This is probably going to end up being a dumb question, but I am out of ideas:
The situation is that I want to connect to multiple OpenVPN servers and then be able to open sockets going through any of the VPN connections by bind()-ing on the TUN-device's local IP address.
The thing is I can't let OpenVPN add routes, because the server is PUSHing a request to set up a default route - I don't want normal traffic to go through any of the VPNs/TUN devices.
So let's say OpenVPN sets up a TUN POINTOPOINT device with the local IP of 10.10.11.6 and a remote IP of 10.10.11.5. Aside from the default route, the following routes would be added:
the default route(s) would have been going out over 10.10.11.5, too:
Now my understanding is that I would not need any of the routes if I were to bind() my socket to the TUN device's local IP (.6).
As a test case I have a "netcat -v -v -l -p 12345" running on a remote server and try to connect to it with "telnet -b 10.10.11.6 <server> 12345".
The first case is the above two routes plus the default route(s) and everything works, the server receives the connection from the VPN's endpoint. But I wouldn't need the bind() for that due to the default routes.
Now the second case, the one I want, is just the first two routes without the default route. Nothing arrives at the server, and checking with Wireshark tells me that the packets are not going through the TUN device but instead get sent directly through the default Ethernet device, with a source IP of 10.10.11.6. Obviously that won't work because 10.10.11.6 is not a public IP.
It's as if the bind() is completely ignored and I have no idea anymore how to accomplish this without the default routes (in which case I can't have multiple VPN connections). This is my understanding of things:
- the routing table is only used for outgoing packets
- OpenVPN handles the "wire-side" of the TUN device, rewriting and packaging packets in the SSL VPN stream and then sending them off over the public ethernet device, and also receiving responses and unpackaging them and then writing them into the TUN device
- bind()-ing a socket to an IP should make the packets go through the associated network device (in this case the TUN device) if it is successful.
I hope these are all the necessary details. I must be misunderstanding some things about the effect of the routing rules; hopefully someone can figure out where my path of thought goes wrong and enlighten me, or if there is some other way to accomplish what I want.
Posted: Oct 12, 2011 13:15
Ninja Rope posted:
On FreeBSD I'd use pf to set next-hop and reply-to based on source IP. On Linux I'd do the same thing with iptables marking packets and ip rule matching them and assigning them a different routing table with a different default gateway set.
Thank you so much! Source-based routing was the keyword, and using a different routing table works perfectly! This was driving me crazy, thanks again!
Posted: Oct 12, 2011 20:15
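The source-based routing the thread settles on, as an added example (not code from either poster): a per-tunnel routing table holding only a default route via the TUN peer, plus an ip rule that sends packets sourced from the TUN local address to that table, so the main table keeps its normal default route. It assumes Linux with iproute2, that OpenVPN was started without installing the pushed routes (e.g. with its route-nopull option), and uses the thread's tun0 addresses; the tun1 addresses, the table numbers and the 203.0.113.10 server address are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing so a socket
# bind()-ed to a TUN device's local address leaves through that tunnel while the
# main table keeps its normal default route. Assumes Linux with iproute2; device
# and addresses are the thread's example, table numbers are arbitrary choices.
set -eu

# Emit the iproute2 commands for one tunnel: dev local_ip peer_ip table_id.
# Printing rather than executing lets you review them, then pipe to "sh" as root.
vpn_policy_route_cmds() {
    dev=$1; local_ip=$2; peer_ip=$3; table=$4
    # Per-tunnel table: the peer is on-link, everything else is sent via it.
    printf 'ip route replace %s/32 dev %s table %s\n' "$peer_ip" "$dev" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$peer_ip" "$dev" "$table"
    # Policy rule: packets whose source is the TUN local address use that table.
    # Priority 1000+table sorts ahead of the "from all lookup main" rule (32766).
    printf 'ip rule add from %s/32 lookup %s priority %s\n' "$local_ip" "$table" "$((1000 + table))"
    printf 'ip route flush cache\n'
}

# Undo for one tunnel: drop the rule and empty its table.
vpn_policy_route_undo_cmds() {
    local_ip=$1; table=$2
    printf 'ip rule del from %s/32 lookup %s\n' "$local_ip" "$table"
    printf 'ip route flush table %s\n' "$table"
    printf 'ip route flush cache\n'
}

# Verification: ask the kernel which route it picks for a destination when the
# source is the TUN address; the answer should name the tunnel device.
vpn_policy_route_check_cmd() {
    printf 'ip route get %s from %s\n' "$1" "$2"
}

# Several tunnels at once, one "dev local_ip peer_ip table_id" line each, which
# is what running multiple OpenVPN instances side by side needs.
vpn_policy_route_all() {
    while read -r dev local_ip peer_ip table; do
        if [ -n "$dev" ]; then
            vpn_policy_route_cmds "$dev" "$local_ip" "$peer_ip" "$table"
        fi
    done
}

# Dry run: the thread's tun0 plus a hypothetical second tunnel on tun1.
vpn_policy_route_all <<'EOF'
tun0 10.10.11.6 10.10.11.5 100
tun1 10.10.12.6 10.10.12.5 101
EOF
vpn_policy_route_check_cmd 203.0.113.10 10.10.11.6
```

After applying the commands, `telnet -b 10.10.11.6 <server> 12345` from the original post should show up in Wireshark on tun0 rather than on the Ethernet device.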