
Routing: route through VPN while allowing incoming traffic on local interface


I'm setting up a server that connects to an ovpn server through which it's able to access some remote devices. Some of these devices have private IPs (no problems here); however, the ones that have a public IP have a strict rule that allows access only from the ovpn server's public IP.

My server therefore needs to redirect all internet traffic through this VPN. The trouble is that once I configure the default route through the VPN I completely lose access to the server through its original public IP.

Is there a way to route all outgoing traffic through the VPN while still allowing replies to incoming traffic from the EC2's original IP?

When I connect to the VPN these are the routes that get installed on my system, with 172.16.220.0/24 being the VPN server's private range and 172.29.64.0/18 being the EC2 VPC's private range.

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.220.161  128.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.29.64.1     0.0.0.0         UG    100    0        0 ens5
10.0.0.0        172.16.220.161  255.0.0.0       UG    0      0        0 tun0
*vpn_public_ip*  172.29.64.1     255.255.255.255 UGH   0      0        0 ens5
128.0.0.0       172.16.220.161  128.0.0.0       UG    0      0        0 tun0
172.16.220.160  0.0.0.0         255.255.255.224 U     0      0        0 tun0
172.29.64.0     0.0.0.0         255.255.192.0   U     0      0        0 ens5
172.29.64.1     0.0.0.0         255.255.255.255 UH    100    0        0 ens5
192.168.0.0     172.16.220.161  255.255.0.0     UG    0      0        0 tun0
```

With these routes I'm able to access the EC2 through its private IP from another machine in the same private network, but I have no success reaching its public IP.

Some info: the server runs on an AWS EC2 instance with Ubuntu Server 20.04, and the network interface has a private IP with a 1-to-1 NAT to the public IP.

What are the exact criteria in the packets that decide whether the IP packet should be sent over the VPN connection or through the normal default gateway?
All outgoing packets should be routed through the VPN. Packets coming from the EC2's public IP should be routed back through the EC2's interface.
The problem is that now all the answers to the packets arriving through the EC2's interface leave through the VPN.
`ip r add ${vpn_server_up} via ${default_gw}`; now replace your default gw. The other part needs some `ip rule from $hostip lookup ...` handling.
You might have a problem that cannot be solved. A two-way connection requires sending packets from A to B and from B to A. The routing layer has no idea about connections. It only knows how to forward packets based on destination address. Therefore, if you don't have a specific subset of IP addresses that you want to route via VPN / other gateway, then you cannot do what you want.
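A concrete form of the source-based `ip rule ... lookup` approach sketched in the comments, added here as an example that is not from the question or any commenter. It uses the ens5 / 172.29.64.1 / 172.29.64.0/18 values from the routing table above and assumes the instance's private address is 172.29.70.10 (a constructed value; read the real one with `ip -4 -o addr show dev ens5`). Because the 1-to-1 NAT happens at the VPC edge, replies to connections that arrived on the public IP carry that private address as source, which is exactly what the rule matches; flows the server originates pick tun0's address via the main table and keep following the VPN's 0.0.0.0/1 and 128.0.0.0/1 routes.

```shell
#!/bin/sh
# Added example, not from the question or the comments.
# Packets sourced from the ens5 address (replies to traffic that came in via the
# public IP) are sent out ens5 via a dedicated routing table; everything else is
# untouched and still follows the OpenVPN-installed routes in the main table.
LOCAL_IF=ens5                 # from the question's routing table
LOCAL_GW=172.29.64.1          # VPC gateway, from the question
LOCAL_NET=172.29.64.0/18      # VPC subnet, from the question
LOCAL_IP=172.29.70.10         # ASSUMED / constructed; real value: ip -4 -o addr show dev ens5
TABLE=100                     # custom routing table id (any unused id 1-252)
PREF=1000                     # rule priority; evaluated before the main table (32766)
PROBE=203.0.113.1             # TEST-NET-3 address, used only for a route lookup

# Print the commands that create the source-based policy route.
gen_policy_routes() {
    printf 'ip route replace %s dev %s table %s\n' "$LOCAL_NET" "$LOCAL_IF" "$TABLE"
    printf 'ip route replace default via %s dev %s table %s\n' "$LOCAL_GW" "$LOCAL_IF" "$TABLE"
    printf 'ip rule add from %s/32 lookup %s pref %s\n' "$LOCAL_IP" "$TABLE" "$PREF"
}

# Print the commands that undo it.
gen_policy_routes_undo() {
    printf 'ip rule del from %s/32 lookup %s pref %s\n' "$LOCAL_IP" "$TABLE" "$PREF"
    printf 'ip route flush table %s\n' "$TABLE"
}

# After applying: the rule must be installed, and a lookup for an internet
# destination sourced from LOCAL_IP must resolve to ens5 rather than tun0.
check_policy_routes() {
    ip rule show | grep -q "from $LOCAL_IP lookup $TABLE" || return 1
    ip route get "$PROBE" from "$LOCAL_IP" | grep -q "dev $LOCAL_IF"
}

case "${1:-}" in
    --apply) gen_policy_routes | sh -e && check_policy_routes ;;   # needs root
    --undo)  gen_policy_routes_undo | sh -e ;;
    *)       gen_policy_routes ;;                                   # dry run: only print
esac
```

Run it with no argument to see the commands, `--apply` as root to install and verify them, and `--undo` to roll back; the rule and table do not survive a reboot unless you persist them in the network configuration.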