Incoming/Outgoing seperation for VPN

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
7
down vote

favorite
6












My situation is that I want all my outgoing connections from my Debian server to pass through a commercial VPN service I've subscribed to, but I still want to run public-accessible services on this server, and not have them pass through the VPN.



That is, I have BIND9 (authoritative), SMTP, Apache, SSH etc running on this server, and I want incoming connections to be able to reach these services without using the VPN.



To clarify, I only want to use the VPN to hide my outgoing connections, but still be able to answer requests on my real IP for anything that has come in that way.



To make matters even more complicated—I use BIND as both an authoritative server for my domain (on the public internet), and I also have recursion turned on so I can use it as the resolver for my local network (private ip range). Is it possible to VPN the outgoing DNS connections from BIND but still allow incoming requests to reach the authoritative bit?



I gather this has something to do with iproute2, but I can't figure out the correct config.



I'm on Debian 6.0.7. The VPN is OpenVPN.










share|improve this question



























    up vote
    7
    down vote

    favorite
    6












    My situation is that I want all my outgoing connections from my Debian server to pass through a commercial VPN service I've subscribed to, but I still want to run public-accessible services on this server, and not have them pass through the VPN.



    That is, I have BIND9 (authoritative), SMTP, Apache, SSH etc running on this server, and I want incoming connections to be able to reach these services without using the VPN.



    To clarify, I only want to use the VPN to hide my outgoing connections, but still be able to answer requests on my real IP for anything that has come in that way.



    To make matters even more complicated—I use BIND as both an authoritative server for my domain (on the public internet), and I also have recursion turned on so I can use it as the resolver for my local network (private ip range). Is it possible to VPN the outgoing DNS connections from BIND but still allow incoming requests to reach the authoritative bit?



    I gather this has something to do with iproute2, but I can't figure out the correct config.



    I'm on Debian 6.0.7. The VPN is OpenVPN.










    share|improve this question

























      up vote
      7
      down vote

      favorite
      6









      up vote
      7
      down vote

      favorite
      6






      6





      My situation is that I want all my outgoing connections from my Debian server to pass through a commercial VPN service I've subscribed to, but I still want to run public-accessible services on this server, and not have them pass through the VPN.



      That is, I have BIND9 (authoritative), SMTP, Apache, SSH etc running on this server, and I want incoming connections to be able to reach these services without using the VPN.



      To clarify, I only want to use the VPN to hide my outgoing connections, but still be able to answer requests on my real IP for anything that has come in that way.



      To make matters even more complicated—I use BIND as both an authoritative server for my domain (on the public internet), and I also have recursion turned on so I can use it as the resolver for my local network (private ip range). Is it possible to VPN the outgoing DNS connections from BIND but still allow incoming requests to reach the authoritative bit?



      I gather this has something to do with iproute2, but I can't figure out the correct config.



      I'm on Debian 6.0.7. The VPN is OpenVPN.










      share|improve this question















      My situation is that I want all my outgoing connections from my Debian server to pass through a commercial VPN service I've subscribed to, but I still want to run public-accessible services on this server, and not have them pass through the VPN.



      That is, I have BIND9 (authoritative), SMTP, Apache, SSH etc running on this server, and I want incoming connections to be able to reach these services without using the VPN.



      To clarify, I only want to use the VPN to hide my outgoing connections, but still be able to answer requests on my real IP for anything that has come in that way.



      To make matters even more complicated—I use BIND as both an authoritative server for my domain (on the public internet), and I also have recursion turned on so I can use it as the resolver for my local network (private ip range). Is it possible to VPN the outgoing DNS connections from BIND but still allow incoming requests to reach the authoritative bit?



      I gather this has something to do with iproute2, but I can't figure out the correct config.



      I'm on Debian 6.0.7. The VPN is OpenVPN.







      debian networking dns vpn






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 28 '13 at 17:11









      Kazark

      5902829




      5902829










      asked Feb 28 '13 at 16:28









      lloydsmart

      383




      383




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          5
          down vote



          accepted










          You should use policy routing to implement this. The rules won't be too complicated.



          Your (main) default route should point toward the VPN interface. You'll probably use OpenVPN's --redirect-gateway def1 option to have this managed automatically for you when the VPN comes up. It makes OpenVPN override the system default route with a couple of /1 routes that have the same effect and makes sure OpenVPN itself can still reach its remote peer in the normal way without the obvious routing loop.



          This default route will make locally originated traffic go out through the VPN and it will also make replies to traffic that came in through the VPN go out the VPN.



          Now you want to override this with a policy rule for packets that are associated with connections that came in on the non-VPN interface. You want to make those packets go back out through the non-VPN interface.



          The following should accomplish this by (1) matching packets that have the non-VPN public IP address as a source address and asking those to be routed via a different routing table, (2) in that routing table, sending everything to your original (non-VPN) default route.



          ip route add table 42 default via X.Y.Z.W
          ip rule add from A.B.C.D/32 table 42


          A.B.C.D should be your public (non-VPN) IP address, and X.Y.Z.W should be your original system default route (through your ISP, not through your VPN).



          The similar config for IPv6 traffic is left as an exercise for you :-)






          share|improve this answer




















          • Nice! This did the trick. Thanks for your help!
            – lloydsmart
            Feb 28 '13 at 17:58










          • Follow-up question: Is there any way to configure my SMTP server (Postfix in this case) to use the non-VPN route? I mean for both incoming and outgoing. Perhaps a way to make all port-25 traffic go non-VPN? Thanks!
            – lloydsmart
            Feb 28 '13 at 18:03










          • I think it might do that already if you simply make Postfix bind to the non-VPN address instead of to the wildcard (default) address. That is, try changing smtp inet in /etc/postfix/master.cf to A.B.C.D:smtp inet.
            – Celada
            Feb 28 '13 at 18:20










          • Thanks - that was the basic idea, but as it turns out the actual configuration for getting Postfix to bind to the correct address is in main.cf, using the option "smtp_bind_address = A.B.C.D". Props to this page for the answer: faqforge.com/tag/smtp_bind_address
            – lloydsmart
            Feb 28 '13 at 19:45











          • I tried these instructions on a machine that is behind a router on a LAN. For A.B.C.D, I used the machine's LAN IP (not the external IP) and for X.Y.Z.W, I used the router's address. This worked for external connections. I could now ssh to my machine from the outside world, and connections originating from my machine would go through the VPN. However, I am now unable to connect from another computer on my network to the machine via ssh (but I can if going through the external internet). How do the instructions need to be modified to work on a machine behind a network router?
            – Daniel S.
            Mar 22 '14 at 20:43


















          up vote
          0
          down vote














          A.B.C.D should be your public (non-VPN) IP




          Is this the wan ip ? could i use an dynamic address for the wan ip that i have an none changing one ?



          My constellation is simple its an raspberry connected over lan to an inet-router



          best regards





          share








          New contributor




          johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.

















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f66426%2fincoming-outgoing-seperation-for-vpn%23new-answer', 'question_page');

            );

            Post as a guest






























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            5
            down vote



            accepted










            You should use policy routing to implement this. The rules won't be too complicated.



            Your (main) default route should point toward the VPN interface. You'll probably use OpenVPN's --redirect-gateway def1 option to have this managed automatically for you when the VPN comes up. It makes OpenVPN override the system default route with a couple of /1 routes that have the same effect and makes sure OpenVPN itself can still reach its remote peer in the normal way without the obvious routing loop.



            This default route will make locally originated traffic go out through the VPN and it will also make replies to traffic that came in through the VPN go out the VPN.



            Now you want to override this with a policy rule for packets that are associated with connections that came in on the non-VPN interface. You want to make those packets go back out through the non-VPN interface.



            The following should accomplish this by (1) matching packets that have the non-VPN public IP address as a source address and asking those to be routed via a different routing table, (2) in that routing table, sending everything to your original (non-VPN) default route.



            ip route add table 42 default via X.Y.Z.W
            ip rule add from A.B.C.D/32 table 42


            A.B.C.D should be your public (non-VPN) IP address, and X.Y.Z.W should be your original system default route (through your ISP, not through your VPN).



            The similar config for IPv6 traffic is left as an exercise for you :-)






            share|improve this answer




















            • Nice! This did the trick. Thanks for your help!
              – lloydsmart
              Feb 28 '13 at 17:58










            • Follow-up question: Is there any way to configure my SMTP server (Postfix in this case) to use the non-VPN route? I mean for both incoming and outgoing. Perhaps a way to make all port-25 traffic go non-VPN? Thanks!
              – lloydsmart
              Feb 28 '13 at 18:03










            • I think it might do that already if you simply make Postfix bind to the non-VPN address instead of to the wildcard (default) address. That is, try changing smtp inet in /etc/postfix/master.cf to A.B.C.D:smtp inet.
              – Celada
              Feb 28 '13 at 18:20










            • Thanks - that was the basic idea, but as it turns out the actual configuration for getting Postfix to bind to the correct address is in main.cf, using the option "smtp_bind_address = A.B.C.D". Props to this page for the answer: faqforge.com/tag/smtp_bind_address
              – lloydsmart
              Feb 28 '13 at 19:45











            • I tried these instructions on a machine that is behind a router on a LAN. For A.B.C.D, I used the machine's LAN IP (not the external IP) and for X.Y.Z.W, I used the router's address. This worked for external connections. I could now ssh to my machine from the outside world, and connections originating from my machine would go through the VPN. However, I am now unable to connect from another computer on my network to the machine via ssh (but I can if going through the external internet). How do the instructions need to be modified to work on a machine behind a network router?
              – Daniel S.
              Mar 22 '14 at 20:43















            up vote
            5
            down vote



            accepted










            You should use policy routing to implement this. The rules won't be too complicated.



            Your (main) default route should point toward the VPN interface. You'll probably use OpenVPN's --redirect-gateway def1 option to have this managed automatically for you when the VPN comes up. It makes OpenVPN override the system default route with a couple of /1 routes that have the same effect and makes sure OpenVPN itself can still reach its remote peer in the normal way without the obvious routing loop.



            This default route will make locally originated traffic go out through the VPN and it will also make replies to traffic that came in through the VPN go out the VPN.



            Now you want to override this with a policy rule for packets that are associated with connections that came in on the non-VPN interface. You want to make those packets go back out through the non-VPN interface.



            The following should accomplish this by (1) matching packets that have the non-VPN public IP address as a source address and asking those to be routed via a different routing table, (2) in that routing table, sending everything to your original (non-VPN) default route.



            ip route add table 42 default via X.Y.Z.W
            ip rule add from A.B.C.D/32 table 42


            A.B.C.D should be your public (non-VPN) IP address, and X.Y.Z.W should be your original system default route (through your ISP, not through your VPN).



            The similar config for IPv6 traffic is left as an exercise for you :-)






            share|improve this answer




















            • Nice! This did the trick. Thanks for your help!
              – lloydsmart
              Feb 28 '13 at 17:58










            • Follow-up question: Is there any way to configure my SMTP server (Postfix in this case) to use the non-VPN route? I mean for both incoming and outgoing. Perhaps a way to make all port-25 traffic go non-VPN? Thanks!
              – lloydsmart
              Feb 28 '13 at 18:03










            • I think it might do that already if you simply make Postfix bind to the non-VPN address instead of to the wildcard (default) address. That is, try changing smtp inet in /etc/postfix/master.cf to A.B.C.D:smtp inet.
              – Celada
              Feb 28 '13 at 18:20










            • Thanks - that was the basic idea, but as it turns out the actual configuration for getting Postfix to bind to the correct address is in main.cf, using the option "smtp_bind_address = A.B.C.D". Props to this page for the answer: faqforge.com/tag/smtp_bind_address
              – lloydsmart
              Feb 28 '13 at 19:45











            • I tried these instructions on a machine that is behind a router on a LAN. For A.B.C.D, I used the machine's LAN IP (not the external IP) and for X.Y.Z.W, I used the router's address. This worked for external connections. I could now ssh to my machine from the outside world, and connections originating from my machine would go through the VPN. However, I am now unable to connect from another computer on my network to the machine via ssh (but I can if going through the external internet). How do the instructions need to be modified to work on a machine behind a network router?
              – Daniel S.
              Mar 22 '14 at 20:43













            up vote
            5
            down vote



            accepted







            up vote
            5
            down vote



            accepted






            You should use policy routing to implement this. The rules won't be too complicated.



            Your (main) default route should point toward the VPN interface. You'll probably use OpenVPN's --redirect-gateway def1 option to have this managed automatically for you when the VPN comes up. It makes OpenVPN override the system default route with a couple of /1 routes that have the same effect and makes sure OpenVPN itself can still reach its remote peer in the normal way without the obvious routing loop.



            This default route will make locally originated traffic go out through the VPN and it will also make replies to traffic that came in through the VPN go out the VPN.



            Now you want to override this with a policy rule for packets that are associated with connections that came in on the non-VPN interface. You want to make those packets go back out through the non-VPN interface.



            The following should accomplish this by (1) matching packets that have the non-VPN public IP address as a source address and asking those to be routed via a different routing table, (2) in that routing table, sending everything to your original (non-VPN) default route.



            ip route add table 42 default via X.Y.Z.W
            ip rule add from A.B.C.D/32 table 42


            A.B.C.D should be your public (non-VPN) IP address, and X.Y.Z.W should be your original system default route (through your ISP, not through your VPN).



            The similar config for IPv6 traffic is left as an exercise for you :-)






            share|improve this answer












            You should use policy routing to implement this. The rules won't be too complicated.



            Your (main) default route should point toward the VPN interface. You'll probably use OpenVPN's --redirect-gateway def1 option to have this managed automatically for you when the VPN comes up. It makes OpenVPN override the system default route with a couple of /1 routes that have the same effect and makes sure OpenVPN itself can still reach its remote peer in the normal way without the obvious routing loop.



            This default route will make locally originated traffic go out through the VPN and it will also make replies to traffic that came in through the VPN go out the VPN.



            Now you want to override this with a policy rule for packets that are associated with connections that came in on the non-VPN interface. You want to make those packets go back out through the non-VPN interface.



            The following should accomplish this by (1) matching packets that have the non-VPN public IP address as a source address and asking those to be routed via a different routing table, (2) in that routing table, sending everything to your original (non-VPN) default route.



            ip route add table 42 default via X.Y.Z.W
            ip rule add from A.B.C.D/32 table 42


            A.B.C.D should be your public (non-VPN) IP address, and X.Y.Z.W should be your original system default route (through your ISP, not through your VPN).



            The similar config for IPv6 traffic is left as an exercise for you :-)







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Feb 28 '13 at 17:44









            Celada

            29.8k46181




            29.8k46181











            • Nice! This did the trick. Thanks for your help!
              – lloydsmart
              Feb 28 '13 at 17:58










            • Follow-up question: Is there any way to configure my SMTP server (Postfix in this case) to use the non-VPN route? I mean for both incoming and outgoing. Perhaps a way to make all port-25 traffic go non-VPN? Thanks!
              – lloydsmart
              Feb 28 '13 at 18:03










            • I think it might do that already if you simply make Postfix bind to the non-VPN address instead of to the wildcard (default) address. That is, try changing smtp inet in /etc/postfix/master.cf to A.B.C.D:smtp inet.
              – Celada
              Feb 28 '13 at 18:20










            • Thanks - that was the basic idea, but as it turns out the actual configuration for getting Postfix to bind to the correct address is in main.cf, using the option "smtp_bind_address = A.B.C.D". Props to this page for the answer: faqforge.com/tag/smtp_bind_address
              – lloydsmart
              Feb 28 '13 at 19:45











            • I tried these instructions on a machine that is behind a router on a LAN. For A.B.C.D, I used the machine's LAN IP (not the external IP) and for X.Y.Z.W, I used the router's address. This worked for external connections. I could now ssh to my machine from the outside world, and connections originating from my machine would go through the VPN. However, I am now unable to connect from another computer on my network to the machine via ssh (but I can if going through the external internet). How do the instructions need to be modified to work on a machine behind a network router?
              – Daniel S.
              Mar 22 '14 at 20:43

















            • Nice! This did the trick. Thanks for your help!
              – lloydsmart
              Feb 28 '13 at 17:58










            • Follow-up question: Is there any way to configure my SMTP server (Postfix in this case) to use the non-VPN route? I mean for both incoming and outgoing. Perhaps a way to make all port-25 traffic go non-VPN? Thanks!
              – lloydsmart
              Feb 28 '13 at 18:03










            • I think it might do that already if you simply make Postfix bind to the non-VPN address instead of to the wildcard (default) address. That is, try changing smtp inet in /etc/postfix/master.cf to A.B.C.D:smtp inet.
              – Celada
              Feb 28 '13 at 18:20










            • Thanks - that was the basic idea, but as it turns out the actual configuration for getting Postfix to bind to the correct address is in main.cf, using the option "smtp_bind_address = A.B.C.D". Props to this page for the answer: faqforge.com/tag/smtp_bind_address
              – lloydsmart
              Feb 28 '13 at 19:45











            • I tried these instructions on a machine that is behind a router on a LAN. For A.B.C.D, I used the machine's LAN IP (not the external IP) and for X.Y.Z.W, I used the router's address. This worked for external connections. I could now ssh to my machine from the outside world, and connections originating from my machine would go through the VPN. However, I am now unable to connect from another computer on my network to the machine via ssh (but I can if going through the external internet). How do the instructions need to be modified to work on a machine behind a network router?
              – Daniel S.
              Mar 22 '14 at 20:43
















            Nice! This did the trick. Thanks for your help!
            – lloydsmart
            Feb 28 '13 at 17:58




            Nice! This did the trick. Thanks for your help!
            – lloydsmart
            Feb 28 '13 at 17:58












            Follow-up question: Is there any way to configure my SMTP server (Postfix in this case) to use the non-VPN route? I mean for both incoming and outgoing. Perhaps a way to make all port-25 traffic go non-VPN? Thanks!
            – lloydsmart
            Feb 28 '13 at 18:03




            Follow-up question: Is there any way to configure my SMTP server (Postfix in this case) to use the non-VPN route? I mean for both incoming and outgoing. Perhaps a way to make all port-25 traffic go non-VPN? Thanks!
            – lloydsmart
            Feb 28 '13 at 18:03












            I think it might do that already if you simply make Postfix bind to the non-VPN address instead of to the wildcard (default) address. That is, try changing smtp inet in /etc/postfix/master.cf to A.B.C.D:smtp inet.
            – Celada
            Feb 28 '13 at 18:20




            I think it might do that already if you simply make Postfix bind to the non-VPN address instead of to the wildcard (default) address. That is, try changing smtp inet in /etc/postfix/master.cf to A.B.C.D:smtp inet.
            – Celada
            Feb 28 '13 at 18:20












            Thanks - that was the basic idea, but as it turns out the actual configuration for getting Postfix to bind to the correct address is in main.cf, using the option "smtp_bind_address = A.B.C.D". Props to this page for the answer: faqforge.com/tag/smtp_bind_address
            – lloydsmart
            Feb 28 '13 at 19:45





            Thanks - that was the basic idea, but as it turns out the actual configuration for getting Postfix to bind to the correct address is in main.cf, using the option "smtp_bind_address = A.B.C.D". Props to this page for the answer: faqforge.com/tag/smtp_bind_address
            – lloydsmart
            Feb 28 '13 at 19:45













            I tried these instructions on a machine that is behind a router on a LAN. For A.B.C.D, I used the machine's LAN IP (not the external IP) and for X.Y.Z.W, I used the router's address. This worked for external connections. I could now ssh to my machine from the outside world, and connections originating from my machine would go through the VPN. However, I am now unable to connect from another computer on my network to the machine via ssh (but I can if going through the external internet). How do the instructions need to be modified to work on a machine behind a network router?
            – Daniel S.
            Mar 22 '14 at 20:43





            I tried these instructions on a machine that is behind a router on a LAN. For A.B.C.D, I used the machine's LAN IP (not the external IP) and for X.Y.Z.W, I used the router's address. This worked for external connections. I could now ssh to my machine from the outside world, and connections originating from my machine would go through the VPN. However, I am now unable to connect from another computer on my network to the machine via ssh (but I can if going through the external internet). How do the instructions need to be modified to work on a machine behind a network router?
            – Daniel S.
            Mar 22 '14 at 20:43













            up vote
            0
            down vote














            A.B.C.D should be your public (non-VPN) IP




            Is this the wan ip ? could i use an dynamic address for the wan ip that i have an none changing one ?



            My constellation is simple its an raspberry connected over lan to an inet-router



            best regards





            share








            New contributor




            johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





















              up vote
              0
              down vote














              A.B.C.D should be your public (non-VPN) IP




              Is this the wan ip ? could i use an dynamic address for the wan ip that i have an none changing one ?



              My constellation is simple its an raspberry connected over lan to an inet-router



              best regards





              share








              New contributor




              johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.



















                up vote
                0
                down vote










                up vote
                0
                down vote










                A.B.C.D should be your public (non-VPN) IP




                Is this the wan ip ? could i use an dynamic address for the wan ip that i have an none changing one ?



                My constellation is simple its an raspberry connected over lan to an inet-router



                best regards





                share








                New contributor




                johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.










                A.B.C.D should be your public (non-VPN) IP




                Is this the wan ip ? could i use an dynamic address for the wan ip that i have an none changing one ?



                My constellation is simple its an raspberry connected over lan to an inet-router



                best regards






                share








                New contributor




                johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.








                share


                share






                New contributor




                johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                answered 4 mins ago









                johnjay

                1




                1




                New contributor




                johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.





                New contributor





                johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






                johnjay is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f66426%2fincoming-outgoing-seperation-for-vpn%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?