
When connecting to a PPTP VPN, how to avoid making all traffic go over tunnel?

asked 2015-03-06 11:53:46 -0500

ring

I'd like to avoid sending all traffic over the VPN. I have to connect to some servers over that tunnel. The rest of the traffic should not go over the tunnel.

I'm using Fedora 21. I can see from iftop that all the traffic is going over the VPN.

Could we do some kind of subnet filtering?

  • Local: 192.168.0.x
  • Remote: 192.168.10.x

2 Answers

1

answered 2015-03-06 14:26:08 -0500

updated 2015-03-12 08:45:27 -0500

The way to do this is to modify your routing table. It depends upon the VPN software you use (since such software modifies your routing table for you in order to send traffic over the VPN connection), but most VPN software won't actually send all traffic over the connection.

If you use the command ip route, you'll see your routing table entries in the output. A typical table for a home environment will look something like:

default via 192.168.1.1 dev eth0 proto static metric 1024

192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100

The first rule indicates that, by default, traffic will be sent over device eth0 (the machine's NIC) through the gateway device at IP address 192.168.1.1 (a home router, perhaps). The other entry indicates that anything intended for the local subnet (192.168.1.0/24) will be sent over device eth0 using the IP address 192.168.1.100. No gateway device is needed for this traffic because it's a local subnet.

So anyway, if you note the output of ip route, establish your VPN connection, and then execute ip route a second time, you should be able to clearly see the entries established by your VPN software. Do the same for ip rule just to be sure no rule modifications are made; I suspect that the output will be the same each time (rules are not usually employed by simple VPN software operating in small office / home office networks) and if so, that's all we need to know. If all you need to access through the VPN connection is servers on the 192.168.10.0/24 subnet (and that's not a local subnet to which you have access as well), and all other traffic should be treated normally, that should be very easy to accomplish. Your routing table could simply need to have a third rule added that looks like:

192.168.10.0/24 dev vpn-device proto kernel scope link src vpn-device-ip-address

More entries may be required, but we can glean that information from the output of the second ip route command. I'm glad to help you figure out the way to handle this if you post the two ip route command outputs. For the sake of security, you may want to make simple (but consistent) adjustments to prevent others from gaining insight to your local network topology. Use different subnets, or something. Given that you cite very standard local subnet values (192.168.0.0/24 and 192.168.10.0/24), that may not be entirely necessary, but I thought I'd throw it out there for good measure.

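The before/after comparison the answer describes, carried through as an added example (this is not code from the answer or from Fedora). It assumes the PPTP link comes up as ppp0, that the remote subnet is 192.168.10.0/24, and that the VPN server is reachable at 203.0.113.7; the two `ip route` snapshots are constructed sample data standing in for the real captures, and on a live box you would pass `"$(ip route)"` instead. The script diffs the two tables to show what the tunnel added, then prints (or with `--apply`, runs) the commands that turn a full tunnel into a split one: drop the default route pointing at ppp0, keep the host route to the VPN server (the tunnel's own packets must still leave via eth0), and add the remote subnet on ppp0.

```sh
#!/bin/sh
# Split-tunnel repair for a PPTP (pppd) link on Fedora.  Added example, not
# code from the answer above.  Assumptions (not stated on the page): the
# tunnel device is ppp0, the remote subnet is 192.168.10.0/24, and the VPN
# server sits at 203.0.113.7 (a documentation address used here as sample data).
VPN_DEV="${VPN_DEV:-ppp0}"
VPN_NET="${VPN_NET:-192.168.10.0/24}"

# Constructed `ip route` snapshots standing in for the two captures the answer
# asks for; on a real machine feed "$(ip route)" to the functions instead.
ROUTES_BEFORE='default via 192.168.0.1 dev eth0 proto static metric 1024
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.50'

ROUTES_AFTER='default dev ppp0 scope link
default via 192.168.0.1 dev eth0 proto static metric 1024
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.50
192.168.10.1 dev ppp0 proto kernel scope link src 192.168.10.200
203.0.113.7 via 192.168.0.1 dev eth0'

# vpn_added_routes BEFORE AFTER: print the lines the tunnel added.
vpn_added_routes() {
  printf '%s\n' "$2" | while IFS= read -r line; do
    printf '%s\n' "$1" | grep -qxF -- "$line" || printf '%s\n' "$line"
  done
}

# default_via_vpn ROUTES: succeed if a default route points at $VPN_DEV.
default_via_vpn() {
  printf '%s\n' "$1" | grep -qE "^default .*dev $VPN_DEV( |\$)"
}

# fix_commands ROUTES: print the ip(8) commands that turn the table into a
# split tunnel: drop the VPN default route, leave the host route to the server
# alone (the tunnel's own packets still leave via eth0) and add the remote subnet.
fix_commands() {
  if default_via_vpn "$1"; then
    printf 'ip route del default dev %s\n' "$VPN_DEV"
  fi
  if ! printf '%s\n' "$1" | grep -qF -- "$VPN_NET dev $VPN_DEV"; then
    printf 'ip route add %s dev %s\n' "$VPN_NET" "$VPN_DEV"
  fi
}

case "${1:-}" in
  --apply)   # run against the live table; needs root
    fix_commands "$(ip route)" | while IFS= read -r cmd; do
      echo "+ $cmd"; sh -c "$cmd"
    done ;;
  *)         # dry run on the sample data
    echo '# routes the tunnel added:'
    vpn_added_routes "$ROUTES_BEFORE" "$ROUTES_AFTER"
    echo '# commands for a split tunnel:'
    fix_commands "$ROUTES_AFTER" ;;
esac
```

Two caveats. Routes changed by hand are lost the next time pppd brings the link up, so for a permanent fix put the same intent in the connection profile: for a pppd peers file that is `nodefaultroute` plus an ip-up hook adding the subnet, and for a NetworkManager PPTP profile it is `nmcli connection modify <vpn-name> ipv4.never-default yes ipv4.routes "192.168.10.0/24"` (the same setting the GNOME checkbox toggles). And once the default route no longer goes through the tunnel, name resolution for the remote servers only works if you also point DNS for that domain at a resolver reachable over ppp0; the routing change alone does not do that.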
1

answered 2015-03-06 14:55:37 -0500

aeperezt

If you are using the VPN control panel on GNOME, when you click on IPv4 there is a check box that says something like "Use this connection only for resources on its network"; if you check that, your VPN connection will be used only when connecting to that network.

Hope this helps. Good luck.
