Use OpenVPN tun device for specific request

Question

I have setup an OpenVPN connection with the route-nopull configuration. So now no special routes have been added to the client's configuration and only a TUN device is created, like so:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:13.0.9.88  P-t-P:13.0.9.88  Mask:255.255.255.224
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:150 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:12498 (12.4 KB)  TX bytes:2520 (2.5 KB)

As a result, none of the traffic goes over the VPN by default. Great, because I only need it for certain requests.

And there lies my problem: how do I do that? I'm mainly going to use this in node.js.

In the next example I create a simple GET request using http.request, but I specify the address currently given to the TUN interface.

var http = require('http'),
    url  = require('url');

var options = {
    localAddress: '13.0.9.88',
    hostname: 'www.google.be',
    path: '/',
    method: 'GET',
    port: 80
};

var req = http.request(options, function(res) {
    res.setEncoding('utf8');

    res.on('data', function (chunk) {
        console.log('Body: ' + chunk);
    });
});

req.end();

The problem is: this request never goes through or gets a response.

I also tried a simpler test, just using ping over the tun0 interface to one of Google's servers:

 ping -I tun0 173.194.112.24

This, again, gives no results.

Fyi: When I setup OpenVPN to create a TAP interface (instead of a TUN one), I get a 'Destination Host Unreachable' error

The netstat info of the vpn's ip:

# netstat -rn | fgrep 13.0.9
13.0.9.88      0.0.0.0         255.255.255.224 U         0 0          0 tun0

What routes do I have to add to enable this?

Answer 1

After quite a search, I found the answer on this blog by Georgie Casey:

The no-pull config stays, but after each connection these routes need to be added:

ip route add default via  {{P-t-P-IP}}          dev tun0 table 10
ip rule add from          {{tun0-inet addres}}  table 10

Those values you can get, for example, from ifconfig (ips modified):

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:16.0.2.11  P-t-P:16.0.2.11  Mask:255.255.255.224
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:5344 (5.3 KB)  TX bytes:2295 (2.2 KB)

Answer 2

You need add routes for the destinations you want to route via the VPN tunnel, like this:

route add <destip> gw <server IP>

Where <destip> is the destination IP you want to route via the VPN, and <server ip>is the IP of the OpenVPN server in the 13.0.9. network.

By the way, you should not use publicly routable IP addresses in private VPNs. You have to use some of the networks defined in RFC1918.

After seeing your original question Setup openvpn as interface device only , you should remove the route-nopull in your client configuration and remove push "redirect-gateway def1" from the server configuration file.

Then you can add:

push "route <serverip> 255.255.255.255"

to the server configuration file. This tells the server to tell client to route <serverip> via OpenVPN server.