serverfault comment. There are too many factors and too little time to explain/clarify all of these.
– hargut
Jun 9 at 6:22
1
1
It is posssible to do such a setup. The question is, what is the purpose of the VPN and which traffic (e.g. destination range) needs to be routed through the VPN tunnel. In such situation I'd try to only route the needed traffic through the tunnel.
– hargut
Jun 8 at 18:03
It is posssible to do such a setup. The question is, what is the purpose of the VPN and which traffic (e.g. destination range) needs to be routed through the VPN tunnel. In such situation I'd try to only route the needed traffic through the tunnel.
– hargut
Jun 8 at 18:03
The server is also a PC. I would like to route the browsers and torrent's traffic through the VPN tunnel, while not tunneling the traffic pertaining to server activities.
– Moth
Jun 8 at 18:30
The server is also a PC. I would like to route the browsers and torrent's traffic through the VPN tunnel, while not tunneling the traffic pertaining to server activities.
– Moth
Jun 8 at 18:30
1
1
So, in your situation it might be easier to only guide server traffic through eth0. Does the server need to be reachable through vpn inbound traffic?
– hargut
Jun 8 at 20:31
So, in your situation it might be easier to only guide server traffic through eth0. Does the server need to be reachable through vpn inbound traffic?
– hargut
Jun 8 at 20:31
For now, no, it does not. 1) How can we do that, namely guiding the server traffic through eth0? 2) But concerning what you pointed out, I wanted to know how to make my server reachable through the VPN inbound traffic, what would be the way to do that please?
– Moth
Jun 8 at 21:44
For now, no, it does not. 1) How can we do that, namely guiding the server traffic through eth0? 2) But concerning what you pointed out, I wanted to know how to make my server reachable through the VPN inbound traffic, what would be the way to do that please?
– Moth
Jun 8 at 21:44
1
1
It is hatd to make any suggestion as there are still too little details on the setup available. The directions could be 1) setup iptable rules that match servers traffic (e.g. source port) and specify the output device device. 2) setup vpn in a routed mode, set iptable rules that match the vpn cidrs and the server traffic, specify the output device tun0. If you have WAN inbound server traffic through VPN it will be more complex. Full details for such setups are not someting that I will do in a serverfault comment. There are too many factors and too little time to explain/clarify all of these.
– hargut
Jun 9 at 6:22
It is hatd to make any suggestion as there are still too little details on the setup available. The directions could be 1) setup iptable rules that match servers traffic (e.g. source port) and specify the output device device. 2) setup vpn in a routed mode, set iptable rules that match the vpn cidrs and the server traffic, specify the output device tun0. If you have WAN inbound server traffic through VPN it will be more complex. Full details for such setups are not someting that I will do in a serverfault comment. There are too many factors and too little time to explain/clarify all of these.
– hargut
Jun 9 at 6:22
|
show 1 more comment
1 Answer
1
active
oldest
votes
Finally, to my problematic I found a solution inspired from:
https://lartc.org/howto/lartc.rpdb.multiple-links.html .
Here is how to proceed.
To configure the routing of the server so that it is attainable behind a VPN client, a separate routing table ought to be used to avoid an overlap of routing configurations of the two interfaces.
Let <interface>, <table>, <ip>, <gateway> and <network> be the interface name, the table, the IP address of <interface>, the gateway's IP address, and the IP address of the network (that provided by the ISP), respectively.
The procedure to follow is:
Creation of the specific routing table of
<interface>: creating the new table<table>in/etc/iproute2/rt_tables.Setting a different routing configuration for the interface associated to
<gateway>by means of a specific table.The traffic towards
<network>is associated to the interface<interface>and follows the specific routing table<table>:ip route add <network> dev <interface> src <ip> table <table>Building a default route via this gateway:
ip route add default via <gateway> table <table>On
<interface>, forcing the traffic from<ip>passing through<network>, to use the interface<interface>:ip route add <network> dev <interface> src <ip>The
srcargument is specified to make sure the right outgoing IP address is chosen.Associating the interface to the appropriate
<network>:ip rule add from <ip> table
Key idea:
The key idea to understand, concerning why to use this technique here, is that for any request passing through the ISP node, here <network>, the latter will be an intermediate node of the response's route. This seems obvious, but forgetting it leads to not understand why <network> does matter in the routing configuration of the interface normally used to communicate with the server from outside.
Optional:
Setting the routes for all destinations to pass through
<gateway>instead of through the VPN's gateway. Useful when it is needed to use the VPN only on a case-by-case basis.Let
<vpn>, and<vpn's gateway>be the interface name of the VPN (generallytun0), and the IP address of the VPN's gateway, respectively. Then, the routes for any destinations passing through the VPN, more accurately its gateway<vpn's gateway>, have to be replaced by routes passing through<gateway>:
ip route del 0.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 0.0.0.0/1 via <gateway> dev <interface>
ip route del 128.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 128.0.0.0/1 via <gateway> dev <interface>
0.0.0.0/1 stands for IP addresses ranging from 0.0.0.1 to 127.255.255.255, and 128.0.0.0/1 from 128.0.0.1 to 255.255.254.
Voilà.
answered Jun 10 at 9:30
MothMoth
255 bronze badges
Good solution path, via iproute2 instead of iptables. This is a great way to handle such situation. For the CIDR matcher suggestion, keep in mind that 0.0.0.0/1 and 128.0.0.0/1 match approx. half the internet, only parts of these ranges are reserved for specific purposes (e.g private networks).
– hargut
Jun 10 at 10:42
Thank you for this lightening. What do you mean when you say that it matches approximately half the internet? You want to say that: 1. the other half is for private-purpose, or rather, that 2. it lacks the half of all the IP addresses? (the 2. seems unlikely, I don't think there are IP addresses beyond 255.255.255.255, at any rate with IPv4).
– Moth
Jun 10 at 14:30
The calculation of the ranges in your answer is correct 0.0.0.0/1 from 0.0.0.1 to 127.255.255.255 and 128.0.0.0/1 from 128.0.0.1 to 255.255.255. But each of the the two selectors covers (approx.) half of the ipv4 based internet, and both contain private and public ip's in its range (e.g. 10.0.0.0/8, or 172.16.0.0/16, ...). So if you match either 0.0.0.0/1 or 128.0.0.0/1 for routing through vpn-gateway or gateway it seems not very reasonable, still it could be intended when wanting (approx.) half traffic through vpn-gateway and (approx.) the other half through gateway.
– hargut
Jun 10 at 14:54
Actually, in my answer both 0.0.0.0/1 and 128.0.0.0/1 are routed through<gateway>and not through<vpn's gateway>. But you are right, I think that<vpn's gateway>and<vpn address>don't have to be routed in the<gateway>, otherwise, the VPN would become unreachable. Am I right?
– Moth
Jun 10 at 20:40
Sorry, I've missed the fact that both are routed via the same gateway. In this case a single entry with 0.0.0.0/0 would be more clear.
– hargut
Jun 11 at 5:19
|
show 1 more comment
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f970661%2fmaking-a-server-behind-a-vpn-client-remain-reachable%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Finally, to my problematic I found a solution inspired from:
https://lartc.org/howto/lartc.rpdb.multiple-links.html .
Here is how to proceed.
To configure the routing of the server so that it is attainable behind a VPN client, a separate routing table ought to be used to avoid an overlap of routing configurations of the two interfaces.
Let <interface>, <table>, <ip>, <gateway> and <network> be the interface name, the table, the IP address of <interface>, the gateway's IP address, and the IP address of the network (that provided by the ISP), respectively.
The procedure to follow is:
Creation of the specific routing table of
<interface>: creating the new table<table>in/etc/iproute2/rt_tables.Setting a different routing configuration for the interface associated to
<gateway>by means of a specific table.The traffic towards
<network>is associated to the interface<interface>and follows the specific routing table<table>:ip route add <network> dev <interface> src <ip> table <table>Building a default route via this gateway:
ip route add default via <gateway> table <table>On
<interface>, forcing the traffic from<ip>passing through<network>, to use the interface<interface>:ip route add <network> dev <interface> src <ip>The
srcargument is specified to make sure the right outgoing IP address is chosen.Associating the interface to the appropriate
<network>:ip rule add from <ip> table
Key idea:
The key idea to understand, concerning why to use this technique here, is that for any request passing through the ISP node, here <network>, the latter will be an intermediate node of the response's route. This seems obvious, but forgetting it leads to not understand why <network> does matter in the routing configuration of the interface normally used to communicate with the server from outside.
Optional:
Setting the routes for all destinations to pass through
<gateway>instead of through the VPN's gateway. Useful when it is needed to use the VPN only on a case-by-case basis.Let
<vpn>, and<vpn's gateway>be the interface name of the VPN (generallytun0), and the IP address of the VPN's gateway, respectively. Then, the routes for any destinations passing through the VPN, more accurately its gateway<vpn's gateway>, have to be replaced by routes passing through<gateway>:
ip route del 0.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 0.0.0.0/1 via <gateway> dev <interface>
ip route del 128.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 128.0.0.0/1 via <gateway> dev <interface>
0.0.0.0/1 stands for IP addresses ranging from 0.0.0.1 to 127.255.255.255, and 128.0.0.0/1 from 128.0.0.1 to 255.255.254.
Voilà.
answered Jun 10 at 9:30
MothMoth
255 bronze badges
Good solution path, via iproute2 instead of iptables. This is a great way to handle such situation. For the CIDR matcher suggestion, keep in mind that 0.0.0.0/1 and 128.0.0.0/1 match approx. half the internet, only parts of these ranges are reserved for specific purposes (e.g private networks).
– hargut
Jun 10 at 10:42
Thank you for this lightening. What do you mean when you say that it matches approximately half the internet? You want to say that: 1. the other half is for private-purpose, or rather, that 2. it lacks the half of all the IP addresses? (the 2. seems unlikely, I don't think there are IP addresses beyond 255.255.255.255, at any rate with IPv4).
– Moth
Jun 10 at 14:30
The calculation of the ranges in your answer is correct 0.0.0.0/1 from 0.0.0.1 to 127.255.255.255 and 128.0.0.0/1 from 128.0.0.1 to 255.255.255. But each of the the two selectors covers (approx.) half of the ipv4 based internet, and both contain private and public ip's in its range (e.g. 10.0.0.0/8, or 172.16.0.0/16, ...). So if you match either 0.0.0.0/1 or 128.0.0.0/1 for routing through vpn-gateway or gateway it seems not very reasonable, still it could be intended when wanting (approx.) half traffic through vpn-gateway and (approx.) the other half through gateway.
– hargut
Jun 10 at 14:54
Actually, in my answer both 0.0.0.0/1 and 128.0.0.0/1 are routed through<gateway>and not through<vpn's gateway>. But you are right, I think that<vpn's gateway>and<vpn address>don't have to be routed in the<gateway>, otherwise, the VPN would become unreachable. Am I right?
– Moth
Jun 10 at 20:40
Sorry, I've missed the fact that both are routed via the same gateway. In this case a single entry with 0.0.0.0/0 would be more clear.
– hargut
Jun 11 at 5:19
|
show 1 more comment
Finally, to my problematic I found a solution inspired from:
https://lartc.org/howto/lartc.rpdb.multiple-links.html .
Here is how to proceed.
To configure the routing of the server so that it is attainable behind a VPN client, a separate routing table ought to be used to avoid an overlap of routing configurations of the two interfaces.
Let <interface>, <table>, <ip>, <gateway> and <network> be the interface name, the table, the IP address of <interface>, the gateway's IP address, and the IP address of the network (that provided by the ISP), respectively.
The procedure to follow is:
Creation of the specific routing table of
<interface>: creating the new table<table>in/etc/iproute2/rt_tables.Setting a different routing configuration for the interface associated to
<gateway>by means of a specific table.The traffic towards
<network>is associated to the interface<interface>and follows the specific routing table<table>:ip route add <network> dev <interface> src <ip> table <table>Building a default route via this gateway:
ip route add default via <gateway> table <table>On
<interface>, forcing the traffic from<ip>passing through<network>, to use the interface<interface>:ip route add <network> dev <interface> src <ip>The
srcargument is specified to make sure the right outgoing IP address is chosen.Associating the interface to the appropriate
<network>:ip rule add from <ip> table
Key idea:
The key idea to understand, concerning why to use this technique here, is that for any request passing through the ISP node, here <network>, the latter will be an intermediate node of the response's route. This seems obvious, but forgetting it leads to not understand why <network> does matter in the routing configuration of the interface normally used to communicate with the server from outside.
Optional:
Setting the routes for all destinations to pass through
<gateway>instead of through the VPN's gateway. Useful when it is needed to use the VPN only on a case-by-case basis.Let
<vpn>, and<vpn's gateway>be the interface name of the VPN (generallytun0), and the IP address of the VPN's gateway, respectively. Then, the routes for any destinations passing through the VPN, more accurately its gateway<vpn's gateway>, have to be replaced by routes passing through<gateway>:
ip route del 0.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 0.0.0.0/1 via <gateway> dev <interface>
ip route del 128.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 128.0.0.0/1 via <gateway> dev <interface>
0.0.0.0/1 stands for IP addresses ranging from 0.0.0.1 to 127.255.255.255, and 128.0.0.0/1 from 128.0.0.1 to 255.255.254.
Voilà.
answered Jun 10 at 9:30
MothMoth
255 bronze badges
Good solution path, via iproute2 instead of iptables. This is a great way to handle such situation. For the CIDR matcher suggestion, keep in mind that 0.0.0.0/1 and 128.0.0.0/1 match approx. half the internet, only parts of these ranges are reserved for specific purposes (e.g private networks).
– hargut
Jun 10 at 10:42
Thank you for this lightening. What do you mean when you say that it matches approximately half the internet? You want to say that: 1. the other half is for private-purpose, or rather, that 2. it lacks the half of all the IP addresses? (the 2. seems unlikely, I don't think there are IP addresses beyond 255.255.255.255, at any rate with IPv4).
– Moth
Jun 10 at 14:30
The calculation of the ranges in your answer is correct 0.0.0.0/1 from 0.0.0.1 to 127.255.255.255 and 128.0.0.0/1 from 128.0.0.1 to 255.255.255. But each of the the two selectors covers (approx.) half of the ipv4 based internet, and both contain private and public ip's in its range (e.g. 10.0.0.0/8, or 172.16.0.0/16, ...). So if you match either 0.0.0.0/1 or 128.0.0.0/1 for routing through vpn-gateway or gateway it seems not very reasonable, still it could be intended when wanting (approx.) half traffic through vpn-gateway and (approx.) the other half through gateway.
– hargut
Jun 10 at 14:54
Actually, in my answer both 0.0.0.0/1 and 128.0.0.0/1 are routed through<gateway>and not through<vpn's gateway>. But you are right, I think that<vpn's gateway>and<vpn address>don't have to be routed in the<gateway>, otherwise, the VPN would become unreachable. Am I right?
– Moth
Jun 10 at 20:40
Sorry, I've missed the fact that both are routed via the same gateway. In this case a single entry with 0.0.0.0/0 would be more clear.
– hargut
Jun 11 at 5:19
|
show 1 more comment
Finally, to my problematic I found a solution inspired from:
https://lartc.org/howto/lartc.rpdb.multiple-links.html .
Here is how to proceed.
To configure the routing of the server so that it is attainable behind a VPN client, a separate routing table ought to be used to avoid an overlap of routing configurations of the two interfaces.
Let <interface>, <table>, <ip>, <gateway> and <network> be the interface name, the table, the IP address of <interface>, the gateway's IP address, and the IP address of the network (that provided by the ISP), respectively.
The procedure to follow is:
Creation of the specific routing table of
<interface>: creating the new table<table>in/etc/iproute2/rt_tables.Setting a different routing configuration for the interface associated to
<gateway>by means of a specific table.The traffic towards
<network>is associated to the interface<interface>and follows the specific routing table<table>:ip route add <network> dev <interface> src <ip> table <table>Building a default route via this gateway:
ip route add default via <gateway> table <table>On
<interface>, forcing the traffic from<ip>passing through<network>, to use the interface<interface>:ip route add <network> dev <interface> src <ip>The
srcargument is specified to make sure the right outgoing IP address is chosen.Associating the interface to the appropriate
<network>:ip rule add from <ip> table
Key idea:
The key idea to understand, concerning why to use this technique here, is that for any request passing through the ISP node, here <network>, the latter will be an intermediate node of the response's route. This seems obvious, but forgetting it leads to not understand why <network> does matter in the routing configuration of the interface normally used to communicate with the server from outside.
Optional:
Setting the routes for all destinations to pass through
<gateway>instead of through the VPN's gateway. Useful when it is needed to use the VPN only on a case-by-case basis.Let
<vpn>, and<vpn's gateway>be the interface name of the VPN (generallytun0), and the IP address of the VPN's gateway, respectively. Then, the routes for any destinations passing through the VPN, more accurately its gateway<vpn's gateway>, have to be replaced by routes passing through<gateway>:
ip route del 0.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 0.0.0.0/1 via <gateway> dev <interface>
ip route del 128.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 128.0.0.0/1 via <gateway> dev <interface>
0.0.0.0/1 stands for IP addresses ranging from 0.0.0.1 to 127.255.255.255, and 128.0.0.0/1 from 128.0.0.1 to 255.255.254.
Voilà.
answered Jun 10 at 9:30
MothMoth
255 bronze badges
Finally, to my problematic I found a solution inspired from:
https://lartc.org/howto/lartc.rpdb.multiple-links.html .
Here is how to proceed.
To configure the routing of the server so that it is attainable behind a VPN client, a separate routing table ought to be used to avoid an overlap of routing configurations of the two interfaces.
Let <interface>, <table>, <ip>, <gateway> and <network> be the interface name, the table, the IP address of <interface>, the gateway's IP address, and the IP address of the network (that provided by the ISP), respectively.
The procedure to follow is:
Creation of the specific routing table of
<interface>: creating the new table<table>in/etc/iproute2/rt_tables.Setting a different routing configuration for the interface associated to
<gateway>by means of a specific table.The traffic towards
<network>is associated to the interface<interface>and follows the specific routing table<table>:ip route add <network> dev <interface> src <ip> table <table>Building a default route via this gateway:
ip route add default via <gateway> table <table>On
<interface>, forcing the traffic from<ip>passing through<network>, to use the interface<interface>:ip route add <network> dev <interface> src <ip>The
srcargument is specified to make sure the right outgoing IP address is chosen.Associating the interface to the appropriate
<network>:ip rule add from <ip> table
Key idea:
The key idea to understand, concerning why to use this technique here, is that for any request passing through the ISP node, here <network>, the latter will be an intermediate node of the response's route. This seems obvious, but forgetting it leads to not understand why <network> does matter in the routing configuration of the interface normally used to communicate with the server from outside.
Optional:
Setting the routes for all destinations to pass through
<gateway>instead of through the VPN's gateway. Useful when it is needed to use the VPN only on a case-by-case basis.Let
<vpn>, and<vpn's gateway>be the interface name of the VPN (generallytun0), and the IP address of the VPN's gateway, respectively. Then, the routes for any destinations passing through the VPN, more accurately its gateway<vpn's gateway>, have to be replaced by routes passing through<gateway>:
ip route del 0.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 0.0.0.0/1 via <gateway> dev <interface>
ip route del 128.0.0.0/1 via <vpn's gateway> dev <vpn>
ip route add 128.0.0.0/1 via <gateway> dev <interface>
0.0.0.0/1 stands for IP addresses ranging from 0.0.0.1 to 127.255.255.255, and 128.0.0.0/1 from 128.0.0.1 to 255.255.254.
Voilà.
answered Jun 10 at 9:30
MothMoth
255 bronze badges
edited Jun 11 at 10:41
answered Jun 10 at 9:30
MothMoth
255 bronze badges
answered Jun 10 at 9:30
MothMoth
255 bronze badges
answered Jun 10 at 9:30
MothMoth
255 bronze badges
255 bronze badges
Good solution path, via iproute2 instead of iptables. This is a great way to handle such situation. For the CIDR matcher suggestion, keep in mind that 0.0.0.0/1 and 128.0.0.0/1 match approx. half the internet, only parts of these ranges are reserved for specific purposes (e.g private networks).
– hargut
Jun 10 at 10:42
Thank you for this lightening. What do you mean when you say that it matches approximately half the internet? You want to say that: 1. the other half is for private-purpose, or rather, that 2. it lacks the half of all the IP addresses? (the 2. seems unlikely, I don't think there are IP addresses beyond 255.255.255.255, at any rate with IPv4).
– Moth
Jun 10 at 14:30
The calculation of the ranges in your answer is correct 0.0.0.0/1 from 0.0.0.1 to 127.255.255.255 and 128.0.0.0/1 from 128.0.0.1 to 255.255.255. But each of the the two selectors covers (approx.) half of the ipv4 based internet, and both contain private and public ip's in its range (e.g. 10.0.0.0/8, or 172.16.0.0/16, ...). So if you match either 0.0.0.0/1 or 128.0.0.0/1 for routing through vpn-gateway or gateway it seems not very reasonable, still it could be intended when wanting (approx.) half traffic through vpn-gateway and (approx.) the other half through gateway.
– hargut
Jun 10 at 14:54
Actually, in my answer both 0.0.0.0/1 and 128.0.0.0/1 are routed through<gateway>and not through<vpn's gateway>. But you are right, I think that<vpn's gateway>and<vpn address>don't have to be routed in the<gateway>, otherwise, the VPN would become unreachable. Am I right?
– Moth
Jun 10 at 20:40
Sorry, I've missed the fact that both are routed via the same gateway. In this case a single entry with 0.0.0.0/0 would be more clear.
– hargut
Jun 11 at 5:19
|
show 1 more comment
Good solution path, via iproute2 instead of iptables. This is a great way to handle such situation. For the CIDR matcher suggestion, keep in mind that 0.0.0.0/1 and 128.0.0.0/1 match approx. half the internet, only parts of these ranges are reserved for specific purposes (e.g private networks).
– hargut
Jun 10 at 10:42
Thank you for this lightening. What do you mean when you say that it matches approximately half the internet? You want to say that: 1. the other half is for private-purpose, or rather, that 2. it lacks the half of all the IP addresses? (the 2. seems unlikely, I don't think there are IP addresses beyond 255.255.255.255, at any rate with IPv4).
– Moth
Jun 10 at 14:30
The calculation of the ranges in your answer is correct 0.0.0.0/1 from 0.0.0.1 to 127.255.255.255 and 128.0.0.0/1 from 128.0.0.1 to 255.255.255. But each of the the two selectors covers (approx.) half of the ipv4 based internet, and both contain private and public ip's in its range (e.g. 10.0.0.0/8, or 172.16.0.0/16, ...). So if you match either 0.0.0.0/1 or 128.0.0.0/1 for routing through vpn-gateway or gateway it seems not very reasonable, still it could be intended when wanting (approx.) half traffic through vpn-gateway and (approx.) the other half through gateway.
– hargut
Jun 10 at 14:54
Actually, in my answer both 0.0.0.0/1 and 128.0.0.0/1 are routed through<gateway>and not through<vpn's gateway>. But you are right, I think that<vpn's gateway>and<vpn address>don't have to be routed in the<gateway>, otherwise, the VPN would become unreachable. Am I right?
– Moth
Jun 10 at 20:40
Sorry, I've missed the fact that both are routed via the same gateway. In this case a single entry with 0.0.0.0/0 would be more clear.
– hargut
Jun 11 at 5:19
Good solution path, via iproute2 instead of iptables. This is a great way to handle such situation. For the CIDR matcher suggestion, keep in mind that 0.0.0.0/1 and 128.0.0.0/1 match approx. half the internet, only parts of these ranges are reserved for specific purposes (e.g private networks).
– hargut
Jun 10 at 10:42
Good solution path, via iproute2 instead of iptables. This is a great way to handle such situation. For the CIDR matcher suggestion, keep in mind that 0.0.0.0/1 and 128.0.0.0/1 match approx. half the internet, only parts of these ranges are reserved for specific purposes (e.g private networks).
– hargut
Jun 10 at 10:42
Thank you for this lightening. What do you mean when you say that it matches approximately half the internet? You want to say that: 1. the other half is for private-purpose, or rather, that 2. it lacks the half of all the IP addresses? (the 2. seems unlikely, I don't think there are IP addresses beyond 255.255.255.255, at any rate with IPv4).
– Moth
Jun 10 at 14:30
Thank you for this lightening. What do you mean when you say that it matches approximately half the internet? You want to say that: 1. the other half is for private-purpose, or rather, that 2. it lacks the half of all the IP addresses? (the 2. seems unlikely, I don't think there are IP addresses beyond 255.255.255.255, at any rate with IPv4).
– Moth
Jun 10 at 14:30
The calculation of the ranges in your answer is correct 0.0.0.0/1 from 0.0.0.1 to 127.255.255.255 and 128.0.0.0/1 from 128.0.0.1 to 255.255.255. But each of the the two selectors covers (approx.) half of the ipv4 based internet, and both contain private and public ip's in its range (e.g. 10.0.0.0/8, or 172.16.0.0/16, ...). So if you match either 0.0.0.0/1 or 128.0.0.0/1 for routing through vpn-gateway or gateway it seems not very reasonable, still it could be intended when wanting (approx.) half traffic through vpn-gateway and (approx.) the other half through gateway.
– hargut
Jun 10 at 14:54
The calculation of the ranges in your answer is correct 0.0.0.0/1 from 0.0.0.1 to 127.255.255.255 and 128.0.0.0/1 from 128.0.0.1 to 255.255.255. But each of the the two selectors covers (approx.) half of the ipv4 based internet, and both contain private and public ip's in its range (e.g. 10.0.0.0/8, or 172.16.0.0/16, ...). So if you match either 0.0.0.0/1 or 128.0.0.0/1 for routing through vpn-gateway or gateway it seems not very reasonable, still it could be intended when wanting (approx.) half traffic through vpn-gateway and (approx.) the other half through gateway.
– hargut
Jun 10 at 14:54
Actually, in my answer both 0.0.0.0/1 and 128.0.0.0/1 are routed through
<gateway> and not through <vpn's gateway>. But you are right, I think that <vpn's gateway> and <vpn address> don't have to be routed in the <gateway>, otherwise, the VPN would become unreachable. Am I right?– Moth
Jun 10 at 20:40
Actually, in my answer both 0.0.0.0/1 and 128.0.0.0/1 are routed through
<gateway> and not through <vpn's gateway>. But you are right, I think that <vpn's gateway> and <vpn address> don't have to be routed in the <gateway>, otherwise, the VPN would become unreachable. Am I right?– Moth
Jun 10 at 20:40
Sorry, I've missed the fact that both are routed via the same gateway. In this case a single entry with 0.0.0.0/0 would be more clear.
– hargut
Jun 11 at 5:19
Sorry, I've missed the fact that both are routed via the same gateway. In this case a single entry with 0.0.0.0/0 would be more clear.
– hargut
Jun 11 at 5:19
|
show 1 more comment
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f970661%2fmaking-a-server-behind-a-vpn-client-remain-reachable%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
It is posssible to do such a setup. The question is, what is the purpose of the VPN and which traffic (e.g. destination range) needs to be routed through the VPN tunnel. In such situation I'd try to only route the needed traffic through the tunnel.
– hargut
Jun 8 at 18:03
The server is also a PC. I would like to route the browsers and torrent's traffic through the VPN tunnel, while not tunneling the traffic pertaining to server activities.
– Moth
Jun 8 at 18:30
1
So, in your situation it might be easier to only guide server traffic through eth0. Does the server need to be reachable through vpn inbound traffic?
– hargut
Jun 8 at 20:31
For now, no, it does not. 1) How can we do that, namely guiding the server traffic through eth0? 2) But concerning what you pointed out, I wanted to know how to make my server reachable through the VPN inbound traffic, what would be the way to do that please?
– Moth
Jun 8 at 21:44
1
It is hatd to make any suggestion as there are still too little details on the setup available. The directions could be 1) setup iptable rules that match servers traffic (e.g. source port) and specify the output device device. 2) setup vpn in a routed mode, set iptable rules that match the vpn cidrs and the server traffic, specify the output device tun0. If you have WAN inbound server traffic through VPN it will be more complex. Full details for such setups are not someting that I will do in a serverfault comment. There are too many factors and too little time to explain/clarify all of these.
– hargut
Jun 9 at 6:22