
I use multiple operating systems on my clients (Ubuntu, Mint, Alpine, Windows 7-10) and I'd like to access my home network through VPN and, for example, in a hotel I'd like to browse the internet through my home internet connection.

I read an interesting article here. It claims that if the VPN connection is not established and you have network connection (e.g. VPN server is not running, the client is not yet connected, etc.), then your client computer will use the local network without tunneling instead of the VPN. I guess the same can happen if I lose connection to my VPN server for some reason and I would not even recognize that I send out half of the messages unencrypted. Is there a way to prevent that from happening and forcing every app on a client computer to use VPN tunnel only?

I found a few similar questions on the topic, which were, for example, Win7-specific. What I am looking for is a general solution. So in theory, what is the recipe to do this on any Windows and Linux system (without system-specific details), and if it is not possible, then why?

1 Answer

The general approaches are:

  • Block undesirable packets from being sent using the firewall.
  • Adjust the routing table so that packets never go through the direct path.

The first method can be implemented by filtering outgoing packets based on their source address, as you'll have different addresses for the LAN subnet and for the VPN tunnel. (Of course, you need to add an exception for the VPN client itself.)

The second, by removing the existing "default" route (0.0.0.0/0 or ::/0) so that packets will immediately be returned with "Network unreachable" errors. Again, you need to set up an exception for the VPN server, by adding a very narrow route (possibly even /32 or /128).

Some operating systems also support "routing domains", "VRFs", or "network namespaces" which limit what network interfaces a program even sees – so you could create a separate namespace just for the VPN client, and assign the physical Ethernet interface to it. (The remaining programs will be forced to use whatever's left, e.g. on Linux a virtual "veth" interface for communication between namespaces.)
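The two approaches above, worked through as a Linux "kill switch" script. This is an added example, not part of the answer: it emits an nftables ruleset (approach 1, matching on the outgoing interface, which on a host with one address per interface is equivalent to the source-address filter the answer describes) and the iproute2 commands for the no-default-route variant (approach 2). The interface names `eth0`/`tun0`, the VPN server `203.0.113.10:1194/udp` and the LAN gateway `192.0.2.1` are constructed placeholders; override them with environment variables. The VPN server must be given as an IP address, since with the kill switch in place no DNS query can leave the LAN interface.

```shell
#!/bin/sh
# VPN kill switch for Linux, illustrating both approaches from the answer:
#   1. a firewall policy that drops everything leaving the physical interface
#      unless it is the VPN client's own traffic to the VPN server, and
#   2. a routing table with no default route, only a /32 to the VPN server.
# All names, addresses and ports below are constructed example values.
LAN_IF="${LAN_IF:-eth0}"                   # physical (untrusted) interface
TUN_IF="${TUN_IF:-tun0}"                   # tunnel interface the VPN client creates
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # VPN server address (an IP, not a hostname)
VPN_PORT="${VPN_PORT:-1194}"               # VPN server port (OpenVPN default)
VPN_PROTO="${VPN_PROTO:-udp}"              # udp or tcp
LAN_GW="${LAN_GW:-192.0.2.1}"              # LAN default gateway (constructed)

# Approach 1: emit an nftables ruleset. The "inet" family applies the same
# rules to IPv4 and IPv6, so the drop policy also covers IPv6 leaks. Only the
# loopback, the tunnel, the VPN client's flow to the server, DHCP and the IPv6
# neighbour-discovery messages needed to keep the link usable are allowed out.
nft_killswitch_rules() {
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$TUN_IF" accept
        oifname "$LAN_IF" ip daddr $VPN_SERVER $VPN_PROTO dport $VPN_PORT accept
        oifname "$LAN_IF" udp dport 67 accept
        oifname "$LAN_IF" icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
        counter reject with icmpx type admin-prohibited
    }
}
EOF
}

# Approach 2: emit the ip-route commands for the "no default route" variant.
# Only the VPN server stays reachable via the LAN gateway; everything else
# fails with "Network unreachable" until the VPN client installs its own
# default route through the tunnel (OpenVPN does so with redirect-gateway).
route_killswitch_cmds() {
    cat <<EOF
ip route replace $VPN_SERVER/32 via $LAN_GW dev $LAN_IF
ip route del default dev $LAN_IF
ip -6 route del default dev $LAN_IF 2>/dev/null || true
EOF
}

# Applying either set needs root; "show" just prints what would be applied.
apply_all() {
    nft_killswitch_rules | nft -f -
    route_killswitch_cmds | sh -e
}

case "${1:-show}" in
    show)  nft_killswitch_rules; echo; route_killswitch_cmds ;;
    apply) apply_all ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the generated rules and routes, then `sudo ./killswitch.sh apply` before starting the VPN client. The two approaches are complementary: the routing change makes leaks fail loudly, while the firewall policy still catches anything that bypasses the main routing table (a second routing table, a raw socket, or a VPN client that briefly removes its route on reconnect).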

  • I guess I have to write an app if I want to use VPN automatically on untrusted connections and turn it off when I connect to the trusted network at home. I hope there is a way to listen to system events, like before:connect, etc.
    – inf3rno
    Commented Dec 8, 2017 at 18:17
