VPN but only want to use for certain traffic

Message

Akaihiryuu · Post by **Akaihiryuu** » Wed Aug 30, 2017 10:39 pm

Basically, in my current apartment, I'm not provided with a public IP address. I'm using a VPN service with OpenVPN to get a public IP. However, I only want traffic to/from ports 8022, 8888, 8080, and 8443 on that machine to be routed through the VPN, and I want everything else to use my regular connection. Is there an easy way to do this?

1clue · Post by **1clue** » Wed Aug 30, 2017 10:51 pm

You have two different kinds of http traffic.

You have traffic related to your web server and the static IP, and then you have all the browser traffic from your home. Your VPN endpoint will be accepting http traffic and forwarding it to you, probably on a non-routable ip address, or ipv6 maybe.

Full disclosure: I've never used the sort of service you're talking about. I've configured OpenVPN so my coworkers and I can get into the office, but you're doing something different.

In the former instance the requests are inbound and all going to your public IP, which is going to be translated into some sort of a 10.x.y.z probably. So you set up routes for that and pretty much everything else is taken care of. Make sure your web server box routes all vpn response traffic back through the vpn rather than direct.

Akaihiryuu · Post by **Akaihiryuu** » Wed Aug 30, 2017 11:11 pm

1clue wrote:You have two different kinds of http traffic.

You have traffic related to your web server and the static IP, and then you have all the browser traffic from your home. Your VPN endpoint will be accepting http traffic and forwarding it to you, probably on a non-routable ip address, or ipv6 maybe.

Full disclosure: I've never used the sort of service you're talking about. I've configured OpenVPN so my coworkers and I can get into the office, but you're doing something different.

In the former instance the requests are inbound and all going to your public IP, which is going to be translated into some sort of a 10.x.y.z probably. So you set up routes for that and pretty much everything else is taken care of. Make sure your web server box routes all vpn response traffic back through the vpn rather than direct.

Yeah that's more or less what I want to do. All incoming traffic on those ports is going to come through tun0. Obviously response traffic back out also needs to go over tun0. But I want all other traffic originating on the machine or routing through it to go out through eth1...what do I need to do to do this?

chiefbag · Post by **chiefbag** » Thu Sep 07, 2017 7:56 am

. I'm using a VPN service with OpenVPN to get a public IP.

The first question you need to ask is does this service allow inbound connections to their public ip and route it through your VPN connection?
I doubt if they do myself as this would require them to provide a public ip for each client they have, what is the name of the service/provider that you are using?
Most services of this nature only provide you with outbound traffic option.

1clue · Post by **1clue** » Thu Sep 07, 2017 1:39 pm

chiefbag wrote:
. I'm using a VPN service with OpenVPN to get a public IP.
The first question you need to ask is does this service allow inbound connections to their public ip and route it through your VPN connection?
I doubt if they do myself as this would require them to provide a public ip for each client they have, what is the name of the service/provider that you are using?
Most services of this nature only provide you with outbound traffic option.

While I'm definitely NOT a VPN expert, this doesn't make sense.

Web servers are really good at ganging up. Most publicly hosted web servers have lots of domain names all using the same IP address and the same port. The web server is really fast at switching the connection off to some private port.

The way I understand it, the VPN will add significant latency which will make the site seem more sluggish than if it were hosted on a public port right at the site, but it should without lots of ip addresses.

chiefbag · Post by **chiefbag** » Thu Sep 07, 2017 1:49 pm

While I'm definitely NOT a VPN expert, this doesn't make sense.

The way I understand it, the VPN will add significant latency which will make the site seem more sluggish than if it were hosted on a public port right at the site,

The second statement is true, however there may well be valid reasons why the person would want to make a home based server accessible via public ip address, for example they may want to access Internet of Things gadgets etc, ie turn the heating or kettle on.

1clue · Post by **1clue** » Thu Sep 07, 2017 2:26 pm

One possible solution would be to switch from tun to tap. At that point all traffic from the VPN hits your network, and you're responsible at your local vpn endpoint to handle firewall rules.

chiefbag · Post by **chiefbag** » Thu Sep 07, 2017 2:29 pm

EDIT

One possible solution would be to switch from tun to tap. At that point all traffic from the VPN hits your network

That's still based on the assumption that the service the user is using actually routes traffic inbound from the ascribed public ip address.

chiefbag · Post by **chiefbag** » Thu Sep 07, 2017 2:53 pm

Assuming the following case then try the below rule:
1: Your traffic is flowing inbound from the VPN service public ip to tun0 for port 8080
1: webserver is running on 10.10.10.10

Code: Select all

iptables -t nat -I PREROUTING -i tun0 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination 10.10.10.10

1clue · Post by **1clue** » Thu Sep 07, 2017 5:57 pm

I guess this is a little late, but most ISPs allow you to buy a public IP address to facilitate people accessing their home systems from work.

Or you could use dynamic dns?

chiefbag · Post by **chiefbag** » Thu Sep 07, 2017 6:44 pm

I guess this is a little late, but most ISPs allow you to buy a public IP address to facilitate people accessing their home systems from work.

Or you could use dynamic dns?

Some don't even give you a public ip address unless you are a business customer therefor dyndns etc. won't work

I'm in the same situation with my current internet provider, my workaround is that I have an external sever and an IPSec VPN from my home gateway server to the external server, the gateway is configured as a road warrior client.
I can then access from the external server to home.

Let's see if @Akaihiryuu will give us any further info/update?

curmudgeon · Post by **curmudgeon** » Mon Sep 11, 2017 11:38 am

chiefbag wrote:The first question you need to ask is does this service allow inbound connections to their public ip and route it through your VPN connection?
I doubt if they do myself as this would require them to provide a public ip for each client they have, what is the name of the service/provider that you are using?
Most services of this nature only provide you with outbound traffic option.

Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections?

chiefbag · Post by **chiefbag** » Mon Sep 11, 2017 12:14 pm

Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections?

So you reckon every VPN provider ascribes an individual public ip to each client?

1clue · Post by **1clue** » Mon Sep 11, 2017 4:06 pm

chiefbag wrote:
Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections?
So you reckon every VPN provider ascribes an individual public ip to each client?

I'd be willing to bet that they have multiple clients per ip address. When you login to a corporate VPN it's one IP address and they have potentially thousands of clients. Think IBM.

This configuration is a bit different but I seriously doubt the VPN service has a separate ipv4 address per client. They might have ipv6 configured that way but this whole problem comes from the fact that ipv4 addresses are hard to come by now.

chiefbag · Post by **chiefbag** » Tue Sep 12, 2017 7:12 am

This configuration is a bit different but I seriously doubt the VPN service has a separate ipv4 address per client.

I totally agree.