
I have a Raspberry Pi server running a variety of tasks and applications through various ports; one of which is a home automation service running through an Nginx proxy on the same machine to allow HTTPS connections externally but only HTTP connections on the LAN. Up until now this has worked great, but recently I have decided to use a paid VPN service (using OpenVPN) to increase privacy. This works fine until I try to access my home automation server using SSL (which is required for services such as Amazon Alexa). As a result I've been trying to bypass the VPN for SSL traffic on port 443 but force all other traffic through the tunnel, using the following routes and ufw rules when the VPN connection is enabled:

ip route add default via $route_vpn_gateway dev tun1 table 10
ip rule add from $ifconfig_local/32 table 10
ip rule add to $route_vpn_gateway/32 table 10
ip route flush cache
ufw insert 1 reject out on wlan0 from any
ufw insert 1 allow out on wlan0 from any port 443
ufw insert 1 allow in on tun1 to any
ufw insert 1 reject out on tun1 from any port 443
ufw insert 1 deny in on tun1 from any port 443
ufw insert 1 allow in on wlan0 to any port 443

I have tried to insert the more specific rules at the start of the rule list. This doesn't seem to work though and the SSL connections still fail to get through. Is there something I'm missing here? The VPN config is set up to prevent all traffic automatically being routed through the tunnel.

  • If you want to connect to your home automation server while connected to your VPN then you will have to connect that server to the VPN also.
    – Ramhound
    Commented Aug 8, 2017 at 12:01
  • It's all one server that I'm connecting through the VPN.
    – Jimbroze
    Commented Aug 8, 2017 at 12:23
  • What you need is routing (using ip route or similar), not filtering (using iptables/ufw). You need to add a more specific route than the VPN to the target IP. You cannot route a single port.
    Commented Aug 8, 2017 at 12:47
  • Unfortunately it's not just a few external IPs that each interface needs to reach, so I can't specify routing to them.
    – Jimbroze
    Commented Aug 8, 2017 at 20:32
  • Is there any way of routing all external traffic to and from the nginx server through the default gateway but routing all else through the VPN?
    – Jimbroze
    Commented Aug 8, 2017 at 20:39

2 Answers


To route traffic based on what interface it arrived on and what port, you can use the iptables mark feature.

In your case, mark traffic incoming on port 443 and/or the WAN/local interface and then use an ip rule to force it to use a dedicated routing table. Set the default route in that table to use your non-VPN gateway.

How to mark and direct marked traffic is explained here:

https://www.linuxquestions.org/questions/linux-networking-3/add-route-based-on-port-not-ip-486823/

If you disable the firewall, you should see that the traffic is now being routed correctly.

I'm not 100% sure about the firewall rules, but check the log (/var/log/ufw.log) to see if it's working as expected.

As ufw is a front-end for iptables, get the full list of rules with iptables -S. To check which rules actually affect your traffic, use the TRACE feature of iptables.
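One way to implement the mark-based split tunnel this answer describes, written as an added example that is not the answerer's code nor anything from the linked thread. It assumes the WAN interface is wlan0 (as in the question), a LAN gateway of 192.168.1.1, routing table 100, connection mark 0x1 and rule priority 100; all of these are placeholders to adjust. DRY_RUN=1 (the default) prints the commands instead of executing them, so the rule set can be inspected without root before it is applied.

```shell
#!/bin/sh
# Hypothetical split-tunnel helper (added example, not from the thread).
# Assumed placeholder values; override via the environment.
WAN_IF="${WAN_IF:-wlan0}"          # interface the public HTTPS traffic arrives on
LAN_GW="${LAN_GW:-192.168.1.1}"    # assumed LAN (non-VPN) gateway
TABLE="${TABLE:-100}"              # dedicated routing table
MARK="${MARK:-0x1}"                # connection/packet mark value
PRIO="${PRIO:-100}"                # ip rule priority, evaluated before table main
PORT="${PORT:-443}"                # port nginx terminates TLS on
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the five commands that pin inbound HTTPS flows to the non-VPN gateway.
split_tunnel_rules() {
    # 1. A new connection arriving on the WAN interface for the HTTPS port gets
    #    a connection mark, so every later packet of that flow is recognisable.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 2. Locally generated packets (nginx's replies) copy the connection mark
    #    onto the packet so the routing decision can see it.
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
    # 3. Marked packets consult the dedicated table instead of main.
    run ip rule add fwmark "$MARK" table "$TABLE" priority "$PRIO"
    # 4. That table's only default route is the LAN gateway, bypassing tun1.
    run ip route add default via "$LAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip route flush cache
}

# Emit the matching teardown so the rules can be removed when the VPN drops.
split_tunnel_teardown() {
    run iptables -t mangle -D PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -D OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
    run ip rule del fwmark "$MARK" table "$TABLE" priority "$PRIO"
    run ip route flush table "$TABLE"
}

# Number of commands the setup would emit (useful for a quick sanity check).
count_rules() {
    DRY_RUN=1 split_tunnel_rules | wc -l | tr -d ' '
}
```

To apply it for real, run `DRY_RUN=0 sh split_tunnel.sh` as root after the VPN is up (for example from an OpenVPN `up` script) and `split_tunnel_teardown` on `down`. Only the replies to connections that entered on wlan0:443 are steered to the LAN gateway; everything the Pi originates itself still follows the VPN default route. If replies are still dropped, check the WAN interface's reverse-path filter: with a VPN default route, `net.ipv4.conf.wlan0.rp_filter` may need loose mode (2) so the kernel accepts packets arriving on wlan0 whose return route is a different table. `iptables -t mangle -L -v` shows whether the CONNMARK rules are matching, which is the first thing to confirm before suspecting ufw.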


What you are trying to do is called split tunneling. You would have to set up a route or rule on your router to allow all traffic going out from the source to destination to use ISP vs VPN.

  • How would I go about doing that?
    – Jimbroze
    Commented Aug 8, 2017 at 20:27
  • Can you elaborate "split tunneling"?
    – user486359
    Commented Aug 25, 2023 at 7:56
