Posted: Tue Aug 13, 2019 17:14 Post subject: enabling specific programs to bypass router based OpenVPN
Overview:
I run a router stack with 3 tiers. Tier 1 is connected to the ISP modem; tier 2 routers are connected WAN to the front router's LAN. Tier 3 routers are connected WAN to LAN of their specific tier 2 router. The overall purpose is to have securely separated subnets. OpenVPN is run on the 2nd tier routers.
System works well. But two things I need to fix.
1) allow selected programs to bypass the VPN on their tier-2 router and access the front tier-1 router's logs.
The connection logger I use cannot see/access the front (tier-1) router's logs when the VPN is running. Thus I miss the bogons and the NAT information, which is primarily trapped by the front router. Only a few sites seem to get through the front (tier-1) router. {sneaky Google on some occasions - less than 6 a day & Apple if our iPad is connected}
2) be able to let a user turn off & on (or bypass) the router's VPN on occasion. Want something simpler & safer than giving users full access to the router's settings. Thought about using the SES button on the back of the router. But that requires the user to have physical access to the router itself. Ideas?
Sam
_________________ multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
Last edited by Sam1789 on Wed Aug 14, 2019 1:14; edited 1 time in total
You could allow the users to bypass the VPN by changing either IP or gateway. You would also need to set this up on the VPN router.
I am guessing you could allow access to the router for logs by either restrictive routing to it or firewall or routing rules on the client machines.
portsup,
Thanks for your. Not sure how to do either of those. It sounds almost like just a paraphrasing of my questions?
Sam
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Aug 14, 2019 10:03 Post subject:
You can use Policy Based Routing to route some IP addresses via the VPN and others not.
Normally you set a static lease for those addresses and if you set those addresses in the PBR field of your VPN then those clients/IP addresses will go via the VPN (the other way around is also possible).
Now on your client (which normally has this static lease) you can change the network settings; for Windows you can use a utility, NetSetMan (if I remember correctly), to easily switch between network settings and in this way you can easily switch between VPN or non-VPN routing.
(I think that this is also what @portsup is talking about.)
Egc is describing largely what I am intending. The program for changing Windows network settings sounds good. Rather than PBR, a gateway based solution would be better. You could set up multiple IPs on tier 2 routers and have routing based on either of those IPs, with one going to VPN, the other WAN. Then the client merely changes gateway for VPN or WAN.
You could do that I think on a tier 2 router by using pbr and adding an address in the subnet to the vpn device and adding that address to the pbr. Configure that address as gateway on the client for vpn, and the other address for wan.
As to routing to tier 1 while on VPN. I am guessing you can just make a rule for it. I am not sure though how Linux prioritizes routing rules. PBR is a routing rule that says from a certain address go via VPN; you also want to say but to this other tier 1 address go here, so as to get to the tier 1 router.
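One way to build the source-based PBR egc describes, together with the extra route portsup is asking about for the tier-1 router, as an added example that is not from the thread or from DD-WRT itself: plain iproute2 commands run on the tier-2 router. Interface names, the table number and all addresses are constructed assumptions; the block also adds a kill-switch route so a dropped tunnel does not silently leak the VPN clients out over WAN.

```sh
#!/bin/sh
# Source-based PBR on the tier-2 OpenVPN router (iproute2).
# Constructed names: br0 = LAN bridge, vlan2 = WAN port, tun1 = OpenVPN client
# interface, 192.168.1.1 = tier-1 router (this router's WAN gateway).
IP="${IP:-ip}"                    # set IP=echo to print the commands instead of running them
VPN_TABLE="${VPN_TABLE:-100}"     # private routing table used only by tunnelled clients
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan2}"
TUN_IF="${TUN_IF:-tun1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
TIER1="${TIER1:-192.168.1.1}"

pbr_apply() {
    clients="$1"                  # space-separated LAN IPs (static leases) that must use the VPN
    $IP route flush table "$VPN_TABLE" 2>/dev/null   # makes re-running idempotent

    # Contents of the VPN table. Inside one table the most specific prefix
    # wins, so the /32 for the tier-1 router beats the tunnel default and
    # the logger on a VPN client can still reach the front router via WAN.
    $IP route add "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"
    $IP route add "$TIER1/32" dev "$WAN_IF" table "$VPN_TABLE"
    $IP route add default dev "$TUN_IF" table "$VPN_TABLE"
    # Kill switch: if the tunnel drops, its default route vanishes and the
    # higher-metric unreachable route catches the clients instead of letting
    # the lookup fall through to the main table and leak out over plain WAN.
    $IP route add unreachable default table "$VPN_TABLE" metric 100

    # Rules are walked in ascending priority; 1000 sits well before the
    # main table (32766), so listed clients never consult main for WAN traffic.
    prio=1000
    for c in $clients; do
        $IP rule del from "$c" table "$VPN_TABLE" 2>/dev/null
        $IP rule add from "$c" table "$VPN_TABLE" priority "$prio"
        prio=$((prio + 1))
    done
    $IP route flush cache 2>/dev/null
}

# LAN hosts not in the list keep using the main table (plain WAN); moving a
# client in or out of the VPN is just a change to this list and a re-run.
# pbr_apply "192.168.2.10 192.168.2.11"
```

Run it with `IP=echo` first to review the exact commands before applying them on the router.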