Re: NM and IETF MIF working group



On 28.09.2015 13:11, Xen wrote:
Just want to say that I have been trying (in OpenSUSE) to get a rather simple scenario working, but failed, probably due to kernel mechanics:

- main connection receives all traffic destined for port 80, 443.
- VPN receives all else.

I just consider it a more special case of directing VPN traffic to only the VPN network (no forwarding/routing at the end node).

It required a few simple steps:
- tag (SYN) packets for 80,443 with a mark
- use the fwmark as an iproute rule
- the rule sends the traffic to a different routing table

Unfortunately, although the routing seems to work, the traffic gets returned but is apparently not passed on by the kernel due to some blocking or safety measure. I could not get around it, though I tried everything I could find on the web.

A fourth step that may be required is:
- SNAT the outgoing packets so that their source address matches the interface they are now sent out on (i.e. its IP address), so that the reverse route coincides with the outgoing route the kernel/routing system has chosen for the outgoing packets.

I thought it was going to be a simple thing to set up, and though I easily spent 4-5 hours on it, I could not get it to work.

Perhaps if this seems an interesting or important use case, someone who is more knowledgeable than me could look into it? It rather seems that it would look really bad on Linux if this common use case is a near impossibility due to kernel mechanics or security measures, or whatever else is causing it. Not sure how else to phrase it. I mean that it would not be a selling point, that sort of stuff.

You could even integrate it into NM if it did work. "Route only selected ports over this VPN" or "Route everything except selected ports over this VPN". Would really be awesome.

Just wanted to say that.

What kind of VPN do you use? OpenVPN, IPsec?

In case it is OpenVPN or some similar VPN that creates a new virtual interface, the easiest solution would be:

1. Create new network namespace
2. Move VPN interface into this namespace and "fix" routing
3. Start applications (e.g. firefox, terminal) that should access VPN in the given namespace.

SG
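Below is an added example, not code from either poster, that writes out both approaches discussed in this thread as a small shell script: the fwmark/ip-rule/SNAT setup from the quoted message (with the two pieces that commonly make such a setup "return but not pass on" traffic: the strict reverse-path filter dropping unmarked replies, and only the SYN being marked so the rest of the flow falls back to the VPN route), and the network-namespace alternative from the reply. Interface names (eth0, tun0), the gateway 192.0.2.1, table 100, mark 0x1 and the tunnel addresses 10.8.0.2/24 and 10.8.0.1 are assumptions for illustration; override them through the environment. It needs root to apply anything; DRY_RUN=1 prints the commands instead.

```shell
#!/bin/sh
# Added example (not from the original thread): "everything via the VPN except
# TCP 80/443" with policy routing, plus the namespace alternative from the reply.
# Assumed names: eth0 = physical uplink, 192.0.2.1 = its gateway, tun0 = VPN tunnel,
# 10.8.0.2/24 and 10.8.0.1 = tunnel address and peer. DRY_RUN=1 prints only.

WAN_IF=${WAN_IF:-eth0}
WAN_GW=${WAN_GW:-192.0.2.1}
VPN_IF=${VPN_IF:-tun0}
VPN_ADDR=${VPN_ADDR:-10.8.0.2/24}
VPN_GW=${VPN_GW:-10.8.0.1}
TABLE=100   # routing table used for the bypass (web) traffic
MARK=0x1    # fwmark that selects that table

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Variant 1: fwmark -> ip rule -> separate table -> SNAT, as in the quoted steps.
setup_split_routing() {
    # Bypass table with a default route via the uplink. The source address of a
    # locally originated packet is chosen from the main table (tun0's address)
    # before the mark is applied in mangle/OUTPUT, hence the SNAT below.
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000

    # Replies carry no mark, so strict rp_filter (1) looks their source up in the
    # main table, expects them on tun0 and drops them when they arrive on eth0.
    # Loose mode (2) only requires the source to be reachable via some interface.
    run sysctl -q -w net.ipv4.conf.all.rp_filter=2
    run sysctl -q -w "net.ipv4.conf.$WAN_IF.rp_filter=2"

    # Marking only the SYN leaves later packets of the flow unmarked, so they
    # would follow the VPN default route. Keep the mark in conntrack and restore
    # it on every packet of the connection.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

    # Rewrite the source to eth0's address so the return path matches the
    # outgoing path (the "fourth step" from the quoted message).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -m mark --mark "$MARK" -j MASQUERADE
}

# Variant 2: move the tunnel into its own namespace; only processes started in
# that namespace can use the VPN. The VPN daemon keeps its tun fd, so the
# tunnel keeps working after the move, but the move clears the interface's
# address and routes, which is the "fix routing" step from the reply.
setup_vpn_netns() {
    ns=${1:-vpn}
    run ip netns add "$ns"
    run ip link set "$VPN_IF" netns "$ns"
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip addr add "$VPN_ADDR" dev "$VPN_IF"
    run ip netns exec "$ns" ip link set "$VPN_IF" up
    run ip netns exec "$ns" ip route add default via "$VPN_GW" dev "$VPN_IF"
    # Programs that should use the VPN are then started inside it, e.g.
    #   ip netns exec vpn sudo -u "$SUDO_USER" firefox
    # DNS for the namespace is read from /etc/netns/<ns>/resolv.conf if present.
}

case "${1:-}" in
    split) setup_split_routing ;;
    netns) setup_vpn_netns "${2:-vpn}" ;;
    *) echo "usage: $0 split | netns [name]   (DRY_RUN=1 to print only)" >&2 ;;
esac
```

Run `DRY_RUN=1 sh split.sh split` first to review the exact commands for your interface names before applying them as root. The bypass table is deliberately limited to a default route; if the uplink has directly connected networks you need from the browser, add them to table 100 as well, otherwise those destinations are still resolved via the main table.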



