
#1 2017-06-27 16:06:21

7thSon
Member
Registered: 2017-05-07
Posts: 186

[SOLVED] OpenVPN route only specific traffic through VPN

I have been searching like crazy to find a working way to set up OpenVPN (without Network Manager), to route all traffic for Deluge through the VPN and all other traffic through regular eth0.

What I've found are two iptables commands that work in order to get all Deluge traffic routed to tun0:

#allow local traffic
sudo iptables -A OUTPUT -m owner --gid-owner deluge -o lo -j ACCEPT
#force deluge user traffic through tun0
sudo iptables -A OUTPUT -m owner --gid-owner deluge \! -o tun0 -j REJECT

This works with the deluge user and I can see that any attempt to ping 8.8.8.8 fails if I disconnect the VPN.
However, I still need a way to let all traffic from my main user through the eth0 interface.
My VPN provider by default pushes routes to force all traffic through the VPN, I've tried two approaches to remedy this:

In openvpn conf file:
route-nopull

or:
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

Both of the above approaches allow my main user to bypass the tun0 interface, but they also cut off all traffic to deluge.
So what can I do to get all traffic from "myuser" to eth0 while still keeping all traffic from the "deluge" user routed through tun0?
Is there a way to reliably route all traffic from "myuser" on tun0 to eth0 if I let OpenVPN keep pushing routes instead of doing the above?

Last edited by 7thSon (2017-12-15 23:06:24)


#2 2017-06-27 19:35:28

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] OpenVPN route only specific traffic through VPN

It's ugly, requiring packet marking and then also a routing table entry. See:

https://askubuntu.com/questions/104400/ … r-interfac
https://www.niftiestsoftware.com/2011/0 … interface/


#3 2017-07-07 14:11:04

7thSon
Member
Registered: 2017-05-07
Posts: 186

Re: [SOLVED] OpenVPN route only specific traffic through VPN

brebs wrote:

It's ugly, requiring packet marking and then also a routing table entry. See:

https://askubuntu.com/questions/104400/ … r-interfac
https://www.niftiestsoftware.com/2011/0 … interface/

So I'm still working on getting this set up, here is where I'm at:

#allow local traffic
sudo iptables -A OUTPUT -m owner --gid-owner deluge -o lo -j ACCEPT

#force deluge user traffic through tun0
sudo iptables -A OUTPUT -m owner --gid-owner deluge \! -o tun0 -j REJECT

#mark all traffic not by user "deluge" with "1"
sudo iptables -t mangle -A OUTPUT -m owner \! --gid-owner deluge -j MARK --set-mark 1

#add marked traffic to routing table 1
sudo ip rule add fwmark 1 table 1

#route traffic from table 1 to enp5s0
sudo ip route add 0.0.0.0/0 table 1 dev enp5s0

This still seems to be pulling all traffic to tun0, as my IP online is still the VPN IP.
Am I missing something in the above commands?

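The two pieces 7thSon posts in #1 (the owner-match kill switch) and #3 (fwmark, ip rule, extra table) can be combined the other way round: mark the deluge group's traffic and send it to a table whose only default route is tun0, and let "route-nopull" keep the main table on the LAN. The script below is an added example, not the poster's commands and not the code from the linked articles. It assumes the names from the thread (group deluge, tun0), that routing table 100 and mark 0x1 are unused, and that the OpenVPN client config contains route-nopull; all of those are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not code from the thread: policy-based routing so that only
# processes running under the "deluge" group leave through tun0 while everything
# else keeps using the LAN interface. Assumes the OpenVPN client config contains
# "route-nopull", so the main table's default route stays on the LAN, and that
# routing table 100 and mark 0x1 are otherwise unused (both are assumptions).
set -eu

VPN_GROUP="${VPN_GROUP:-deluge}"
VPN_IF="${VPN_IF:-tun0}"
VPN_TABLE="${VPN_TABLE:-100}"
VPN_MARK="${VPN_MARK:-0x1}"
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the commands instead of executing them

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

vpn_up() {
    # 1. Mark every packet generated by the group. For locally generated packets the
    #    mark is set after the first route lookup, and the kernel then re-routes them.
    run iptables -t mangle -A OUTPUT -m owner --gid-owner "$VPN_GROUP" -j MARK --set-mark "$VPN_MARK"
    # 2. Marked packets use a table whose only default route is the tunnel. tun devices
    #    are point-to-point, so a plain "dev" route needs no gateway address.
    run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE"
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    # 3. The source address was chosen against the main table (the LAN address) before
    #    the mark existed, so rewrite it to the tunnel address on the way out.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # 4. Replies arrive on tun0 from addresses the main table says are reached via the LAN;
    #    strict reverse-path filtering would drop them, so use loose mode on tun0.
    run sysctl -q -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    # 5. Kill switch. If the tunnel goes away, the lookup in table 100 finds nothing and
    #    falls through to the main table, i.e. the LAN. These rules stop that: loopback
    #    stays allowed, anything else not leaving via tun0 is rejected, and IPv6 (which
    #    the tunnel does not carry here) is rejected outright for the group.
    run iptables -A OUTPUT -m owner --gid-owner "$VPN_GROUP" -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --gid-owner "$VPN_GROUP" ! -o "$VPN_IF" -j REJECT
    run ip6tables -A OUTPUT -m owner --gid-owner "$VPN_GROUP" ! -o lo -j REJECT
}

vpn_down() {
    run ip6tables -D OUTPUT -m owner --gid-owner "$VPN_GROUP" ! -o lo -j REJECT
    run iptables -D OUTPUT -m owner --gid-owner "$VPN_GROUP" ! -o "$VPN_IF" -j REJECT
    run iptables -D OUTPUT -m owner --gid-owner "$VPN_GROUP" -o lo -j ACCEPT
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run ip route flush table "$VPN_TABLE"
    run ip rule del fwmark "$VPN_MARK" table "$VPN_TABLE"
    run iptables -t mangle -D OUTPUT -m owner --gid-owner "$VPN_GROUP" -j MARK --set-mark "$VPN_MARK"
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it as root with "up" once OpenVPN is connected and "down" before disconnecting. To check it, compare `sg deluge -c 'wget -qO- http://ipecho.net/plain'` with a plain `wget -qO- http://ipecho.net/plain`: the first must show the VPN address and the second the LAN address. Then stop OpenVPN and repeat the `sg` command; it must fail, not print the LAN address. Two things this does that the command list in #3 does not: the table gets a route over a point-to-point device (a default route with only "dev enp5s0" on an Ethernet interface makes the kernel ARP for every destination), and the source address is rewritten, since the socket's address was already bound to the LAN interface before the mark rerouted the packet. DNS is the remaining caveat: name lookups from the group go to whatever /etc/resolv.conf says, so a local stub resolver on 127.0.0.1 would forward them over the LAN outside the tunnel.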

#4 2017-07-16 16:34:20

7thSon
Member
Registered: 2017-05-07
Posts: 186

Re: [SOLVED] OpenVPN route only specific traffic through VPN

Would anybody be able to help me get on track with this? I'm unable to figure out how to combine the two methods in the links suggested by brebs to get this to work hmm


#5 2017-07-24 22:11:17

7thSon
Member
Registered: 2017-05-07
Posts: 186

Re: [SOLVED] OpenVPN route only specific traffic through VPN

Bump?


#6 2017-07-24 22:20:25

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [SOLVED] OpenVPN route only specific traffic through VPN


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#7 2017-07-24 22:26:30

7thSon
Member
Registered: 2017-05-07
Posts: 186

Re: [SOLVED] OpenVPN route only specific traffic through VPN

Fair enough, but am I vague in my question, or is this a tricky issue?
I'm very stuck with this unfortunately hmm


#8 2017-07-24 22:53:47

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: [SOLVED] OpenVPN route only specific traffic through VPN

The solution is messy and tricky. It's generally called Policy Based Routing, which may assist you with Googling.

I wrote a script to help with this a long time ago -- it doesn't cater to doing it for user specific packets, but it might help give you a base to work from: https://github.com/fukawi2/pb-route


#9 2017-07-25 00:44:15

CarbonChauvinist
Member
Registered: 2012-06-16
Posts: 413

Re: [SOLVED] OpenVPN route only specific traffic through VPN

This guy's video breaks down his method using systemd nspawn containers and it seems like it might work well for your needs.


"the wind-blown way, wanna win? don't play"


#10 2017-08-05 12:41:57

7thSon
Member
Registered: 2017-05-07
Posts: 186

Re: [SOLVED] OpenVPN route only specific traffic through VPN

Finally got some time to give this another try. Thanks for the suggestions; however, both the script you suggest, fukawi2, and the video on nspawn containers are way above my understanding of these things hmm
Instead I found this example of using a namespace to do the same thing; https://superuser.com/questions/983727/ … hrough-vpn

I've been trying to set this up as per the instructions, but I'm having some issues, specifically that deluge won't start from within the xterm or XFCE4 terminal launched in the new namespace.
I got a DBUS error when running deluge in the new namespace terminal:

Traceback (most recent call last):
  File "/usr/bin/deluge", line 11, in <module>
    load_entry_point('deluge==1.3.15', 'gui_scripts', 'deluge')()
  File "/usr/lib/python2.7/site-packages/deluge/main.py", line 137, in start_ui
    UI(options, args, options.args)
  File "/usr/lib/python2.7/site-packages/deluge/ui/ui.py", line 153, in __init__
    ui = GtkUI(args)
  File "/usr/lib/python2.7/site-packages/deluge/ui/gtkui/gtkui.py", line 233, in __init__
    common.associate_magnet_links(False)
  File "/usr/lib/python2.7/site-packages/deluge/ui/gtkui/common.py", line 255, in associate_magnet_links
    if (gconf_client.get(key) and overwrite) or not gconf_client.get(key):
glib.GError: Client failed to connect to the D-BUS daemon:
Using X11 for dbus-daemon autolaunch was disabled at compile time, set your DBUS_SESSION_BUS_ADDRESS instead

Found something on Google which said to insert "export $(dbus-launch)" into the script launching the new terminal. This seems to take the problem one step forward; now when trying to launch deluge I get this:

Traceback (most recent call last):
  File "/usr/bin/deluge", line 11, in <module>
    load_entry_point('deluge==1.3.15', 'gui_scripts', 'deluge')()
  File "/usr/lib/python2.7/site-packages/deluge/main.py", line 137, in start_ui
    UI(options, args, options.args)
  File "/usr/lib/python2.7/site-packages/deluge/ui/ui.py", line 153, in __init__
    ui = GtkUI(args)
  File "/usr/lib/python2.7/site-packages/deluge/ui/gtkui/gtkui.py", line 233, in __init__
    common.associate_magnet_links(False)
  File "/usr/lib/python2.7/site-packages/deluge/ui/gtkui/common.py", line 255, in associate_magnet_links
    if (gconf_client.get(key) and overwrite) or not gconf_client.get(key):
glib.GError: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-j64gCLCX4o: Connection refused

I did find that running openvpn in the new namespace didn't affect the default one I had, so the script seems to work quite well.
What I need to figure out now is how to:

  1. Connect to openvpn and be able to continue after the openvpn command (adding "&" at the end of it doesn't work; maybe I need to run this in a separate script?)

  2. Get deluge to launch without errors.

  3. Delete the new namespace after deluge closes.

  4. Preferably launch xterm/XFCE4 terminal invisibly in the background so that deluge is the only visible window.

Last edited by 7thSon (2017-08-05 12:42:30)


#11 2017-08-06 13:27:30

7thSon
Member
Registered: 2017-05-07
Posts: 186

Re: [SOLVED] OpenVPN route only specific traffic through VPN

I've managed to make some progress with this now, using the script found here; https://github.com/crasm/vpnshift.sh
I got openvpn connected, and deluge running by adding "export $(dbus-launch)" to the script above, and starting deluged (deluge daemon) before the gui in the vpn namespace.

Some issues still persist though, I get an error in the terminal about the deluge daemon, this is strange as I don't have the daemon running before I run the script.

[ERROR   ] 14:52:42 main:243 There is a deluge daemon running with this config directory!
[ERROR   ] 14:52:42 main:244 You cannot run multiple daemons with the same config directory set.
[ERROR   ] 14:52:42 main:245 If you believe this is an error, you can force a start by deleting /home/user/.config/deluge/deluged.pid

Also there are some errors from openvpn, but I don't know if these are critical or not:

Sun Aug  6 15:15:35 2017 RESOLVE: Cannot resolve host address: pool.prd.se.ovpn.com:443 (Name or service not known)
Sun Aug  6 15:15:35 2017 Could not determine IPv4/IPv6 protocol

However the big issue is that deluge is not accepting any connections; I get no traffic uploading or downloading at all.
I can verify this since the command "wget -qO- http://ipecho.net/plain ; echo" outputs my public IP address in a terminal outside the vpn namespace, but inside it the result is blank.

So how come there is no traffic in the vpn namespace? hmm

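The network-namespace route that 7thSon follows in #10 and #11 (the superuser answer and vpnshift.sh) can be scripted end to end so that OpenVPN is started detached, the application gets its own session bus, and the namespace is torn down afterwards. The script below is an added example; it is neither vpnshift.sh nor the poster's script. It assumes the LAN interface and deluge user from the thread, a veth subnet of 10.200.1.0/24, a resolver of 9.9.9.9, a client config path, and the VPN port and protocol; all of these are assumptions to adjust. The resolver file it writes is the part most easily forgotten: ip-netns(8) bind-mounts /etc/netns/<name>/resolv.conf over /etc/resolv.conf for anything run with ip netns exec, which is how a namespace gets a resolver of its own instead of the host's (possibly loopback-only) one.

```shell
#!/bin/sh
# Added example (not code from the thread or from vpnshift.sh): run one application
# inside its own network namespace whose only way out is an OpenVPN tunnel.
# Namespace name, veth addresses, resolver, VPN port/protocol, config path and the
# application user are all assumptions.
set -eu

NS="${NS:-vpn}"                                   # namespace name
HOST_IF="${HOST_IF:-enp5s0}"                      # host uplink that NATs the namespace
VETH_HOST="${VETH_HOST:-veth-${NS}0}"
VETH_NS="${VETH_NS:-veth-${NS}1}"
HOST_ADDR="${HOST_ADDR:-10.200.1.1}"              # assumed free /24 for the veth link
NS_ADDR="${NS_ADDR:-10.200.1.2}"
NAMESERVER="${NAMESERVER:-9.9.9.9}"               # resolver visible inside the namespace
OVPN_CONF="${OVPN_CONF:-/etc/openvpn/client/provider.conf}"
VPN_PROTO="${VPN_PROTO:-udp}"                     # protocol/port of the provider's server
VPN_PORT="${VPN_PORT:-1194}"
APP_USER="${APP_USER:-deluge}"
PIDFILE="/run/openvpn-${NS}.pid"
DRY_RUN="${DRY_RUN:-0}"                           # DRY_RUN=1 prints commands instead

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }
in_ns() { run ip netns exec "$NS" "$@"; }
write_file() {  # write_file PATH CONTENT
    if [ "$DRY_RUN" = "1" ]; then printf 'write %s <- %s\n' "$1" "$2"; else printf '%s\n' "$2" > "$1"; fi
}

ns_up() {
    run ip netns add "$NS"
    # A veth pair: one end stays on the host, the other is moved into the namespace.
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_ADDR/24" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    in_ns ip addr add "$NS_ADDR/24" dev "$VETH_NS"
    in_ns ip link set "$VETH_NS" up
    in_ns ip link set lo up
    in_ns ip route add default via "$HOST_ADDR"
    # ip netns exec bind-mounts /etc/netns/<name>/resolv.conf over /etc/resolv.conf,
    # so the namespace gets its own resolver rather than the host's file.
    run mkdir -p "/etc/netns/$NS"
    write_file "/etc/netns/$NS/resolv.conf" "nameserver $NAMESERVER"
    # Host side: forward and NAT the namespace so OpenVPN can reach its server.
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NS_ADDR" -o "$HOST_IF" -j MASQUERADE
    # Kill switch inside the namespace: via the veth only DNS and the VPN handshake may
    # leave; everything else must use tun0. If the tunnel drops, the application stalls
    # instead of being exposed through the NATed veth path.
    in_ns iptables -P OUTPUT DROP
    in_ns iptables -A OUTPUT -o lo -j ACCEPT
    in_ns iptables -A OUTPUT -o tun0 -j ACCEPT
    in_ns iptables -A OUTPUT -o "$VETH_NS" -d "$NAMESERVER" -p udp --dport 53 -j ACCEPT
    in_ns iptables -A OUTPUT -o "$VETH_NS" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    in_ns ip6tables -P OUTPUT DROP
    # --daemon returns once OpenVPN has forked, so the script continues.
    in_ns openvpn --config "$OVPN_CONF" --daemon --writepid "$PIDFILE"
}

run_app() {  # run_app COMMAND...: run as APP_USER inside the namespace with its own session bus
    in_ns runuser -u "$APP_USER" -- env DISPLAY="${DISPLAY:-}" XAUTHORITY="${XAUTHORITY:-}" \
        dbus-run-session -- "$@"
}

ns_down() {
    if [ -f "$PIDFILE" ]; then run kill "$(cat "$PIDFILE")"; run rm -f "$PIDFILE"; fi
    run iptables -t nat -D POSTROUTING -s "$NS_ADDR" -o "$HOST_IF" -j MASQUERADE
    run ip netns del "$NS"          # also destroys both ends of the veth pair
    run rm -rf "/etc/netns/$NS"
}

case "${1:-}" in
    up)   ns_up ;;
    app)  shift; run_app "$@" ;;
    down) ns_down ;;
esac
```

As root: `./vpnns.sh up`, then `./vpnns.sh app deluge`, then `./vpnns.sh down` once deluge exits. That covers items 1 to 3 of #10 (dbus-run-session gives the GUI a session bus without the "export $(dbus-launch)" step), and item 4 follows because no terminal is launched at all. Before trusting it, run `./vpnns.sh app wget -qO- http://ipecho.net/plain` and compare with the host's address, then kill the OpenVPN process from the pidfile and repeat: the namespace version must now fail rather than print the LAN address. Once the tunnel is up, the provider's pushed default route inside the namespace carries DNS over tun0 as well; the port-53 exception on the veth only matters while the server name is being resolved for the handshake.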

#12 2017-12-15 23:06:02

7thSon
Member
Registered: 2017-05-07
Posts: 186

Re: [SOLVED] OpenVPN route only specific traffic through VPN

Finally solved this by using a Docker container created by binhex found here: https://hub.docker.com/r/binhex/arch-delugevpn/
The container is created to run deluge through an openvpn connection.

The only extra things I had to do were to change the auth file in the container to add the correct username and password (the generated defaults were not useful),
and to change the pull path of the container data to my home folder in order to avoid filling up /.

So marking this as solved now and leaving this post here for anyone's future reference.
