For work I need access to specific websites for documentation, SDKs and whatnot. The access is restricted to whitelisted IPs, which include our office. However, with the working-from-home situation I'm often falling back to a remote desktop session into a machine at the office, and browsing the website there.
Given that I'm already connected to my work via VPN (using fortissl) I was wondering if I might be able to tunnel any traffic to this specific website (or perhaps a range of IPs) over the VPN so I can browse them directly from my local browser. I prefer not to tunnel all my traffic over VPN, just the resources on the VPN and this external website.
So far I've read up on the route option of network-manager, and as far as I can tell it seems to be in line with what I want to achieve. Unfortunately I've never been able to make this work. I've been using the GUI in KDE Plasma. The result is the same as when I try to access the URL without VPN: an error message from the webserver with something along the lines of "your IP does not have access to this website".
Would this setup be possible, and if so, can you point me to any documentation/examples on how to set this up?
Thanks!
san
Hello,
What you want to do is called «split tunneling».
What is the VPN client exactly?
I believe you can do it with openfortivpn by setting the correct options (like --no-routes) and setting up needed routes yourself with a script (or by leveraging pppd features) afterward.
I don't know how to do it with NetworkManager, might be possible though.
For what it's worth, I believe corporate computers should fully stay on corporate VPN. Besides reducing the network load, I don't see reasons to do otherwise.
Last edited by Koatao (2021-12-01 19:07:21)
If you use the fortisslvpn plugin for networkmanager you can probably enable "Use this connection only for resources on its network", disable automatic routes generation and add manual routes. (I do not have NM installed here)
You might get problems if the restricted domains resolve to different IPs with your public resolver than the one your company provides. In that case add entries to /etc/hosts with the correct IPs (and add routes for them in your VPN config)
Maybe your VPN endpoint does not allow forwarding of internet traffic, though. (I believe that should result in a connection error if the routes are set up correctly, though. Not an error page about missing authorization)
Last edited by progandy (2021-12-01 20:11:43)
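An added example, not part of any post in this thread, for the approach the two replies above describe: with automatic routes disabled, it turns "hostname address" pairs (as answered by the company resolver) into `/etc/hosts` pins and /32 host routes over the VPN link. The interface name `ppp0`, the function names, and the `example.com` names and documentation-range addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for split-tunnel routes.
# Assumptions: the VPN interface is ppp0; names and addresses are constructed.
VPN_DEV=${VPN_DEV:-ppp0}

# Accept only dotted-quad IPv4, so nothing unexpected reaches ip(8) or /etc/hosts.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# stdin: "hostname address" lines. stdout: one host route per valid address.
route_commands() {
    while read -r host addr; do
        case $host in ''|'#'*) continue ;; esac
        if is_ipv4 "$addr"; then
            printf 'ip route replace %s/32 dev %s\n' "$addr" "$VPN_DEV"
        else
            printf 'skipped %s: "%s" is not an IPv4 address\n' "$host" "$addr" >&2
        fi
    done
}

# stdin: same pairs. stdout: /etc/hosts lines pinning each name to that address.
hosts_entries() {
    while read -r host addr; do
        case $host in ''|'#'*) continue ;; esac
        if is_ipv4 "$addr"; then printf '%s\t%s\n' "$addr" "$host"; fi
    done
}

# Constructed sample input (documentation address ranges, placeholder names).
sample_pairs() {
    printf '%s\n' '# name address' 'docs.example.com 203.0.113.10' \
        'sdk.example.com 198.51.100.7' 'bad.example.com 203.0.113.999'
}

sample_pairs | route_commands   # dry run: prints commands, changes nothing
sample_pairs | hosts_entries
```

The script only prints; the route commands need root and a connected tunnel to apply. Keeping the routes at /32 limits what leaves through the corporate link to the listed hosts.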
@Koatao, thanks for the reply!
> What you want to do is called «split tunneling».
Split tunneling is what I'm using already. Resources on the office network itself, such as build servers and private network shares, flow through VPN, the regular internet traffic does not. This is by intent.
> What is the VPN client exactly?
The VPN client I'm using is `fortisslvpn` (AUR and GitHub).
> I believe you can do it with openfortivpn by setting the correct options (like --no-routes) and setting up needed routes yourself with a script (or by leveraging pppd features) afterward.
> I don't know how to do it with NetworkManager, might be possible though.
I'll look into that no routing as that is what @progandy suggested as well. Thanks.
@progandy, thanks for your help as well!
> You might get problems if the restricted domains resolve to different IPs with your public resolver than the one your company provides. In that case add entries to /etc/hosts with the correct IPs (and add routes for them in your VPN config)
> Maybe your VPN endpoint does not allow forwarding of internet traffic, though. (I believe that should result in a connection error if the routes are set up correctly, though. Not an error page about missing authorization)
I could get connection errors while messing with manual routing. I double-checked with our IT staff whether we actually allow forwarding, and the answer was: not in the current setup. Now I'll work with them to see if this is possible with SSLVPN (we have something in place for IPSEC).
Thank you both for taking the time to reply and for the useful pointers. Much appreciated!
.san
Last edited by san (2021-12-07 20:07:26)