Configure (route) specific connections outside of a VPN
I am using NetworkManager (Gnome) to handle all my network connections.
I am connecting to a VPN with OpenVPN. My firewall (nftables) drops all traffic outside of the tun0 interface.
Now I want to connect to a server (that has a static IP) via ssh, but outside of the VPN tunnel, so I want to tell my machine: For every connection to this IP, do not use the VPN but rather connect directly.
What I did so far: Allow a connection to the server in the firewall.
What I am not really able to figure out:
How do I make my machine connect to the server "outside" of the VPN properly?
I already tried to read up on the problem, the answer I have been able to find was routing, so I am supposed to create a route for all the traffic to the server through a different networking interface, so instead of letting those packages through tun0, they are supposed to go through either wlp2s0 or enp1s0, depending on how I am connected at a given moment.
So I did for example
ip route add IP-ADDRESS dev wlp2s0
This somehow seems to work temporarily (but I don't even know if it should). I am not sure though if this is the correct way to do it.
In case that this is the right idea, I want to configure it so this routing is done "automatically" - so whenever my network connection changes (for example I'm switching from wifi to wired connection), I want the route to still be there. How do I do that properly?
My system (not sure if this is relevant) is Arch Linux with all the latest packages installed.
The reason I want to do this is because the server I want to connect to is blocking all of the IPs from my VPN provider. I do trust the server though, so I do not need to use the VPN to connect to this server.
linux ip vpn route
The question need not probably be so convoluted. I bet you would manage to convey you want to escape the normal route of VPN with less than 1/3 of that text. And yes, if you want to mess up with routing, the best course of action is understanding the route (and possibly firewalling) commands.
– Rui F Ribeiro
Nov 19 '18 at 14:22
Yes, adding the route for that address is the correct way to do it, and should of course work.
– RalfFriedl
Nov 19 '18 at 19:32
edited 16 mins ago by user90255
asked Nov 19 '18 at 14:04 by user246093
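One way to automate what the question asks, as an added example that is not part of the original post: a NetworkManager dispatcher script that re-adds a host route to the server through whichever physical interface currently holds the default route. The server address 203.0.113.10, the tunnel-name prefixes and the sample routing table are assumptions; unlike the command in the question, the route names the LAN gateway with `via`.

```shell
#!/bin/sh
# Added example: NetworkManager dispatcher script that keeps one trusted
# server routed over the physical uplink instead of the VPN tunnel.
SERVER="${SERVER:-203.0.113.10}"   # assumption: placeholder address (TEST-NET-3)

# Constructed sample of `ip -4 route show default` with VPN, wired and wifi up.
SAMPLE_ROUTES='default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev enp1s0 proto dhcp metric 100
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600'

# Read default routes on stdin; print "GATEWAY DEV" of the lowest-metric
# default route that is not on a tunnel interface. Exit 1 if there is none.
pick_uplink() {
    awk '
        $1 == "default" {
            gw = ""; dev = ""; metric = 0
            for (i = 2; i < NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (gw == "" || dev ~ /^(tun|tap|wg)/) next
            if (best == "" || metric < bestmetric) {
                best = gw " " dev; bestmetric = metric
            }
        }
        END { if (best == "") exit 1; print best }
    '
}

# Build the host-route command for the current uplink. `ip route replace`
# is idempotent, so running it on every event is safe.
bypass_route_cmd() {
    uplink=$(pick_uplink) || return 1
    set -- $uplink
    printf 'ip route replace %s/32 via %s dev %s\n' "$SERVER" "$1" "$2"
}

# NetworkManager calls dispatcher scripts as: script INTERFACE ACTION.
# Recompute on every change, so a wifi <-> wired switch re-pins the route.
case "${2:-}" in
    up|down|vpn-up|vpn-down|dhcp4-change)
        cmd=$(ip -4 route show default | bypass_route_cmd) && $cmd
        ;;
esac
```

Installed under /etc/NetworkManager/dispatcher.d/, the script must be owned by root, executable and not writable by other users. The nftables rule that allows the server should match its destination address rather than a fixed output interface, because the uplink changes.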