Comment by symlinkk
4 years ago
Asking here as it is tangentially related, but is anyone aware of a way to route traffic on a specific port through a VPN while leaving other ports open? I have spent days looking for a solution to this and haven’t found any concrete answers. Hardware, software, anything.
Yes, that is possible but generally not natively in most applications and end-user operating systems.
Without native support, traffic control like that requires something like pf or iptables to manage the traffic you want to treat differently. This means something like an outbound firewall that does a different NAT or different route or different redirect (generally packet rewriting). If you want to scope it to more than just a port or IP (or a range of them) and be specific to an application, you'd need some type of socket filter which works at the socket level in the OS. Applications generally use sockets to interface with the network, and those sockets are provided by the OS and thus it can control the aspects of those.
Without those, you can also have a dedicated interface for the 'special' traffic. Some applications allow you to specify an outgoing interface; for those you can have them use a specific interface and have a firewall rule that redirects that port. Others don't, and you'd have to encapsulate them in a namespace (e.g. a Docker container) or VM which then 'creates' that dedicated interface your application would have to use. Then you can pipe that interface through your packet filter of choice and achieve the same thing.
Alternatively you can pipe all of the traffic of such a 'packaged' setup through your VPN. Since you'll only be running your application inside that configuration, only it would be affected.
Today, when I find myself in a scenario where I need some of this, I either have created a situation that is problematic to begin with (i.e. trying something silly that shouldn't be done in the first place) or I'm trying to simulate something like a L2 protocol over an L3 VPN for remote debugging. I've found that everything in the first category generally is a waste of time to work with anyway.
For your first suggestion, the outbound firewall, is there an easy way of doing this on a Raspberry Pi?
Yes, you can install OpenWRT or OPNsense on a Raspberry Pi. If you don't want to replace your current OS on the Pi, you'll have to manually work with iptables (if you use Linux) or pf (if you use BSD).
Schematically, your old/current situation:
New situation:
The lines between the boxes would represent network connections, i.e. ethernet connections. WiFi would work the same way.
(slight repetition:) the reason you'd use a firewall external to your PC is that it makes it impossible for any application to 'bypass' it since it doesn't actually know it is there. There are of course no guarantees as no software is perfect and firewalls are software too. But it's a whole lot closer to actually doing what you want it to than some random desktop application.
Technically you could also add a second interface on your computer and give it the option to completely bypass the firewall but that only helps if you can restrict your application of choice to only go out the firewalled interface.
In the new example, the Firewall has two network interfaces, but technically it can be done with only 1 interface if you have a network switch with VLAN support. For a Raspberry Pi you'd need a USB-Ethernet adapter for that second interface.
For OPNsense there are many examples, e.g. last year's release on a Pi 3: https://forum.opnsense.org/index.php?topic=14875.60
You can also run the latest release on a different Pi, e.g. a 4B. NanoPi works too.
OpenWRT has manuals too: https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
I did something similar with Docker. I ran both the OpenVPN client and the SSH client inside a Docker container, so only the SSH client would be affected by the OpenVPN controlling the container network. And by telling the SSH client to port forward, and by exposing the same port forward from the container to the local computer, I could use it to travel through the VPN while all other ports on the local computer were unaffected.
Here is my code for reference: https://github.com/yonixw/ssh-vpn-docker
According to your README you require NET_ADMIN permissions and you are mapping the host /dev/net/tun into the container. Doesn’t this mean you are affecting the host network as well? Sorry not super familiar with Docker’s security model
It doesn't... Tested on Windows (WSL) and macOS.
This is all about routing, and thus, OS specific.
On Linux, you can mark packets, and use multirouting I'd think.
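The 'different route' the first reply describes and the packet marking with a second routing table mentioned just above, as one worked example on Linux: iptables marks outgoing TCP traffic to one destination port, an ip rule sends marked packets to a routing table whose only default route is the tunnel, the source address is rewritten to the tunnel's so replies come back the same way, and a filter rule rejects the marked traffic rather than letting it leak if the tunnel goes away. This is an added example, not code from the thread. It assumes the VPN client has already created the tunnel interface (tun0 below; a WireGuard wg0 works the same) without installing its own default route in the main table, the mark value 0x1 and table number 100 are arbitrary, and the per-user variant at the end uses the iptables owner match as the nearest thing to the socket-level filter the first reply mentions. Set DRY_RUN=1 to print the commands instead of executing them as root.

```shell
#!/bin/sh
# Added example, not from the thread: send only TCP traffic to one destination
# port through a VPN tunnel interface using a firewall mark plus policy routing,
# leaving every other port on the normal default route.
# Assumptions (hypothetical): the VPN client already brought up VPN_IF with an
# address and did not replace the main default route (OpenVPN route-nopull,
# wg-quick Table = off); the script runs as root. DRY_RUN=1 prints instead.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse obviously bad input before touching the routing tables.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: setup_port_vpn PORT VPN_IF [MARK] [TABLE]
setup_port_vpn() {
    port=$1; vpn_if=$2; mark=${3:-0x1}; table=${4:-100}
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }

    # 1. Mark locally generated packets to the chosen destination port. The
    #    kernel re-runs the route lookup after mangle OUTPUT when the mark changes.
    run iptables -t mangle -A OUTPUT -p tcp --dport "$port" -j MARK --set-mark "$mark"
    # 2. Marked packets consult TABLE before the main table is reached.
    run ip rule add fwmark "$mark" lookup "$table"
    # 3. TABLE holds a single default route: the tunnel.
    run ip route add default dev "$vpn_if" table "$table"
    # 4. The socket picked its source address from the main table (the LAN
    #    address), so rewrite it to the tunnel's or the peer replies elsewhere.
    run iptables -t nat -A POSTROUTING -o "$vpn_if" -j MASQUERADE
    # 5. Loose reverse-path filtering on the tunnel only; strict mode drops the
    #    asymmetric replies.
    run sysctl -w "net.ipv4.conf.$vpn_if.rp_filter=2"
    # 6. Fail closed: if the tunnel disappears, TABLE empties and the lookup
    #    falls through to the main table, so reject marked traffic that would
    #    leave on any other interface.
    run iptables -A OUTPUT -m mark --mark "$mark" ! -o "$vpn_if" -j REJECT
}

# Per-application variant: iptables cannot see which program owns a socket,
# but the owner match keys on the UID that created it, so running the program
# as a dedicated user and marking that user's traffic has the same effect.
# Usage: mark_user USER [MARK]
mark_user() {
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$1" -j MARK --set-mark "${2:-0x1}"
}

if [ "$#" -ge 2 ]; then
    setup_port_vpn "$@"
fi
```

To check the split after running it, `ip route get 1.1.1.1 mark 0x1` should name the tunnel while `ip route get 1.1.1.1` still names the LAN interface. The rules cover TCP to the port only; DNS lookups the application makes still go out the normal route unless you mark UDP 53 for the same user with `mark_user`, which is the usual source of leaks with this setup.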
Are you trying to forward traffic received on that port over a VPN?
I believe so. I want traffic from one application to go over a VPN and other traffic to go over the public internet.
Ah, so you want outgoing connections to go over a VPN?