
I would like to configure my Debian 8 server so it is not able to make outgoing connections at all except for a specific OpenVPN host (which distributes IP addresses based on an IP pool).

My attempt was to block eth0 and allow only on tun0, but that way if my VPN disconnects for some reason, it wouldn't be able to reconnect again.

Any approaches on how I could try to achieve what I want?

  • Have you seen this, superuser.com/a/1145872/255732 ? Commented Nov 30, 2016 at 6:50
  • Seems interesting. But how would I achieve an auto reconnect? If all interfaces are down, surely nothing can leak, but I also can't write a program which automatically reconnects to the VPN...
    – Benni
    Commented Nov 30, 2016 at 11:08
  • There is a misunderstanding: so long as you use ping-restart or ping-exit, OpenVPN will try to reconnect. The interfaces will go down only when OpenVPN decides (after the number of retries you set) that there is no chance of getting another connection. You may then modify the up script to bring up the required interface (eth0?) when OpenVPN is started up, and write a script that checks whether OpenVPN is running* and, if not, restarts it. That's all. Commented Nov 30, 2016 at 11:18

1 Answer

# Give only the OpenVPN endpoint(s) a path out via the real gateway ...
route add <ovpn host ip> gw <your real gateway>
route add -net <ovpn host network> gw <your real gateway>
# ... e.g. a whole /24 (net-tools needs the network address, host bits zero):
route add -net 1.2.3.0/24 gw <your real gateway>
# ... then drop the default route so nothing else is reachable until OpenVPN
# brings up tun0 and pushes its own default route through the tunnel.
route del default
  • There is more than one possible OpenVPN IP. Should a hostname be working as well?
    – Benni
    Commented Nov 29, 2016 at 19:07
  • Actually, it's an entire /24 subnet. Is this the only possible solution?
    – Benni
    Commented Nov 29, 2016 at 19:10
  • I know I could use a for loop. But isn't there a "cleaner", more convenient solution?
    – Benni
    Commented Nov 29, 2016 at 19:11
  • man route, please... Commented Nov 29, 2016 at 19:11
  • So route add -net 1.2.3.4/24 gw <real gw> should be working?
    – Benni
    Commented Nov 29, 2016 at 19:13
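The approach the question's comments converge on (leave eth0 up, but let only the OpenVPN endpoint pool through it, and let everything else out only via tun0) is usually done with a packet filter rather than by deleting routes, because a filter survives OpenVPN rewriting the routing table on every reconnect. The script below is an added example, not code from the original question, answer or comments. It assumes hypothetical values: the server pool is 203.0.113.0/24 (TEST-NET-3), the server listens on UDP 1194, the WAN interface is eth0 and the tunnel is tun0; override them with environment variables. It prints the iptables rules by default and applies them only when run as `./killswitch.sh apply` (as root, on Debian 8 with the stock iptables):

```shell
#!/bin/sh
# Added example (not from the original thread): OUTPUT-chain kill switch.
# The eth0 exception does not depend on tun0 existing, so OpenVPN can
# still reconnect after ping-restart tears the tunnel down.
#
# Hypothetical defaults, override via environment:
VPN_NET="${VPN_NET:-203.0.113.0/24}"   # OpenVPN server pool (TEST-NET-3 here)
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"

# Print the rules, one iptables invocation per line, without applying them.
# Order matters: loopback and reply traffic first, then the single eth0 hole
# to the VPN pool, then anything via the tunnel, then log-and-drop the rest.
# The DROP policy is set last so an interrupted run cannot lock you out.
killswitch_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p $VPN_PROTO -d $VPN_NET --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "killswitch-drop: "
iptables -A OUTPUT -j DROP
iptables -P OUTPUT DROP
EOF
}

# Number of generated rule lines, for a sanity check before applying.
killswitch_rule_count() {
    killswitch_rules | grep -c '^iptables'
}

# Apply the rules (needs root). INPUT and FORWARD are left untouched.
killswitch_apply() {
    killswitch_rules | sh -e
}

case "${1:-show}" in
    apply) killswitch_apply ;;
    show)  killswitch_rules ;;
esac
```

Two caveats a practitioner should check before relying on this. First, the ESTABLISHED,RELATED rule is what keeps an inbound SSH session to the server working while the tunnel is down; it does not open any new outbound path, because a packet dropped by the final DROP never confirms a conntrack entry. Second, if the OpenVPN config uses a hostname in `remote`, OpenVPN must resolve it before tun0 exists, and these rules drop UDP/53 on eth0; either put the IP address(es) in `remote` or add one more ACCEPT for your resolver on port 53 and treat that as the one remaining leak channel. On Debian 8, persist the result with the iptables-persistent package so it is in place before the openvpn service starts at boot.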
