Gentoo Forums
Multiple default gateway for WAN and VPN
akabane
n00b


Joined: 26 Mar 2011
Posts: 8

PostPosted: Sat Mar 26, 2011 11:05 pm    Post subject: Multiple default gateway for WAN and VPN

Hello,

I would like to use a VPN to tunnel all traffic that is going to my apache server.
I already set up the openvpn client and server and it's working great, but I can not figure out how to tell apache to use the VPN gateway and all the other traffic to use my WAN gateway.
For the moment, when I use the VPN all my traffic is going through it; I would like to tunnel only the apache server traffic.

Is it possible under gentoo to do that? And how?

I read that some people achieved this with setfib under freebsd (http://forums.freebsd.org/archive/index.php/t-3149.html); is there any equivalent to this tool under gentoo?
Or can I achieve that with iptables and/or ip route?

Thanks in advance for your answers!
Yuu
Apprentice


Joined: 23 Dec 2008
Posts: 223
Location: France

PostPosted: Sat Mar 26, 2011 11:41 pm

Hi and welcome akabane,

Well, everything is possible with Gentoo :D !

So, if I understand this well, I think you should not set the default route to your VPN's gateway, but to your standard LAN gateway. With this kind of setup, only your WAN connection will be used, because you don't want all applications to use your VPN interface. So, don't use the default in your route add default via $VPN_GATEWAY dev tun0.

Then, you should tell apache to listen only on the VPN interface, with something like Listen 10.1.2.3.80 where 10.1.2.3 is your IP inside the VPN (see ifconfig <VPN interface name>).

And as I'm not really an expert on network related topics, I'll let the professionals reply about the technical details.

Nevertheless, good luck ;)
_________________
Main laptop : T8300 cpu | 200 GB hard drive | 2 GB of ram | 8600M GT | Gentoo x86_64
Server : Celeron 220 cpu | 250 GB hard drive | 2 GB of ram | SiS 662 VGA | Gentoo x86_64
akabane
n00b


Joined: 26 Mar 2011
Posts: 8

PostPosted: Sun Mar 27, 2011 9:09 am

Yuu wrote:
Hi and welcome akabane,

Well, everything is possible with Gentoo :D !

So, if I understand this well, I think you should not set the default route to your VPN's gateway, but to your standard LAN gateway. With this kind of setup, only your WAN connection will be used, because you don't want all applications to use your VPN interface. So, don't use the default in your route add default via $VPN_GATEWAY dev tun0.

Then, you should tell apache to listen only on the VPN interface, with something like Listen 10.1.2.3.80 where 10.1.2.3 is your IP inside the VPN (see ifconfig <VPN interface name>).

And as I'm not really an expert on network related topics, I'll let the professionals reply about the technical details.

Nevertheless, good luck ;)


First of all, thanks for your answer.

I confirm you clearly understood my problem. I already tried what you suggested, but with no luck:
- I made apache listen only on my tun0 interface.
- I let my default route to the WAN gateway address.

But when a client connects to the apache server, it answers by using the interface tied to the default route and not my tun0 interface.
I think I should define 1 default route for my WAN and 1 default route for my VPN, but I can not manage to do it: the first default route found in the routing table is always taken (which is, from my point of view, logical).

Under freebsd you can use 2 routing tables (one for WAN and one for VPN) and tell your program which table to use with the setfib tool.
Maybe a workaround is to make the routing decision depend on the port used? But I do not know if it is possible... I'm currently investigating the iproute2 tool for that.

I really need that setup and I do not want to be forced to switch to freebsd only for that.
I hope one gentoo network expert will be able to help me :)


Last edited by akabane on Sun Mar 27, 2011 9:12 am; edited 1 time in total
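The two-routing-table idea akabane describes above maps onto iproute2 policy routing on Linux: a second table holding only the VPN default route, plus a rule that sends packets sourced from the tun0 address to that table, so a daemon bound to that address (Apache with Listen 10.1.2.3:80) replies through the tunnel while the main table keeps the WAN default. The script below is an added example, not from the thread; the gateway 10.1.2.1, table id 100 and the sample `ip rule show` output are assumed/constructed (10.1.2.3 is the tun0 address used in the thread).

```shell
#!/bin/sh
# Added example: source-based policy routing so traffic from the tun0
# address leaves via the VPN gateway while the main table's WAN default
# route still serves everything else. Runs without privileges: it only
# prints the commands and checks a constructed "ip rule show" listing.

# Print the iproute2 commands for one policy-routing setup.
# $1 = address on tun0, $2 = VPN gateway (assumed), $3 = numeric table id (assumed)
vpn_policy_cmds() {
  vpn_ip=$1; vpn_gw=$2; table=$3
  # A table whose only default route points into the tunnel; a numeric id
  # avoids having to edit /etc/iproute2/rt_tables.
  echo "ip route add default via $vpn_gw dev tun0 table $table"
  # Replies from a socket bound to the tun0 address carry that source
  # address, so this rule makes them consult the VPN table instead of main.
  echo "ip rule add from $vpn_ip/32 lookup $table"
  # Drop cached routing decisions (needed on kernels of that era).
  echo "ip route flush cache"
  # Verification: the kernel should pick tun0 for a reply from the tun0 address.
  echo "ip route get 192.0.2.10 from $vpn_ip iif tun0"
}

# Return 0 if an "ip rule show" listing ($1) contains a rule that sends
# packets from address $2 to table $3, else 1.
has_rule() {
  printf '%s\n' "$1" | grep -q "from $2 lookup $3"
}

# Constructed sample of what "ip rule show" prints after applying the rule
# (single-host rules are shown without the /32).
SAMPLE_RULES='0:	from all lookup local
32765:	from 10.1.2.3 lookup 100
32766:	from all lookup main
32767:	from all lookup default'

vpn_policy_cmds 10.1.2.3 10.1.2.1 100
if has_rule "$SAMPLE_RULES" 10.1.2.3 100; then
  echo "# rule for 10.1.2.3 -> table 100 present"
fi
```

If replies are still dropped after applying this, check rp_filter on tun0 (`sysctl net.ipv4.conf.tun0.rp_filter`); strict mode rejects packets whose reverse path does not match the incoming interface.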
Hu
Moderator


Joined: 06 Mar 2007
Posts: 16043

PostPosted: Sun Mar 27, 2011 4:55 pm

Where is the client which initiates the connection to the Apache? Is it on the far end of the VPN? If yes, then the problem is likely that the VPN has not installed routes for all the addresses it exposes to you. For instance, it may have connected you to a 10.0.0.0/8 network, but only installed a /24 route. Could you show the output of ip r; ip a as seen from the server? You can obscure your WAN IP if you want.