Hey all, first of all, I'd like to say that I've been using Arch for about a month and it's awesome. I started it so that I could get my hands dirty and learn how Linux works, and it's been a great experiment. The documentation is simply amazing.
So, here's the setup. I have a small personal server/HTPC running Arch at home. Because I'm paranoid about anonymity, at least to some extent, I use a VPN service (HideMyAss.com via OpenVPN). I usually connect to a random US server each time, and so my apparent IP address changes every time I reconnect but my home address stays static. Furthermore, it's possible (I'm not positive, though) that the IP address I'm assigned is not unique. This introduces a problem, because I want to be able to make a direct connection to my home server via SSH, FTP, HTTP, whatever... however, trying to connect to my home address causes the returning signal to be re-routed through the VPN address and therefore the signal isn't recognized as being a response from my home IP.
My question is... how do I exclude certain ports (let's say, for simplicity's sake, 20 and 22 for FTP and SSH) from the VPN, while routing everything else through it?
Currently I'm using the NetworkManager daemon and I am NOT using iptables because that's one of those things that I haven't gotten around to reading about and getting comfortable with (hey, cut me some slack, I'm a PhD student and NOT in CS... this is a hobby, not a profession =P). I'm a noob... a noob that is learning fast, but still a noob.
Any help with this would be greatly appreciated. I'll be happy to post any details or config files as soon as I get home and have access to the PC itself!
-gorillas
Last edited by ohshitgorillas (2012-07-13 00:51:47)
The problem you're describing is called Asynchronous Routing, and it's a tricky problem in your case.
You've effectively got 2 internet connections; your normal DSL/Cable/whatever, and your VPN tunnel which as far as routing is concerned is another connection. IOW, "the internet" can be reached either via your DSL router, and via the VPN tunnel. Your default route obviously points down the VPN tunnel at the moment.
To solve it, you need to setup multiple route tables, and use iptables to mark connections so the kernel connection tracking can use the appropriate routing table to route the traffic.
I wrote a script to do similar to this a while ago that might help you. It's designed to mark the connections based on port/source/dest etc but it also sets up the basic rules above to make sure return traffic goes back via the connection it started on. So if you set it up with no rules, you should still get that basic stuff:
https://github.com/fukawi2/pb-route
Failing that, Googling around for how to handle multiple internet connections should help point you in the right direction.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
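The approach described in the post above (a second routing table whose default route is the physical uplink, plus iptables CONNMARK rules so replies to connections that arrived on that uplink leave through it again), written out as an added example. This is not fukawi2's pb-route script and not from the original thread; it assumes the LAN interface is eth0 with gateway 192.168.1.1 on 192.168.1.0/24, that the VPN is tun0 and already owns the default route in the main table, and that the services to expose are FTP control (21) and SSH (22). Run it as root with the argument `apply`, or with DRY_RUN=1 to print the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing so that inbound
# connections arriving on the physical interface are answered via that
# interface, while all other traffic keeps using the VPN default route.
#
# Assumed values, override via environment:
WAN_IF=${WAN_IF:-eth0}            # physical uplink
WAN_GW=${WAN_GW:-192.168.1.1}     # its gateway
WAN_NET=${WAN_NET:-192.168.1.0/24}
PORTS=${PORTS:-21,22}             # FTP control + SSH (active-mode FTP data
                                  # on port 20 also needs nf_conntrack_ftp)
TABLE_ID=100                      # routing table reserved for "via uplink"
MARK=0x1                          # fwmark / connmark meaning "came in on uplink"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Routing table whose default route is the uplink, not the tunnel, and a
# policy rule that sends packets carrying our fwmark to that table.
setup_tables() {
    run ip route replace "$WAN_NET" dev "$WAN_IF" table "$TABLE_ID"
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE_ID"
    run ip rule add fwmark "$MARK" table "$TABLE_ID" priority 100
    # Strict reverse-path filtering would drop inbound packets whose source
    # is reachable only via tun0 in the main table; use loose mode instead.
    run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
}

# 1. Stamp new connections that arrive on the uplink to our service ports
#    with a connection mark (kept by conntrack for the connection's lifetime).
# 2. On locally generated packets belonging to such connections, copy the
#    connection mark back onto the packet. Changing the mark in mangle
#    OUTPUT makes the kernel re-run the routing decision, so the fwmark
#    rule above steers the reply out of eth0 instead of tun0.
setup_marks() {
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp \
        -m multiport --dports "$PORTS" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT \
        -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

# Undo everything above (order is the reverse of setup).
teardown() {
    run iptables -t mangle -D OUTPUT \
        -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    run iptables -t mangle -D PREROUTING -i "$WAN_IF" -p tcp \
        -m multiport --dports "$PORTS" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run ip rule del fwmark "$MARK" table "$TABLE_ID" priority 100
    run ip route flush table "$TABLE_ID"
}

case "${1:-}" in
    apply)    setup_tables; setup_marks ;;
    teardown) teardown ;;
esac
```

Check it with `ip rule show` and `ip route show table 100` after applying, then connect to port 22 from outside while the tunnel is up; `conntrack -L` (or `iptables -t mangle -vL`) should show the marked connection and the counters on the OUTPUT rule climbing as replies go out. Outbound connections from the box are untouched and still follow the main table through tun0.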
Because I f@#$ing hate when people abandon threads, I've decided to come back and post my solution to this problem, now that I have one.
I am installing a virtual machine via virtualbox which will handle my sensitive internet traffic. This machine uses a bridged network (have to deselect from the default of NAT in the Network section in Virtual Box settings!) and has the VPN encrypted network connection to the private service; the host to the VM does not use a VPN and this is the host to the servers that I want to be able to access such as personal VPN, SSH, FTP, etc.
Edit: initial solution was slightly retarded so I changed it to this one.
Last edited by ohshitgorillas (2012-07-13 01:02:06)
Hello,
I have a similar question and wonder whether I should try the same approach.
I have a windows (7, 64bit) machine (not my choice) that connects to a VPN, and I'd like to SSH into that machine from my Linux computer via my local network and then ssh out of it via the VPN.
The reason being, that it's not possible to establish the necessary VPN connection on my Linux computer.
So basically the Windows computer's only purpose is to let me SSH into another network via my Linux computer. The Windows computer has VPN access to this network, the Linux computer doesn't.
I'd be grateful for any advice on whether it's worthwhile trying this with VirtualBox on the Windows computer.