
I read this answer beforehand, it says:

ip rule add from x.x.x.x table 100
ip route add table 100 to y.y.y.y/y dev ethX
ip route add table 100 default via z.z.z.z

The problem is, this will apply to all ports, and then I could use iptables to DROP certain connections, but that's not what I want.

I want the OpenVPN to...

  • Exclude some ports, like SSH, TeamViewer, etc.
  • Tunnel all other ports, not DROP them.

Client is a Mac Mini. I can change server config if needed.

Austin Huang
  • Do you want to _exclude_ the connections to specific ports via VPN for them to bypass the tunnel and connect directly to the endpoint (and not via VPN)? – Lenniey Jan 08 '19 at 16:39
  • @Lenniey Yes. OR only tunnel certain ports, either way. Currently, my IP is still my public IP, but when I enable `Should client Internet traffic be routed through the VPN?` I can't TeamViewer (Port 5938) into it. – Austin Huang Jan 08 '19 at 17:15

1 Answer


This can be achieved using iptables mangle. Your routing tables are fine, you just have to add some rules to ex/include the specific traffic.

In your case it would be something like this for SSH:

ip rule add fwmark 2 table 100
ip route flush cache
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -o ethX -j SNAT --to-source z.z.z.z
                                  ^                        ^
                               your public interface      your public IP

This will:

  1. set fwmark 2 to your routing table 100
  2. flush the routing cache to avoid interference
  3. set mark 2 for all packets to destination port 22 (SSH)
  4. SNAT all packets going out of ethX to your public IP

I don't know if you need all of this or have to turn it around, depends on which way you want to look at it (all traffic via OpenVPN except xxx, or no traffic via OpenVPN except xxx).

E.g. you don't even have to use routing tables, but it certainly is much cleaner this way, or you don't need the SNAT / masquerade etc.

Lenniey
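The answer above shows the marking rules for one direction (connections the client opens to port 22). The script below is an added example for this thread, not Lenniey's or the OP's code, and it generalizes the same fwmark + policy-routing idea to both directions for a list of ports: inbound connections that arrive on the public interface are CONNMARKed so their replies leave through that interface instead of tun0 (the OP's "can't TeamViewer into it" case), locally initiated connections to those ports are marked and MASQUERADEd (the job the SNAT rule above does), and rp_filter is relaxed, since with the VPN default route on tun0 strict reverse-path filtering silently drops the inbound packets. The interface name, gateway, table 100, mark 2 and the ports are placeholders; the commands are Linux iproute2/iptables, so the OP's macOS client would need the pf equivalents, which this example does not cover. The function only prints the commands; pipe its output into `sudo sh` to apply them.

```shell
#!/bin/sh
# Generate (not apply) the Linux rules that keep a few TCP ports off an OpenVPN
# "redirect-gateway" tunnel in both directions. Example code for the thread
# above; not the answer author's script. Table, mark and port values below are
# assumptions chosen for the example.

# vpn_bypass_rules IFACE GATEWAY PORT [PORT...]
#   IFACE    public (non-tunnel) interface, e.g. eth0
#   GATEWAY  that interface's real default gateway
#   PORT...  TCP ports that must bypass the tunnel (22 5938 ...)
# Prints the commands to stdout; `vpn_bypass_rules eth0 192.0.2.1 22 5938 | sudo sh` applies them.
vpn_bypass_rules() {
    [ $# -ge 3 ] || { echo "usage: vpn_bypass_rules IFACE GATEWAY PORT [PORT...]" >&2; return 2; }
    iface=$1; gw=$2; shift 2
    table=${BYPASS_TABLE:-100}   # policy-routing table id (assumed unused)
    mark=${BYPASS_MARK:-2}       # fwmark/connmark value (assumed unused)

    # Validate the ports before they are interpolated into commands.
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 2; }
    done
    ports=$(printf '%s,' "$@"); ports=${ports%,}   # "22,5938" for -m multiport

    cat <<EOF
# 1. routing: anything carrying fwmark $mark is looked up in table $table, whose
#    default route is the real gateway on $iface instead of the tunnel
ip rule add fwmark $mark table $table
ip route replace default via $gw dev $iface table $table
ip route flush cache
# 2. loose reverse-path filtering: with the VPN default route on tun0, strict
#    rp_filter would drop packets that arrive on $iface for the excluded ports
sysctl -w net.ipv4.conf.$iface.rp_filter=2
# 3. inbound: tag new connections reaching the excluded ports on $iface
iptables -t mangle -A PREROUTING -i $iface -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
# 4. outbound: tag connections this host opens to the excluded ports
iptables -t mangle -A OUTPUT -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
# 5. copy the connection mark onto every locally generated packet, so replies to
#    the inbound connections and all packets of the outbound ones hit rule 1
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
# 6. outbound packets were given the tunnel's source address before the
#    re-route; rewrite it to $iface's address (same job as the SNAT above)
iptables -t nat -A POSTROUTING -o $iface -m mark --mark $mark -j MASQUERADE
EOF
}

# Stand-alone run: print the ruleset for the OP's two ports (SSH and TeamViewer).
vpn_bypass_rules eth0 192.0.2.1 22 5938
```

To back the change out, feed the same output through `sed 's/ -A / -D /; s/^ip rule add/ip rule del/; s/^ip route replace/ip route del/'` and apply that. Rule 3 and rule 4 tag only the first packet of each connection (`--ctstate NEW`); rule 5 then marks every packet of those connections, including the SYN-ACK the Mac sends back to an inbound TeamViewer or SSH client, which is the packet that the original rules never routed back out the public interface.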