You are not logged in.

#1 2020-09-05 10:32:38

issues
Member
Registered: 2020-09-05
Posts: 9

static routes, variable gateway/network

I'm using openvpn and I'm using default route via the vpn.
However, there are some IP's I'd like to NOT route through the vpn. I solve this by adding static routes, which is ok while I'm at home where the IP of the router is the same every day.
However, when traveling and connecting to other networks, the IP of the router for which I want these static routes to go via is different for most networks. I'll need to lookup the default route before connecting the vpn, and put this into my static route scripts, and then connect the vpn, and run the script. Is there a way to automate this other than make a script parse the output of 'ip route' before connecting?

To make this even more complicated, I'm connecting in several different ways - mostly wifi (where most networks have different names, but some does actually have the same name), ethernet cable in pc, ethernet cable in docking station and usb-tether.

Offline

#2 2020-09-05 11:25:23

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 8,380

Re: static routes, variable gateway/network

You can assign a static route to an interface instead of a next hop ip address.

Check https://www.computernetworkingnotes.com … mples.html

Assuming your vpn uses its own interface you would no longer have to deal with different network names and subnets, just selecting the correct interface.


Multi-init booting with apg Openrc and systemd coexisting
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them

Offline

#3 2020-09-05 12:46:20

issues
Member
Registered: 2020-09-05
Posts: 9

Re: static routes, variable gateway/network

Really. How would that work?

Assumed my eth0 got the address 192.168.21.21/24 from DHCP, gateway 192.168.21.254
Then I connect the vpn, which set default route via 10.0.0.1
Then I run

ip route add 1.2.3.0/24 dev eth0

Now I cannot access 1.2.3.1, simply because there is nothing that tells the system that the route should go via 192.168.21.254. What did I miss?

Offline

#4 2020-09-05 13:19:05

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 8,380

Re: static routes, variable gateway/network

- this will only work IF the vpn uses its own interface (many vpns do that, but some takeover an existing interface completely) .

ip link show before and after the vpn is up should help to verify your vpn uses its own network interface.

- ethernet devices always should know who their neigbors are and what networks those are connected to.
Basically every ethernet device has its own routing table.

run ip route list dev network_interface for every interface shown in ip link to see what routes your network devices know.


Multi-init booting with apg Openrc and systemd coexisting
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them

Offline

#5 2020-09-05 14:30:05

issues
Member
Registered: 2020-09-05
Posts: 9

Re: static routes, variable gateway/network

It's using it's own interface.
I think maybe you missed the my question. I want everything to go through the vpn, with a few exceptions.
The other way around - just a few routes through the vpn - can be done the way you suggest.

Offline

#6 2020-09-05 22:53:54

issues
Member
Registered: 2020-09-05
Posts: 9

Re: static routes, variable gateway/network

It seems to be a possible workaround to create a bridge interface, then run all programs that should route trough vpn in a firejail using the bridge as network interface in the jail, and finally setup some source- or policy based routing for packets coming from the bridge to go trough the vpn.
It seems somewhat complicated thou

Offline

#7 2020-09-08 21:12:57

Koatao
Member
Registered: 2018-08-30
Posts: 24

Re: static routes, variable gateway/network

Hi,

It seems indeed complicated.

Have you looked into OpenVPN client abilities to do split tunneling ?

its config files allows you to set up specific route when you use it:

route a.d.d.r m.a.s.k net_gateway

It is described in the manual of openvpn (seek net_gateway to find the relevant part).

Offline

#8 2020-09-11 17:53:33

issues
Member
Registered: 2020-09-05
Posts: 9

Re: static routes, variable gateway/network

As I understand OpenVpn split tunneling it's a way to set static routes in the openvpn config. It's basically the same as running a script to set static routes after vpn connect. This way will have exactly the same problem as described in initial post of this thread: It's easy to do if you want a few routes over vpn while most routes goes outside the vpn. But it's very complicated if you want a few routes outside the vpn while most routes goes inside the vpn AND you move the PC around to different networks.

I see 3 ways to solve this. None of them are good.
1) Use firejail as described above.
2) Keep default route as provided from DHCP, then set static routes for all subnets not wanted outside the vpn. This requires a crazy amount of active static routes (set via script or vpn config).
3) Set default route via vpn, and static routes via a bunch of possible router addresses. This requires a even larger routing table, but they not that many active routes at any given time.

Example of what those three solutions requires

*1: To run each program in a firejail. I'm not experienced with firejail. It sounds complicated 
to me, but might not be if I just get familiar with it

*2 To route everything through the vpn except for the subnets 20.20.20.0/24 and 
150.150.0.0/16 it requires all of these subnets routed via tun0:
0.0.0.0/4 , 16.0.0.0/6 , 20.0.0.0/12 , 20.16.0.0/14 , 20.21.0.0/16 , 20.22.0.0/15 , 20.24.0.0/13 , 
20.32.0.0/11 , 20.64.0.0/10 , 20.128.0.0/9 , 21.0.0.0/8 , 22.0.0.0/7 , 24.0.0.0/5 , 32.0.0.0/3 , 
64.0.0.0/2 , 128.0.0.0/4 , 144.0.0.0/6 , 148.0.0.0/7 , 150.0.0.0/9 , 150.128.0.0/12 , 
150.144.0.0/14 , 150.148.0.0/15 , 150.151.0.0/16 , 150.152.0.0/13 , 150.160.0.0/11 , 
150.192.0.0/10 , 151.0.0.0/8 , 152.0.0.0/5 , 160.0.0.0/3 , 192.0.0.0/2

*3 To work with all the networks I've visited over the past 2 weeks, these static routes would need to be set:
20.20.20.0/24 via 192.168.0.1
150.150.0.0/16 via 192.168.0.1
20.20.20.0/24 via 192.168.1.1
150.150.0.0/16 via 192.168.1.1
20.20.20.0/24 via 192.168.5.250
150.150.0.0/16 via 192.168.5.250
20.20.20.0/24 via 192.168.8.1
150.150.0.0/16 via 192.168.8.1
20.20.20.0/24 via 192.168.9.1
150.150.0.0/16 via 192.168.9.1
20.20.20.0/24 via 192.168.21.1
150.150.0.0/16 via 192.168.21.1
20.20.20.0/24 via 192.168.30.1
150.150.0.0/16 via 192.168.30.1
20.20.20.0/24 via 192.168.39.1
150.150.0.0/16 via 192.168.39.1
20.20.20.0/24 via 192.168.42.129
150.150.0.0/16 via 192.168.42.129
20.20.20.0/24 via 192.168.127.1
150.150.0.0/16 via 192.168.127.1
20.20.20.0/24 via 192.168.168.1
150.150.0.0/16 via 192.168.168.1
20.20.20.0/24 via 10.0.0.138
150.150.0.0/16 via 10.0.0.138

So, after all, maybe the firejail way is not that bad.

Last edited by issues (2020-09-11 17:57:38)

Offline

#9 2020-09-12 09:13:19

Koatao
Member
Registered: 2018-08-30
Posts: 24

Re: static routes, variable gateway/network

issues wrote:

As I understand OpenVpn split tunneling it's a way to set static routes in the openvpn config. It's basically the same as running a script to set static routes after vpn connect. This way will have exactly the same problem as described in initial post of this thread: It's easy to do if you want a few routes over vpn while most routes goes outside the vpn. But it's very complicated if you want a few routes outside the vpn while most routes goes inside the vpn AND you move the PC around to different networks.

Maybe I'm misunderstanding what you want to do but I don't see why it is more complicated, from an OpenVPN's point of view, it does not matter. Why can't you do something like that:
- Route everything by default through the VPN (OpenVPN creates a default route and two others route with a 1 bit mask to ensure everything is correctly routed through it).
- Route specific subnets through net_gateway (via OpenVPN config file).

net_gateway -- The pre-existing IP default gateway, read from the routing table (not  supported  on all OSes).

The way I see it, it helps you not to care about what is your pre-existing default gateway is, since OpenVPN will handle that part and this was your problem, right ?
It basically achieves the same thing than your third solution. But works with new default gateway IP addresses automatically and does not end up in and endless list of routes.

Offline

#10 2020-09-13 02:43:12

issues
Member
Registered: 2020-09-05
Posts: 9

Re: static routes, variable gateway/network

Ah. I've missed that one! That seems to solve the problem. How is it used? Could it be referred to as $net_gateway variable in the --up script file?

Offline

#11 2020-09-13 09:29:42

issues
Member
Registered: 2020-09-05
Posts: 9

Re: static routes, variable gateway/network

In the up-script I have access to $dev variable - it holds the value of the created tun interface. So using variables in up script works.
But $net_gateway is empty.

I guess the best workaround is to do "ip route |grep default" before starting openvpn. Then have that output parsed in the up script

Offline

#12 2020-09-13 14:02:56

Koatao
Member
Registered: 2018-08-30
Posts: 24

Re: static routes, variable gateway/network

Sorry, I don't know about the «--up» script.

To set route with OpenVPN, you can either:
- add it as argument to your openvpn cmd:

 openvpn --config file.ovpn --route 8.8.8.8 255.255.255 net_gateway

- add it to the config file (.ovpn):

route 8.8.8.8 255.255.255.255 net_gateway
issues wrote:

In the up-script I have access to $dev variable - it holds the value of the created tun interface. So using variables in up script works.
But $net_gateway is empty.

I guess the best workaround is to do "ip route |grep default" before starting openvpn. Then have that output parsed in the up script

Well, as long as you have only have one default route returned, it should work. You can even avoid grep by using something like:

ip route show to default protocol dhcp

But I'm unsure why it is better to rely on a post-up script (which mean you need a post-down) to do the exact same thing that OpenVPN could do. I would write a .ovpn config file if it does not already exists.

Another idea of workaround, If you use systemd-resolved, you can also resolve _gateway as stated in the manual:

The hostname "_gateway" is resolved to all current default routing gateway addresses, ordered by their metric. This assigns a stable hostname to the current gateway, useful for referencing it independently of the current network configuration state.

Last edited by Koatao (2020-09-13 14:04:16)

Offline

Board footer

Powered by FluxBB