
#1 2018-06-23 23:03:59

bbaserdem
Member
Registered: 2017-07-27
Posts: 43

Trying to setup split tunnel VPN using OpenVPN

Hello. My current use case is:

- My laboratory has an internal network that blocks torrenting.
- I want to split tunnel my openvpn so that I can access the torrent protocol while still being able to access the internal network.
- I'm using systemd-networkd to connect, and want to use nftables as the firewall.
- I set up openvpn fine, but I'm cut off from my internal network when I VPN, which is bad, since I'm connected to a couple of servers that are on the network here.

I haven't found anything regarding how to set this up; the openvpn wiki page has no such thing, and neither does the nftables page contain any info on how I would set up the packages. Could someone point me in the right direction? I know very little about networking, so creating my own configs kind of goes over my head. TBH I would appreciate any source material that helps me understand how networking works (I will build my own home server sometime soon, so it would still be appreciated).


#2 2018-06-24 00:23:53

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: Trying to setup split tunnel VPN using OpenVPN

bbaserdem wrote:

My laboratory has an internal network that blocks torrenting.

So you are asking us to help you circumvent your laboratory's network policy. If you had a legitimate reason for doing this then you could petition the system administrator to change the policy. If not, then you should probably rethink the appropriation of the lab's resources for your own personal gain and ask yourself why they impose such a policy to begin with.

I suspect that you want to torrent at work to benefit from a greater bandwidth than you have at home. In that case, what is the endpoint of the VPN? If it is a home server then that would just be a waste of bandwidth as all the data would pass through your home connection, which would act as a network bottleneck negating the higher bandwidth of the lab. In that case, you could just run the torrent client directly on the home server and access the files via ssh or any other file transfer utility.

If you are using a third-party VPN to torrent, then I suspect that it is to hide illegal activity, and I doubt that it is related to civil political dissidence. In that case, you should probably rethink breaking the law at the lab, especially if you need help configuring your vpn to hide your illegal activity. Even if you manage to set it up correctly, a competent system administrator is going to notice someone using a vpn, especially if you are using more bandwidth.

Just in case you are actually trying to torrent scientific data that will help advance research for the benefit of mankind, the solution lies in routing. You get disconnected from the internal network because the vpn by default tunnels all connections through the vpn. You need to add an entry in the routing table to bypass the VPN for all access to the local network, which you can do via openvpn's configuration iirc. If you want everything except for the torrent connections to pass through the local network then you need to remove the default route through the vpn and either configure netfilter to direct the torrent packets through the vpn or configure your torrent client to bind only to the vpn interface (usually easier, if possible).



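An added example of the routing approach described in the post above (keep the local network reachable, send only the remote VPN subnet through the tunnel). This is illustration written for this page, not configuration from the thread or from the OpenVPN project; the hostname and both subnets are assumed placeholders.

```conf
# OpenVPN client-side split-tunnel fragment (added illustration, not from the thread).
# Assumed placeholders: vpn.example.org is the home endpoint, 10.8.0.0/24 is the
# VPN subnet, and the lab network (reached via the normal default route) stays untouched.
client
dev tun
proto udp
remote vpn.example.org 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server

# Refuse a pushed default route. With "redirect-gateway" the server makes the
# client install 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which are more
# specific than the lab's 0.0.0.0/0 default route and therefore win the
# longest-prefix match: that is why the internal network disappears.
pull-filter ignore "redirect-gateway"

# Only the remote VPN subnet is routed through the tunnel; everything else,
# including the lab's servers, keeps using the existing default route.
route 10.8.0.0 255.255.255.0 vpn_gateway
```

Two caveats: `route-noexec` (mentioned later in the thread) suppresses all automatic routes, including the one for the VPN subnet itself, so with it the `route` line above would also have to be applied by hand or from a `route-up` script; `pull-filter` is the narrower tool. After connecting, `ip route get 10.8.0.5` should show `dev tun0` and `ip route get <lab server address>` should show the lab interface; if the latter shows `tun0`, a default route is still being pulled. For the case where only the torrent traffic should use the tunnel, binding the client to the tunnel interface, as the post suggests, avoids policy routing altogether.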

#3 2018-06-24 01:21:38

thoss
Member
Registered: 2015-02-16
Posts: 33

Re: Trying to setup split tunnel VPN using OpenVPN

You should still be able to access local network resources without split tunneling.


#4 2018-06-24 15:18:01

bbaserdem
Member
Registered: 2017-07-27
Posts: 43

Re: Trying to setup split tunnel VPN using OpenVPN

Xyne wrote:

So you are asking us to help you circumvent your laboratory's network policy. If you had a legitimate reason for doing this then you could petition the system administrator to change the policy. If not, then you should probably rethink the appropriation of the lab's resources for your own personal gain and ask yourself why they impose such a policy to begin with.

I suspect that you want to torrent at work to benefit from a greater bandwidth than you have at home. In that case, what is the endpoint of the VPN? If it is a home server then that would just be a waste of bandwidth as all the data would pass through your home connection, which would act as a network bottleneck negating the higher bandwidth of the lab. In that case, you could just run the torrent client directly on the home server and access the files via ssh or any other file transfer utility.

If you are using a third-party VPN to torrent, then I suspect that it is to hide illegal activity, and I doubt that it is related to civil political dissidence. In that case, you should probably rethink breaking the law at the lab, especially if you need help configuring your vpn to hide your illegal activity. Even if you manage to set it up correctly, a competent system administrator is going to notice someone using a vpn, especially if you are using more bandwidth.

Although I do use it for some illegal activities on my own home network, I would not ever do such a thing on my lab's network. I'm just trying to share data with a couple of labs interested in my research. (I'm familiar with torrenting, that is why I suggested we use the protocol in the first place, and the response was positive.) The sysadmins at the lab are a pain in the neck to deal with; my group still has a war against them cycling the IP addresses of our servers every year, so for political reasons I don't think this route would be fruitful.

Xyne wrote:

Just in case you are actually trying to torrent scientific data that will help advance research for the benefit of mankind, the solution lies in routing. You get disconnected from the internal network because the vpn by default tunnels all connections through the vpn. You need to add an entry in the routing table to bypass the VPN for all access to the local network, which you can do via openvpn's configuration iirc. If you want everything except for the torrent connections to pass through the local network then you need to remove the default route through the vpn and either configure netfilter to direct the torrent packets through the vpn or configure your torrent client to bind only to the vpn interface (usually easier, if possible).

Thank you! I want all network traffic to go to local. I have the line `route-noexec` in my openvpn configuration, but I'm unsure how to configure nftables.conf for the routing of the packets. I do admit it is simpler (but harder) for me to carry the data home on a hard drive and do the sharing on my home computer. All guides detail using iptables, but even then I don't understand much of what the rules mean, so it kind of goes over my head.

thoss wrote:

You should still be able to access local network resources without split tunneling.

I can, but I'm bottlenecked by the speed of my home network (I'm VPNing into there). I can't use the lab speed to do browsing, which becomes a pain.


#5 2018-06-24 15:32:27

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,785

Re: Trying to setup split tunnel VPN using OpenVPN

bbaserdem wrote:

Although I do use it for some illegal activities on my own home network, I would not ever do such a thing on my lab's network. I'm just trying to share data with a couple of labs interested in my research. (I'm familiar with torrenting, that is why I suggested we use the protocol in the first place, and the response was positive.) The sysadmins at the lab are a pain in the neck to deal with; my group still has a war against them cycling the IP addresses of our servers every year, so for political reasons I don't think this route would be fruitful.

The legality of what you think you are trying to do is not relevant. And, you may not be correct.

First and foremost: it is not your network; it is your lab's network. They have a policy in place. It sucks. It is the policy. If you have a valid use case, make a case for an exception. The lab owns the data you are trying to exfiltrate; they may not respond well if they were to discover you had built a shadow network for the purpose of exporting said data. Maybe they have a legal/ethical/moral requirement to track the data and where they go. Maybe they are concerned about the infiltration of other labs' data into your systems, data they do not have a legal right to. They have a legal/moral/ethical requirement to not permit the misuse of such data. And they have the right to know what data are on their network.

This does not even address the security holes you are punching in their firewall. Nor does it address the lab's liability for when your torrent gets hacked and becomes a repository for kiddie porn without your knowledge.

I state this in all sincerity: consider carefully whether you are making a career limiting decision. I have seen people get walked out for much less.


https://arstechnica.com/tech-policy/201 … s-of-data/
https://computerfraud.us/computer-crime … data-theft
https://corporate.findlaw.com/corporate … laims.html
https://www.mishcon.com/news/publicatio … d_07__2016

Last edited by ewaller (2018-06-24 15:50:35)


#6 2018-06-24 16:40:55

bbaserdem
Member
Registered: 2017-07-27
Posts: 43

Re: Trying to setup split tunnel VPN using OpenVPN

ewaller wrote:

bbaserdem wrote:

Although I do use it for some illegal activities on my own home network, I would not ever do such a thing on my lab's network. I'm just trying to share data with a couple of labs interested in my research. (I'm familiar with torrenting, that is why I suggested we use the protocol in the first place, and the response was positive.) The sysadmins at the lab are a pain in the neck to deal with; my group still has a war against them cycling the IP addresses of our servers every year, so for political reasons I don't think this route would be fruitful.

The legality of what you think you are trying to do is not relevant. And, you may not be correct.

First and foremost: it is not your network; it is your lab's network. They have a policy in place. It sucks. It is the policy. If you have a valid use case, make a case for an exception. The lab owns the data you are trying to exfiltrate; they may not respond well if they were to discover you had built a shadow network for the purpose of exporting said data. Maybe they have a legal/ethical/moral requirement to track the data and where they go. Maybe they are concerned about the infiltration of other labs' data into your systems, data they do not have a legal right to. They have a legal/moral/ethical requirement to not permit the misuse of such data. And they have the right to know what data are on their network.

This does not even address the security holes you are punching in their firewall. Nor does it address the lab's liability for when your torrent gets hacked and becomes a repository for kiddie porn without your knowledge.

I state this in all sincerity: consider carefully whether you are making a career limiting decision. I have seen people get walked out for much less.

https://arstechnica.com/tech-policy/201 … s-of-data/
https://computerfraud.us/computer-crime … data-theft
https://corporate.findlaw.com/corporate … laims.html
https://www.mishcon.com/news/publicatio … d_07__2016

Thank you for your reply. The legality of sharing is not in question, so no worries. I am a graduate student; that's my research. I am legally allowed to share my data generated on the lab's resources; I went through a course on that.

I do understand that it is breaching the allowed data usage. And I would be concerned with accidentally causing security risks, since I obviously don't know the full implications of what I'm doing. Thanks for scaring me off a bit. I think I'll go with carrying the data on a hard disk (I know I can do that; I have done it before to share data, and got confirmation for it from my PI) and then sharing it with potential collaborators through some means on my home network. (BitTorrent is obviously my go-to for big files, but I'll check around.)


#7 2018-06-24 17:22:54

progandy
Member
Registered: 2012-05-17
Posts: 5,192

Re: Trying to setup split tunnel VPN using OpenVPN

Since you are only trying to share and not download, how about offering the files on a webserver and then adding them to a torrent as a webseed? As the original source, you have to store and distribute the whole file anyways.

Last edited by progandy (2018-06-24 17:25:38)
