
How do I get OpenVPN's client to bind to a specific interface?


Jabouty

Here's my issue:

I have a server with multiple NICs, eth0-2.  eth0 & eth1 are bonded (bond-type 0) under interface bond0.

I would like to have the OpenVPN client bind to the bond0 interface while leaving the eth2 interface alone.  That way I can have my VPN traffic through the bond0 interface, and non-VPN traffic through eth2.

Pertinent information:

# netstat -anr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.35.0.94      128.0.0.0       UG        0 0          0 tun0
0.0.0.0         10.20.30.254    0.0.0.0         UG        0 0          0 bond0
10.20.30.0      0.0.0.0         255.255.255.0   U         0 0          0 eth2
10.20.30.0      0.0.0.0         255.255.255.0   U         0 0          0 bond0
10.20.35.0      0.0.0.0         255.255.255.0   U         0 0          0 br-XXXXXXXXXXXX
10.35.0.1       10.35.0.94      255.255.255.255 UGH       0 0          0 tun0
10.35.0.94      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
66.63.178.186   10.20.30.254    255.255.255.255 UGH       0 0          0 eth2
128.0.0.0       10.35.0.94      128.0.0.0       UG        0 0          0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0

10.20.30.0/24 is my home network, gateway is 10.20.30.254
10.20.35.0/24 is a docker specific bridge to allow my containers access to the network

66.63.178.186 is TorGuard's VPN, and it's attached to eth2.  I would like it to be on bond0.

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 10.20.30.252/24 brd 10.20.30.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 XXXX::XXXX:XXXX:XXXX:XXXX/64 scope link
       valid_lft forever preferred_lft forever
5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 10.20.30.200/24 brd 10.20.30.255 scope global bond0
       valid_lft forever preferred_lft forever
    inet6 XXXX::XXXX:XXXX:XXXX:XXXX/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
6: br-5b9204a4a1d4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 10.20.35.1/24 brd 10.20.35.255 scope global br-5b9204a4a1d4
       valid_lft forever preferred_lft forever
    inet6 XXXX::XXXX:XXXX:XXXX:XXXX/64 scope link
       valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 48000 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.35.0.93 peer 10.35.0.94/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 XXXX::XXXX:XXXX:XXXX:XXXX/64 scope link flags 800
       valid_lft forever preferred_lft forever
38: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5b9204a4a1d4 state UP group default
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 XXXX::XXXX:XXXX:XXXX:XXXX/64 scope link
       valid_lft forever preferred_lft forever
44: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5b9204a4a1d4 state UP group default
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 XXXX::XXXX:XXXX:XXXX:XXXX/64 scope link
       valid_lft forever preferred_lft forever

I run openvpn through systemd with systemctl start [email protected]:

# cat /etc/openvpn/connect.conf
client
dev tun
proto udp
remote 66.63.178.186 1912
resolv-retry infinite
remote-cert-tls server
nobind
tun-mtu 48000
mssfix 0
fragment 0
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
ca ca.crt
setenv CLIENT_CERT 0
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-auth>
auth-user-pass user.txt
comp-lzo
auth SHA256
fast-io
cipher AES-128-CBC
ping-restart 0
route-delay 2
route-method exe
# script-security 3 system
mute-replay-warnings
verb 3

My routing setup:

# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# ip route
0.0.0.0/1 via 10.35.0.94 dev tun0
default via 10.20.30.254 dev bond0 onlink
10.20.30.0/24 dev eth2 proto kernel scope link src 10.20.30.252
10.20.30.0/24 dev bond0 proto kernel scope link src 10.20.30.200
10.20.35.0/24 dev br-5b9204a4a1d4 proto kernel scope link src 10.20.35.1
10.35.0.1 via 10.35.0.94 dev tun0
10.35.0.94 dev tun0 proto kernel scope link src 10.35.0.93
66.63.178.186 via 10.20.30.254 dev eth2
128.0.0.0/1 via 10.35.0.94 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown

I'm unsure of whatever other information may be needed to assist me here, but if there's something I missed, let me know and I'll happily post it in the hopes that I can make this work.

I'm sure it's a matter of me not seeing the obvious solution, so I'm hoping that someone can point me in the right direction as my GoogleFu has garnered me very little in the way of actual help.

 

Thank you in advance!
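An added example, not part of the original post: a longest-prefix-match lookup over the `ip route` output quoted above, showing which interface each destination leaves by and which routes carry traffic outside tun0. The function names are hypothetical, and the tie-break between the two identical 10.20.30.0/24 routes (first listed wins) is a simplifying assumption.

```python
import ipaddress

# `ip route` output copied from the post above.
IP_ROUTE = """\
0.0.0.0/1 via 10.35.0.94 dev tun0
default via 10.20.30.254 dev bond0 onlink
10.20.30.0/24 dev eth2 proto kernel scope link src 10.20.30.252
10.20.30.0/24 dev bond0 proto kernel scope link src 10.20.30.200
10.20.35.0/24 dev br-5b9204a4a1d4 proto kernel scope link src 10.20.35.1
10.35.0.1 via 10.35.0.94 dev tun0
10.35.0.94 dev tun0 proto kernel scope link src 10.35.0.93
66.63.178.186 via 10.20.30.254 dev eth2
128.0.0.0/1 via 10.35.0.94 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
"""

def parse_routes(text):
    """Return a list of (network, device, gateway) from `ip route` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1]
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, gw))
    return routes

def egress(routes, dest):
    """Longest-prefix match; on a tie the route listed first wins (assumption)."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)  # max() keeps the first on ties

def outside_tunnel(routes, tun="tun0"):
    """Gatewayed routes that leave the host without entering the tunnel."""
    return [(str(n), d) for n, d, g in routes if g and d != tun]

if __name__ == "__main__":
    routes = parse_routes(IP_ROUTE)
    for dest in ("66.63.178.186", "8.8.8.8", "198.51.100.7", "10.20.30.254"):
        net, dev, gw = egress(routes, dest)
        print(f"{dest:15} -> {dev:6} via {gw or 'link'} ({net})")
    print(outside_tunnel(routes))
```

The /32 host route is what pins the encrypted UDP flow to 66.63.178.186 on eth2; every other non-local destination matches one of the two /1 routes and goes into tun0, so the bond0 default route is never selected.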


0 answers to this question
