How to Use OpenVPN with Policy-Based Routing on Linux

OpenVPN is a robust, open-source VPN solution commonly used for secure communication over the internet. It operates at the network layer and can be configured to route specific traffic through the VPN tunnel based on defined policies. Policy-Based Routing (PBR) allows administrators to control the routing of network packets, guiding certain traffic through different network paths based on specific rules. In this article, we will explore how to configure OpenVPN with Policy-Based Routing on a Linux system.

Installing OpenVPN on Linux

Before we dive into the configuration, we need to install OpenVPN on the Linux machine. The following steps will guide you through the process.

sudo apt update
sudo apt install openvpn

These two commands update the package list and install OpenVPN (the apt commands shown are for Debian and Ubuntu; use your distribution's package manager elsewhere). Once OpenVPN is installed, we can begin configuring the VPN and policy-based routing.

Setting Up OpenVPN

Once OpenVPN is installed, we need to configure the VPN connection. Begin by creating a directory to store OpenVPN configurations:

sudo mkdir -p /etc/openvpn/client

Next, place your OpenVPN configuration file (typically named client.conf or client.ovpn) into this directory. You can download the configuration file from your VPN provider or create it manually.

To start the OpenVPN client, run the following command:

sudo openvpn --config /etc/openvpn/client/client.conf

This command establishes a connection to the OpenVPN server using the provided configuration file. At this point the VPN should be running and, with the usual provider configuration (the server pushes a default route via redirect-gateway), all traffic will route through the VPN by default.

Understanding Policy-Based Routing

Policy-Based Routing is a technique that allows network administrators to route traffic based on specific policies, such as the source IP address, destination IP, or application type. PBR can be configured using ip rule commands to create rules that direct traffic based on the criteria specified.

We will create rules to route specific traffic through the OpenVPN tunnel while allowing other traffic to use the regular network interface.

Configuring Policy-Based Routing

The first step in configuring Policy-Based Routing is to create a new routing table. Open the terminal and run the following command to create a custom table:

echo "200 vpn" | sudo tee -a /etc/iproute2/rt_tables

This command adds a new routing table named “vpn” with ID 200 to the system’s routing tables.

Next, add routes to the VPN table. The routes determine how traffic will be forwarded through the VPN tunnel. To add a default route for the VPN table, run:

sudo ip route add default via 10.8.0.1 dev tun0 table vpn

In this command, 10.8.0.1 represents the gateway IP address assigned by the OpenVPN server, and tun0 is the interface used by the VPN connection. Ensure that these values are correct for your specific VPN configuration.

Creating Routing Rules

To ensure that only specific traffic is routed through the VPN, we need to create routing rules. The ip rule command allows us to specify which traffic should use the custom routing table. For example, if you want all traffic from a specific IP range (e.g., 192.168.1.0/24) to be routed through the VPN, run:

sudo ip rule add from 192.168.1.0/24 table vpn

This rule ensures that any traffic originating from the 192.168.1.0/24 subnet will follow the VPN routing table, directing it through the OpenVPN tunnel.

If you want to route specific destination traffic (e.g., to a particular IP address), you can create a rule like:

sudo ip rule add to 203.0.113.0/24 table vpn

This rule routes any traffic destined for the 203.0.113.0/24 subnet through the VPN tunnel.

Adjusting IP Tables for PBR

Policy-Based Routing often relies on iptables to mark the packets that should follow the custom route, so that the routing decision can be made on the mark rather than on addresses alone. The following command marks packets based on the source address:

sudo iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1

This command marks all packets arriving from the 192.168.1.0/24 network with a mark of 1. The PREROUTING chain sees packets entering this machine from other hosts (for example a LAN being forwarded through it); traffic generated on the machine itself would need the same rule in the OUTPUT chain. You can then use this mark in routing decisions.

To ensure that the marked packets are processed using the correct routing table, add the following rule:

sudo ip rule add fwmark 1 table vpn

This rule ensures that any packet with a mark of 1 will be routed through the “vpn” routing table.
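The routing-table, route, rule and mark steps of the last three sections, collected into one repeatable script. This is an added example, not code from the article; it assumes the article's values (table 200 named vpn, gateway 10.8.0.1 on tun0, source range 192.168.1.0/24, destination range 203.0.113.0/24, mark 1), which you must change to match your tunnel and LAN. By default it only prints the commands it would run; `apply` executes them as root.

```shell
#!/bin/sh
# pbr-setup.sh: the article's routing-table, rule and mark steps as one
# repeatable script. Added example, not the article's own code; the values
# are the article's and must be changed to match your tunnel and LAN.
set -eu

TABLE_ID=200               # number registered in rt_tables
TABLE_NAME=vpn             # name used in 'ip rule ... table vpn'
VPN_GW=10.8.0.1            # gateway assigned by the OpenVPN server
VPN_IF=tun0                # OpenVPN interface
LAN_NET=192.168.1.0/24     # source range to send through the tunnel
REMOTE_NET=203.0.113.0/24  # destination range to send through the tunnel
MARK=1                     # fwmark set by the mangle rule
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}  # overridable for testing

# Register "ID name" exactly once. The article's 'tee -a' appends another
# copy on every run; reusing the ID or the name for a different mapping is
# refused rather than silently appended.
ensure_rt_table() {
    file=$1 id=$2 name=$3
    [ -f "$file" ] || : > "$file"
    if grep -qE "^[[:space:]]*${id}[[:space:]]+${name}[[:space:]]*$" "$file"; then
        return 0                  # already registered: nothing to do
    fi
    if grep -qE "^[[:space:]]*(${id}[[:space:]]|[0-9]+[[:space:]]+${name}[[:space:]]*$)" "$file"; then
        echo "rt_tables: id $id or name $name is already mapped differently" >&2
        return 1
    fi
    printf '%s %s\n' "$id" "$name" >> "$file"
}

# Print the commands that install the policy, in the order they should run.
# 'ip route replace' and 'iptables -C ... || -A ...' are idempotent; 'ip rule
# add' is not (it happily adds duplicates), so every copy of a rule is deleted
# before it is added back once.
plan_pbr() {
    echo "ip route replace default via $VPN_GW dev $VPN_IF table $TABLE_NAME"
    for sel in "from $LAN_NET" "to $REMOTE_NET" "fwmark $MARK"; do
        echo "while ip rule del $sel table $TABLE_NAME 2>/dev/null; do :; done"
        echo "ip rule add $sel table $TABLE_NAME"
    done
    echo "iptables -t mangle -C PREROUTING -s $LAN_NET -j MARK --set-mark $MARK 2>/dev/null ||" \
         "iptables -t mangle -A PREROUTING -s $LAN_NET -j MARK --set-mark $MARK"
}

# Run the plan for real: needs root and an established tunnel ($VPN_IF up).
apply_pbr() {
    ensure_rt_table "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME"
    ip link show "$VPN_IF" >/dev/null 2>&1 || {
        echo "$VPN_IF does not exist; start the OpenVPN client first" >&2; return 1; }
    plan_pbr | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

case "${1:-plan}" in
    plan)  plan_pbr ;;   # default: show the commands without running anything
    apply) apply_pbr ;;
    *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

Run `sh pbr-setup.sh` to review the plan and `sudo sh pbr-setup.sh apply` once the tunnel is up. The delete-then-add loop matters because `ip rule add` does not check for an identical existing rule, so re-running the article's commands piles up duplicates that are easy to misread later. One point the article does not cover: when the machine forwards a LAN such as 192.168.1.0/24 into a provider tunnel, the far end only knows the tunnel address, so replies need source NAT on tun0 in addition to these routing rules.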

Verifying the Configuration

Once you have configured OpenVPN and the policy-based routing rules, it’s essential to verify that the configuration is working as expected. You can check the routing rules with the following command:

ip rule show

This will display the current routing rules, including any that reference the “vpn” table. Ensure that your rules are listed and are pointing to the correct routing table.

Additionally, check that the table those rules point to actually holds the route through the tunnel:

ip route show table vpn

This lists the routes in the vpn table; seeing the default route via the tunnel gateway on tun0 here confirms that the traffic selected by the rules has a path through the tunnel.
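The two checks above, turned into a script that parses the iproute2 output instead of relying on eyeballing it. This is an added example, not part of the article; it assumes the article's values, and the sample outputs embedded in it are constructed to match the iproute2 print format (note that `ip rule show` prints `lookup` rather than `table`, `from all` for rules without a source selector, and the mark in hex). It also covers the failure a practitioner most wants to catch: an empty vpn table.

```shell
#!/bin/sh
# pbr-verify.sh: check that the rules and the route the article adds are
# really present, by parsing iproute2 output. Added example, not from the
# article; the sample outputs below are constructed, not captured.
set -eu

TABLE=vpn
LAN_NET=192.168.1.0/24
REMOTE_NET=203.0.113.0/24
VPN_GW=10.8.0.1
VPN_IF=tun0

# verify_rules "<output of ip -4 rule show>": each of the three selectors
# must look up the vpn table. Returns the number of missing rules.
verify_rules() {
    rules=$1 missing=0
    for want in "from $LAN_NET lookup $TABLE" \
                "from all to $REMOTE_NET lookup $TABLE" \
                "from all fwmark 0x1 lookup $TABLE"; do
        if ! printf '%s\n' "$rules" | grep -qF -- "$want"; then
            echo "missing rule: $want" >&2
            missing=$((missing + 1))
        fi
    done
    # A rule listed twice means the setup was applied twice ('ip rule add'
    # does not deduplicate); harmless for routing, but worth cleaning up.
    dups=$(printf '%s\n' "$rules" | sed 's/^[0-9]*:[[:space:]]*//' | sort | uniq -d | wc -l | tr -d ' ')
    [ "$dups" -eq 0 ] || echo "warning: $dups rule(s) listed more than once" >&2
    return "$missing"
}

# verify_route "<output of ip -4 route show table vpn>": exactly one default
# route through the tunnel. An empty table is the failure that matters: when
# tun0 goes down the kernel removes this route, the table lookup then fails,
# and the packet falls through to the next rule (the main table), so the
# traffic that was meant for the tunnel leaves unprotected.
verify_route() {
    routes=$1
    n=$(printf '%s\n' "$routes" | grep -c "^default via $VPN_GW dev $VPN_IF" || true)
    [ "$n" -eq 1 ]
}

# Live check against the running system (needs iproute2; no root required).
verify_live() {
    verify_rules "$(ip -4 rule show)" && verify_route "$(ip -4 route show table "$TABLE")"
}

# Constructed samples: a correct setup, one where the fwmark rule was never
# added, and the empty table a dropped tunnel leaves behind.
GOOD_RULES='0:      from all lookup local
32763:  from all fwmark 0x1 lookup vpn
32764:  from all to 203.0.113.0/24 lookup vpn
32765:  from 192.168.1.0/24 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'
BAD_RULES='0:       from all lookup local
32764:  from all to 203.0.113.0/24 lookup vpn
32765:  from 192.168.1.0/24 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'
GOOD_ROUTES='default via 10.8.0.1 dev tun0'
EMPTY_ROUTES=''

case "${1:-demo}" in
    live) verify_live && echo "policy routing OK" ;;
    demo)
        if verify_rules "$GOOD_RULES"; then echo "good rules: OK"; fi
        if ! verify_rules "$BAD_RULES"; then echo "bad rules: incomplete (expected)"; fi
        verify_route "$GOOD_ROUTES" && echo "good route table: OK"
        verify_route "$EMPTY_ROUTES" || echo "empty route table: tunnel down, traffic would fall through to main" ;;
    *) echo "usage: $0 [demo|live]" >&2; exit 2 ;;
esac
```

`sh pbr-verify.sh` runs the checks against the constructed samples; `sh pbr-verify.sh live` runs them against the system. The route check is the one to keep running after setup, since the rules stay in place when the tunnel drops but the route they depend on does not.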

Troubleshooting

If you encounter issues, here are a few troubleshooting steps:

1. Verify that the OpenVPN connection is active using ip a (or the older ifconfig) to check for the tun0 interface.
2. Ensure that the VPN gateway IP address (10.8.0.1) is correct and accessible.
3. Check the iptables mangle rules to make sure the correct packets are being marked.
4. Use traceroute or ping to test the routing paths of your traffic and verify that it is going through the VPN as expected.
