How to Use ip rule and ip route for Custom VPN Traffic Routing

The use of the ip rule and ip route commands in Linux allows for advanced network configurations, particularly in routing custom VPN traffic. By leveraging these commands, administrators can effectively control the flow of traffic based on specific conditions like source address, destination address, or other packet attributes. This article walks through the configuration of custom VPN traffic routing using these tools, with a focus on technical details.

Understanding ip rule and ip route

The ip rule command is part of the iproute2 package in Linux and enables users to define specific rules that control how packets are routed through the system. It adds an extra layer of flexibility to the routing mechanism by allowing traffic to be matched and directed based on criteria beyond traditional routing tables. On the other hand, ip route is used to configure the routing table itself, defining where packets should be forwarded based on destination IP.

Setting Up Custom VPN Traffic Routing

When configuring custom VPN traffic routing, the goal is to separate VPN-bound traffic from general traffic and apply distinct routing rules. This can be especially useful for isolating traffic through different VPN providers or for balancing load between multiple VPN connections.

Step 1: Creating a Custom Routing Table

Before adding rules for custom VPN traffic, you need to create a custom routing table. This can be done by editing the /etc/iproute2/rt_tables file. Add a new table entry with a unique ID number:

echo "200 vpn_table" >> /etc/iproute2/rt_tables
This command adds a new routing table named vpn_table with an ID of 200. The name is only a label that iproute2 translates to the number; the kernel identifies tables by ID alone, so the ID must not collide with an existing entry (0, 253, 254 and 255 are reserved for unspec, default, main and local). Appending unconditionally adds a duplicate line every time it runs, so check the file for an existing entry first if this step is scripted.

Step 2: Defining ip rules

Once the routing table is created, you need to add an ip rule to direct the VPN traffic to use this table. The ip rule command can match traffic based on various criteria, such as source IP address, destination IP, or the interface through which the traffic is routed.
For example, to send traffic originating from the local 192.168.1.0/24 network through vpn_table, use the following command:
ip rule add from 192.168.1.0/24 table vpn_table
This rule tells the system to route any traffic originating from the 192.168.1.0/24 network through the custom vpn_table.

Step 3: Configuring ip route for VPN

Now that the rule is set, populate the table itself to define where the VPN traffic should go. For instance, assume the VPN gateway has IP address 10.0.0.1 and is reached over the tunnel interface tun0. Add the following route to vpn_table:
ip route add default via 10.0.0.1 dev tun0 table vpn_table
This command adds a default route to the vpn_table that directs traffic to the VPN gateway (10.0.0.1) through the tun0 interface (the interface used by the VPN connection).

Step 4: Adding a Return Path for VPN Traffic

In some cases, you may need to ensure that return traffic from the VPN server also follows the custom route. This is done by adding a reverse route for VPN-bound packets:
ip route add 192.168.1.0/24 dev tun0 table vpn_table
This command ensures that any traffic returning to the 192.168.1.0/24 network is sent through the VPN interface (tun0), thus maintaining the VPN tunnel for both inbound and outbound traffic.

Step 5: Verifying the Configuration

Once the configuration is complete, it’s important to verify that the routing rules are working as expected. Use the following commands to inspect the active rules and routes:
ip rule show
ip route show table vpn_table
The first command shows all active routing rules, while the second command displays the routing table entries for the vpn_table. This allows you to verify that traffic is being routed correctly through the VPN tunnel.
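The following script is an added example, not part of the original article: it wraps Steps 1 to 5 in idempotent shell helpers that register the table only once, add the rule and route only if they are missing, and verify the result by parsing the output of ip rule show and ip route show rather than eyeballing it. It uses the article's values (table 200 vpn_table, source network 192.168.1.0/24, gateway 10.0.0.1 on tun0); the LAN interface eth0 and the test destination 203.0.113.1 used in the final lookup are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: idempotent helpers for the
# Step 1-5 setup. Table id/name, subnet, gateway and tun0 are the article's
# values; RT_TABLES defaults to the real file and can point at a scratch copy.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

re_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }   # literal dots in regexes

# Register "<id> <name>" in rt_tables once. A blind >> append (Step 1 as
# written) adds a duplicate line on every run; a clashing id or name is an error.
ensure_rt_table() {
    id="$1"; name="$2"
    grep -Eq "^[[:space:]]*${id}[[:space:]]+${name}[[:space:]]*$" "$RT_TABLES" && return 0
    if grep -Eq "^[[:space:]]*(${id}[[:space:]]|[0-9]+[[:space:]]+${name}[[:space:]]*$)" "$RT_TABLES"; then
        echo "rt_tables: id ${id} or name ${name} already in use" >&2
        return 1
    fi
    printf '%s %s\n' "$id" "$name" >> "$RT_TABLES"
}

# rule_present "<ip rule show output>" "<selector>" "<table>": true if a line like
#   "32765:  from 192.168.1.0/24 lookup vpn_table" is present.
rule_present() {
    sel=$(re_escape "$2")
    printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+${sel}[[:space:]]+lookup[[:space:]]+$3([[:space:]]|$)"
}

# default_route_present "<ip route show table X output>" "<gateway>" "<dev>"
default_route_present() {
    gw=$(re_escape "$2")
    printf '%s\n' "$1" | grep -Eq "^default[[:space:]]+via[[:space:]]+${gw}[[:space:]]+dev[[:space:]]+$3([[:space:]]|$)"
}

# Live setup and verification (needs root and iproute2); the parsers above are
# what can be exercised offline on captured output.
setup_vpn_table() {
    ensure_rt_table 200 vpn_table || return 1
    rule_present "$(ip rule show)" "from 192.168.1.0/24" vpn_table ||
        ip rule add from 192.168.1.0/24 table vpn_table
    default_route_present "$(ip route show table vpn_table)" 10.0.0.1 tun0 ||
        ip route add default via 10.0.0.1 dev tun0 table vpn_table
}
verify_vpn_table() {
    rule_present "$(ip rule show)" "from 192.168.1.0/24" vpn_table &&
    default_route_present "$(ip route show table vpn_table)" 10.0.0.1 tun0 &&
    ip route get 203.0.113.1 from 192.168.1.10 iif eth0   # assumed LAN dev; prints the table/route chosen
}
```

Run setup_vpn_table once and verify_vpn_table afterwards; the ip route get line reports which table and next hop the kernel actually selects for a packet from the LAN, which is the check that catches a rule that exists but never matches.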

Advanced Custom Routing Scenarios

For more complex routing setups, you can apply multiple rules to handle different types of VPN traffic. For example, you could route traffic based on the destination IP, application ports, or even the type of VPN protocol used. Here are a few scenarios to consider:

Routing Traffic Based on Destination IP

To route only traffic destined for a specific destination IP range (e.g., 10.10.10.0/24) through the VPN, add the following rule:
ip rule add to 10.10.10.0/24 table vpn_table
This rule ensures that only traffic destined for the 10.10.10.0/24 network is routed through the VPN.

Routing Traffic for Specific Applications

Advanced use cases might involve routing traffic from a specific application through the VPN. This can be done by using iptables to mark packets from certain applications and then routing those marked packets through the VPN. For instance:
iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 1
ip rule add fwmark 1 table vpn_table
This setup marks locally generated TCP packets whose source port is 80 (that is, replies sent by a web server running on this host) and routes them through the custom VPN table; to catch a local client's connections to remote web servers, match --dport 80 instead. The mangle OUTPUT chain only sees packets generated on this host; use PREROUTING to mark forwarded traffic. The mark exists only inside this kernel and never appears on the wire, so it influences nothing but this host's routing decision.

Failover Mechanism Between Multiple VPNs

If you have multiple VPN connections and wish to set up a failover mechanism, you can define multiple default routes in the same table with different metrics. The kernel uses the route with the lowest metric and falls back to the next one when that route disappears, for example because tun0 goes down and the kernel drops the routes attached to it. Without distinct metrics the second ip route add is rejected with "RTNETLINK answers: File exists".
ip route add default via 10.0.0.1 dev tun0 metric 100 table vpn_table
ip route add default via 10.0.0.2 dev tun1 metric 200 table vpn_table
This configuration uses tun0 while its route is present and falls back to tun1 when it is not. The kernel does not probe the gateway, so a tunnel that stays up but stops passing traffic will not trigger a failover on its own; the VPN client or a monitoring process has to withdraw the route for that case.
