[Tfug] OpenVPN and routing help

John Hubbard ender8282 at gmail.com
Tue Aug 2 13:38:42 MST 2016


On Saturday, July 30, 2016 9:39:12 PM MST John Gruenenfelder wrote:
> Hey TFUG,
> 
> I've been stuck in the hospital for four months now (long story), but
> I've got my laptop to help occupy some of the time.  The Internet
> connection is pretty lousy, though.  Anyway, I took the time to
> finally set up an OpenVPN connection to my home server.  Following a
> Debian specific guide, this was fairly easy to do, even with the TLS
> certs and such.
> 
> I want to use the VPN, at least for now, just for accessing services
> and data on this server (bebop).  I then used Gnome's network manager
> on my laptop to configure the client end of the VPN.  It works, but
> unfortunately it seems to want to route *all* traffic through the VPN,
> and that essentially killed my connection to the rest of the Internet
> until I turned off the VPN connection.

Networking isn't really my strong suit, but my impression is that the VPN
server that you connect to is responsible for telling the client what traffic
gets routed to it and what traffic gets routed elsewhere.  I say that based on
my experience with my employer's VPN (a Cisco AnyConnect appliance).  I
connect via openconnect and after running it I get a new tun0 adapter that
shows up under ifconfig.  At that point I have two IP addresses (one for the
new tun0 adapter and one for my existing eth0 adapter).  Linux just figures
out how to route traffic.

> So... I guess I'm asking what I should do next?  When at home I have
> NFSv4 configured using autofs and that's working nicely.  I'd like to
> be able to send that over the VPN link along with VNC connections,
> port 80/443. ssh, and so on.  Part of this was simplified by adding
> bebopvpn to /etc/hosts and setting it to the remote VPN IP address.  I
> also added a bebopvpnnet entry to /etc/networks, but I don't know how
> useful that will be.  I think this will require adding some entries to
> the routing table, maybe?
> 
> A tougher question is to make the NFS access more seamless.  That is,
> when on my home network, for efficiency autofs and the NFS connections
> should use the regular network and IP addresses and when not on the
> home network it should all get sent through the VPN.  Obviously, I
> would rather not have to edit files each time I change locations.
> Perhaps in this case, for simplicity's sake, it would be best to just
> have NFS go through the VPN regardless of where the laptop is?

In theory I don't think that you should need to edit files.  If you've got the
VPN properly configured and the connection open then traffic to bebop should
be routed through the VPN connection.  If you are at home you don't need the
VPN open and you should be able to connect to bebop.  I don't think that you
ever want/need a bebopvpnnet host entry.  The one piece that might be worth
your time would be setting up network manager to automatically connect to the
VPN when it connects to certain networks (e.g. the hospital network, or
Starbucks) where you will generally want to have the VPN running.

-- 
-john
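The routing behaviour discussed in this thread (a VPN that either takes over the default route or only adds a route for the remote LAN) can be checked from the output of `ip route show`. The script below is an added example for this thread, not code from either poster: it classifies a routing table as full-tunnel, split-tunnel or no-tunnel, recognising both a replaced default route and OpenVPN's `redirect-gateway def1` style pair of 0.0.0.0/1 and 128.0.0.0/1 routes, and prints the client-side OpenVPN fragment that keeps the laptop's own default route. The sample routing tables, the 10.8.0.0/24 VPN subnet, the 192.168.1.0/24 home LAN, the 172.16.5.0/24 hospital LAN and the 203.0.113.10 server address are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Decide from an `ip route show`
# listing whether a VPN has taken over the default route (full tunnel) or only
# added a route for the remote LAN (split tunnel). All addresses are assumptions.

# Returns 0 when the tunnel interface carries all non-local traffic, either
# because the default route itself points at tun/tap, or because OpenVPN's
# `redirect-gateway def1` added the two /1 routes that beat any default route.
tunnel_owns_default_route() {
    routes=$1
    if printf '%s\n' "$routes" | grep -E '^default .*dev (tun|tap)[0-9]+' >/dev/null; then
        return 0
    fi
    if printf '%s\n' "$routes" | grep -E '^0\.0\.0\.0/1 .*dev (tun|tap)[0-9]+' >/dev/null &&
       printf '%s\n' "$routes" | grep -E '^128\.0\.0\.0/1 .*dev (tun|tap)[0-9]+' >/dev/null; then
        return 0
    fi
    return 1
}

# Returns 0 when a route for the given prefix (e.g. 192.168.1.0/24) goes via tun/tap.
lan_route_via_tunnel() {
    printf '%s\n' "$1" | grep -E "^$2 .*dev (tun|tap)[0-9]+" >/dev/null
}

# Prints one of: full-tunnel, split-tunnel, no-tunnel.
classify_routes() {
    if tunnel_owns_default_route "$1"; then
        echo full-tunnel
    elif printf '%s\n' "$1" | grep -E 'dev (tun|tap)[0-9]+' >/dev/null; then
        echo split-tunnel
    else
        echo no-tunnel
    fi
}

# OpenVPN client fragment for the split-tunnel result. `route-nopull` discards
# every route the server pushes (including redirect-gateway); the `route` line
# adds back only the home LAN via the VPN gateway. Assumed LAN: 192.168.1.0/24.
split_tunnel_client_config() {
    cat <<'EOF'
route-nopull
route 192.168.1.0 255.255.255.0 vpn_gateway
EOF
}

# Constructed sample tables (not captured from a real host).
FULL_TUNNEL='default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.5.0/24 dev eth0 proto kernel scope link src 172.16.5.23'

DEF1_TUNNEL='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 172.16.5.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
172.16.5.0/24 dev eth0 proto kernel scope link src 172.16.5.23
203.0.113.10 via 172.16.5.1 dev eth0'

SPLIT_TUNNEL='default via 172.16.5.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.5.0/24 dev eth0 proto kernel scope link src 172.16.5.23
192.168.1.0/24 via 10.8.0.1 dev tun0'

NO_TUNNEL='default via 172.16.5.1 dev eth0 proto dhcp metric 100
172.16.5.0/24 dev eth0 proto kernel scope link src 172.16.5.23'

# Demo run over the samples; on a live host replace a sample with "$(ip route show)".
for name in FULL_TUNNEL DEF1_TUNNEL SPLIT_TUNNEL NO_TUNNEL; do
    eval "table=\$$name"
    echo "$name: $(classify_routes "$table")"
done
```

The same split-tunnel result can be had without editing the OpenVPN file: on the server side push only the LAN route (`push "route 192.168.1.0 255.255.255.0"`) and no `redirect-gateway`, or on the NetworkManager client set `nmcli connection modify "<vpn connection name>" ipv4.never-default yes`, which is the GUI's "Use this connection only for resources on its network" checkbox. When the home LAN route is present via tun0, the hosts-file alias for bebop can point at its LAN address and the same name resolves correctly whether the laptop is at home or on the VPN.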
