Re: Split tunnelling

2018-08-23 Thread Patrick O'Callaghan
On Wed, 2018-08-22 at 13:59 -0700, Samuel Sieb wrote:
> I would suggest trying to get your own openvpn config working if 
> possible.  There might be a script that the binary uses to configure the 
> routing, see if you can find that.  Try running "strings" on the binary. 
>   You could also just create your own script that starts up the VPN and 
> then modifies the routing table.  Remove those first two entries and 
> then add entries for whatever range you do want to go over the VPN.

Yes, that seems to be one option.

Another is to use network namespaces (ip-netns(8)) to isolate the VPN-
using app from everything else. There are several scripts out there to
do this but none of them run directly on Fedora, so some more digging
is required.

poc 
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/WCQEBZ4T22FZJ6KFSSOW5FCLMPU7356U/


Re: Split tunnelling

2018-08-23 Thread Patrick O'Callaghan
On Thu, 2018-08-23 at 09:04 +0200, Federico Bruni wrote:
> 
> On Tue, 21 Aug 2018 at 11:46, Patrick O'Callaghan wrote:
> > On Tue, 2018-08-21 at 09:10 +0200, Federico Bruni wrote:
> > > On Mon, 20 Aug 2018 at 14:03, Patrick O'Callaghan wrote:
> > > > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > > > when network traffic to some destinations (or for some apps) is
> > > > tunnelled over a VPN, while the rest of the traffic goes through normal
> > > > channels. I've tried messing with network namespaces, which would seem
> > > > to be the way to go, but not managed to get everything lined up so far.
> > > > All the howto's I've seen are for various flavours of Ubuntu.
> > > >
> > > > I guess I'm asking if anyone has already done the work and feels like
> > > > sharing it.
> > >
> > > If you use NetworkManager, you can check the option "Use this
> > > connection only for resources on its network", in the IPv4 tab of the
> > > VPN settings.
> >
> > I do use NM, but I'm not seeing that option, at least under KDE. I'll
> > look using Gnome just to be sure but it seems unlikely that they would
> > be different.
>
> Strange... this option has been present for a long time.
> Did you install NetworkManager-openvpn package?
> Are you using Fedora 28?

As I explained later, I hadn't seen the option because it was off the
bottom of the window.

poc


Re: Split tunnelling

2018-08-23 Thread Federico Bruni



On Tue, 21 Aug 2018 at 11:46, Patrick O'Callaghan wrote:
> On Tue, 2018-08-21 at 09:10 +0200, Federico Bruni wrote:
> > On Mon, 20 Aug 2018 at 14:03, Patrick O'Callaghan wrote:
> > > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > > when network traffic to some destinations (or for some apps) is
> > > tunnelled over a VPN, while the rest of the traffic goes through normal
> > > channels. I've tried messing with network namespaces, which would seem
> > > to be the way to go, but not managed to get everything lined up so far.
> > > All the howto's I've seen are for various flavours of Ubuntu.
> > >
> > > I guess I'm asking if anyone has already done the work and feels like
> > > sharing it.
> >
> > If you use NetworkManager, you can check the option "Use this
> > connection only for resources on its network", in the IPv4 tab of the
> > VPN settings.
>
> I do use NM, but I'm not seeing that option, at least under KDE. I'll
> look using Gnome just to be sure but it seems unlikely that they would
> be different.



Strange... this option has been present for a long time.
Did you install NetworkManager-openvpn package?
Are you using Fedora 28?




Re: Split tunnelling

2018-08-22 Thread Ed Greshko
On 08/23/18 09:15, Samuel Sieb wrote:
> On 08/22/2018 02:56 PM, Ed Greshko wrote:
>> I've never been a fan of the "route" command.
>>
>> How about the output of "netstat -rn" instead?  In my case...
>
> The output is almost identical except that route gives you the metric as
> well.  What's wrong with the route command other than it is deprecated?
> netstat is also deprecated.  What do you use for creating routes?

Yes.  I wasn't thinking.  I use "ip" but do slip into old habits from time to 
time.

-- 
Conjecture is just a conclusion based on incomplete information. It isn't a 
fact.





Re: Split tunnelling

2018-08-22 Thread Samuel Sieb

On 08/22/2018 04:49 PM, Mike Wright wrote:

> On 08/22/2018 01:59 PM, Samuel Sieb wrote:
> > On 08/22/2018 08:59 AM, Patrick O'Callaghan wrote:
> > > This is the routing table with the VPN enabled (the virbr stuff is from
> > > a VM, not relevant here):
> >
> > (I rearranged the table.)
> >
> > > $ route
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > 0.0.0.0         10.87.0.53      128.0.0.0       UG    0      0        0 tun0
> > > 128.0.0.0       10.87.0.53      128.0.0.0       UG    0      0        0 tun0
>
> I've seen this used before.  Basically it matches everything so it
> "front runs" the default route without having to replace it.  I thought
> it was pretty clever.


You never have to replace the default route, just provide another one 
that has a lower metric.  Although doing it this way uses a more 
specific match so it doesn't matter what the metric is.



Re: Split tunnelling

2018-08-22 Thread Samuel Sieb

On 08/22/2018 02:56 PM, Ed Greshko wrote:

> I've never been a fan of the "route" command.
>
> How about the output of "netstat -rn" instead?  In my case...


The output is almost identical except that route gives you the metric as 
well.  What's wrong with the route command other than it is deprecated? 
netstat is also deprecated.  What do you use for creating routes?



Re: Split tunnelling

2018-08-22 Thread Mike Wright

On 08/22/2018 01:59 PM, Samuel Sieb wrote:

> On 08/22/2018 08:59 AM, Patrick O'Callaghan wrote:
> > This is the routing table with the VPN enabled (the virbr stuff is from
> > a VM, not relevant here):
>
> (I rearranged the table.)
>
> > $ route
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 0.0.0.0         10.87.0.53      128.0.0.0       UG    0      0        0 tun0
> > 128.0.0.0       10.87.0.53      128.0.0.0       UG    0      0        0 tun0


I've seen this used before.  Basically it matches everything so it 
"front runs" the default route without having to replace it.  I thought 
it was pretty clever.


:m


Re: Split tunnelling

2018-08-22 Thread Ed Greshko
On 08/22/18 23:59, Patrick O'Callaghan wrote:
> This is the routing table with the VPN enabled (the virbr stuff is from
> a VM, not relevant here):


I've never been a fan of the "route" command.

How about the output of "netstat -rn" instead?  In my case...

No VPN

[egreshko@meimei ~]$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp2s0
0.0.0.0         192.168.2.5     0.0.0.0         UG        0 0          0 wlp0s29u1u2
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp2s0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp0s29u1u2

VPN

[egreshko@meimei ~]$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         25.0.8.1        0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp2s0
0.0.0.0         192.168.2.5     0.0.0.0         UG        0 0          0 wlp0s29u1u2
25.0.8.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
104.244.157.160 192.168.1.1     255.255.255.255 UGH       0 0          0 enp2s0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp2s0
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 enp2s0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp0s29u1u2

-- 
Conjecture is just a conclusion based on incomplete information. It isn't a 
fact.




Re: Split tunnelling

2018-08-22 Thread Ed Greshko
On 08/23/18 05:56, Ed Greshko wrote:
> On 08/22/18 23:59, Patrick O'Callaghan wrote:
>> This is the routing table with the VPN enabled (the virbr stuff is from
>> a VM, not relevant here):
>
> I've never been a fan of the "route" command.
>
> How about the output of "netstat -rn" instead?  In my case...
>
> No VPN
>
> [egreshko@meimei ~]$ netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp2s0
> 0.0.0.0         192.168.2.5     0.0.0.0         UG        0 0          0 wlp0s29u1u2
> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp2s0
> 192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp0s29u1u2
>
> VPN
>
> [egreshko@meimei ~]$ netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         25.0.8.1        0.0.0.0         UG        0 0          0 tun0
> 0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp2s0
> 0.0.0.0         192.168.2.5     0.0.0.0         UG        0 0          0 wlp0s29u1u2
> 25.0.8.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
> 104.244.157.160 192.168.1.1     255.255.255.255 UGH       0 0          0 enp2s0
> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp2s0
> 192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 enp2s0
> 192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp0s29u1u2
>
Come to think of it, the ip command is even better as it includes the "metric".

No VPN

[egreshko@meimei ~]$ ip route show
default via 192.168.1.1 dev enp2s0 proto static metric 100
default via 192.168.2.5 dev wlp0s29u1u2 proto dhcp metric 600
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100
192.168.2.0/24 dev wlp0s29u1u2 proto kernel scope link src 192.168.2.190 metric 600

[egreshko@meimei ~]$ ip route show
default via 25.0.8.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev enp2s0 proto static metric 100
default via 192.168.2.5 dev wlp0s29u1u2 proto dhcp metric 600
25.0.8.0/24 dev tun0 proto kernel scope link src 25.0.8.3 metric 50
174.127.111.177 via 192.168.1.1 dev enp2s0 proto static metric 100
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100
192.168.1.1 dev enp2s0 proto static scope link metric 100
192.168.2.0/24 dev wlp0s29u1u2 proto kernel scope link src 192.168.2.190 metric 600

With a metric of 50 the tun0 link is preferred.

-- 
Conjecture is just a conclusion based on incomplete information. It isn't a 
fact.




Re: Split tunnelling

2018-08-22 Thread Samuel Sieb

On 08/22/2018 08:59 AM, Patrick O'Callaghan wrote:

> This is the routing table with the VPN enabled (the virbr stuff is from
> a VM, not relevant here):

(I rearranged the table.)

> $ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         10.87.0.53      128.0.0.0       UG    0      0        0 tun0
> 128.0.0.0       10.87.0.53      128.0.0.0       UG    0      0        0 tun0

This is very weird routing!  The first one matches any address that
doesn't have the highest bit set and the second one matches any address
that does.  Together they match everything.

> 10.87.0.1       10.87.0.53      255.255.255.255 UGH   0      0        0 tun0
> 10.87.0.53      0.0.0.0         255.255.255.255 UH    0      0        0 tun0

These are strange too.

> default         ZyXEL-router    0.0.0.0         UG    100    0        0 enp3s0
> 45.56.130.4     ZyXEL-router    255.255.255.255 UGH   0      0        0 enp3s0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp3s0
> 192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0


I would suggest trying to get your own openvpn config working if 
possible.  There might be a script that the binary uses to configure the 
routing, see if you can find that.  Try running "strings" on the binary. 
 You could also just create your own script that starts up the VPN and 
then modifies the routing table.  Remove those first two entries and 
then add entries for whatever range you do want to go over the VPN.
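
An added example, not code from any poster in this thread: it models the route selection discussed above (the two /1 routes beating the default by prefix length, and a lower metric deciding between equal prefixes) and plans the "remove those first two entries and add your own ranges" change without executing anything. Assumptions: ZyXEL-router is written as 192.168.1.1, 203.0.113.0/24 is a placeholder for the range you want tunnelled, and the function names are hypothetical.

```python
import ipaddress

# Constructed `ip route`-style rendering of the VPN-on table from this thread.
# ZyXEL-router is written as 192.168.1.1, which is an assumption.
VPN_ON = """\
0.0.0.0/1 via 10.87.0.53 dev tun0
128.0.0.0/1 via 10.87.0.53 dev tun0
default via 192.168.1.1 dev enp3s0 metric 100
10.87.0.1 via 10.87.0.53 dev tun0
10.87.0.53 dev tun0
45.56.130.4 via 192.168.1.1 dev enp3s0
192.168.1.0/24 dev enp3s0 metric 100
192.168.122.0/24 dev virbr0
"""

# Two of the default routes from the `ip route show` output in this thread.
METRIC_ONLY = """\
default via 25.0.8.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev enp2s0 proto static metric 100
"""

HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}


def parse_routes(text):
    """Parse simple `ip route show` lines (IPv4 unicast, key/value options)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        opts = dict(zip(tok[1::2], tok[2::2]))
        routes.append({
            "net": ipaddress.ip_network(dest),
            "via": opts.get("via"),
            "dev": opts["dev"],
            "metric": int(opts.get("metric", 0)),
        })
    return routes


def lookup(routes, addr):
    """Pick a route the way the kernel does: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r["net"]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def covering_devices(routes):
    """Devices holding both /1 halves, i.e. shadowing every default route."""
    seen = {}
    for r in routes:
        if r["net"] in HALVES:
            seen.setdefault(r["dev"], set()).add(r["net"])
    return sorted(dev for dev, nets in seen.items() if nets == HALVES)


def split_plan(routes, vpn_dev, wanted):
    """Plan the change suggested in the thread: delete the two /1 routes on
    vpn_dev and add only the wanted ranges. Returns (commands, new_table);
    the commands are strings for review and nothing is executed."""
    cmds, table, gw = [], [], None
    for r in routes:
        if r["dev"] == vpn_dev and r["net"] in HALVES:
            gw = r["via"]
            cmds.append(f"ip route del {r['net']} via {gw} dev {vpn_dev}")
        else:
            table.append(r)
    if gw is None:
        raise ValueError(f"no covering /1 routes on {vpn_dev}")
    for cidr in wanted:
        net = ipaddress.ip_network(cidr)
        cmds.append(f"ip route add {net} via {gw} dev {vpn_dev}")
        table.append({"net": net, "via": gw, "dev": vpn_dev, "metric": 0})
    return cmds, table


if __name__ == "__main__":
    before = parse_routes(VPN_ON)
    print("covering /1 pair on:", covering_devices(before))
    cmds, after = split_plan(before, "tun0", ["203.0.113.0/24"])
    print("\n".join(cmds))
    for dst in ("8.8.8.8", "203.0.113.9", "45.56.130.4", "192.168.1.20"):
        print(f"{dst:15} before={lookup(before, dst)['dev']:7}"
              f" after={lookup(after, dst)['dev']}")
    print("metric only:", lookup(parse_routes(METRIC_ONLY), "8.8.8.8")["dev"])
```

After the planned change only the listed range still uses tun0; everything else, including DNS queries to resolvers outside that range, leaves over the local interface.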



Re: Split tunnelling

2018-08-22 Thread Patrick O'Callaghan
On Tue, 2018-08-21 at 15:15 -0700, Samuel Sieb wrote:
> On 08/21/2018 09:08 AM, Patrick O'Callaghan wrote:
> > It works as far as it goes, but still no split tunnel. I suspect the
> > (provider-supplied *binary*) connection script is forcing all traffic
> > through the tunnel. Looks like I'll have to play with OpenVPN using the
> > provider's credentials and see if I can convince it to play ball.
> 
> What is the output of the "route" command?  Check for a default gateway 
> that is pointing to the VPN.  If there is one, try removing it and see 
> what happens.

This is the routing table with the VPN enabled (the virbr stuff is from
a VM, not relevant here):

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.87.0.53      128.0.0.0       UG    0      0        0 tun0
default         ZyXEL-router    0.0.0.0         UG    100    0        0 enp3s0
10.87.0.1       10.87.0.53      255.255.255.255 UGH   0      0        0 tun0
10.87.0.53      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
45.56.130.4     ZyXEL-router    255.255.255.255 UGH   0      0        0 enp3s0
128.0.0.0       10.87.0.53      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

The default points directly to the local router, as expected, but the
router's address has changed. For comparison, here's the table with the
VPN turned off:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ZyXEL-router    0.0.0.0         UG    100    0        0 enp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

poc


Re: Split tunnelling

2018-08-21 Thread Samuel Sieb

On 08/21/2018 09:08 AM, Patrick O'Callaghan wrote:

> It works as far as it goes, but still no split tunnel. I suspect the
> (provider-supplied *binary*) connection script is forcing all traffic
> through the tunnel. Looks like I'll have to play with OpenVPN using the
> provider's credentials and see if I can convince it to play ball.


What is the output of the "route" command?  Check for a default gateway 
that is pointing to the VPN.  If there is one, try removing it and see 
what happens.



Re: Split tunnelling

2018-08-21 Thread Samuel Sieb

On 08/21/2018 02:49 AM, Patrick O'Callaghan wrote:

> On Mon, 2018-08-20 at 09:46 -0700, Samuel Sieb wrote:
> > However, my openvpn connection only routes the private network subnets,
> > everything else goes over the regular network connection.
>
> I'm not sure I understand what you mean by "private network subnets".
> You mean it does this automatically, or you configured it that way?


openvpn doesn't provide a default gateway unless you put that in the 
config.  So only the routes that I push from the server go through the VPN.



Re: Split tunnelling

2018-08-21 Thread Samuel Sieb

On 08/21/2018 04:21 AM, j.witvl...@mindef.nl wrote:

> VPN-server processes can push routing info, and DNS-server addresses.
> AFAICR systems accept three DNS-resolvers.
> This can be tricky. If the VPN-process pushes three resolvers, the old ones
> will be gone (while the tunnel exists),
> Thus you are unable to resolve NON-vpn-URL's.


This doesn't work the way you seem to be suggesting.  Even if your old 
DNS servers are still in the list, they won't be used.  The DNS 
resolving system will always use the first one in the list unless it's 
not reachable.



Re: Split tunnelling

2018-08-21 Thread Patrick O'Callaghan
On Tue, 2018-08-21 at 16:44 +0100, Patrick O'Callaghan wrote:
> On Tue, 2018-08-21 at 18:31 +0800, Ed Greshko wrote:
> > On 08/21/18 17:46, Patrick O'Callaghan wrote:
> > > On Tue, 2018-08-21 at 09:10 +0200, Federico Bruni wrote:
> > > > On Mon, 20 Aug 2018 at 14:03, Patrick O'Callaghan wrote:
> > > > > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > > > > when network traffic to some destinations (or for some apps) is
> > > > > tunnelled over a VPN, while the rest of the traffic goes through normal
> > > > > channels. I've tried messing with network namespaces, which would seem
> > > > > to be the way to go, but not managed to get everything lined up so far.
> > > > > All the howto's I've seen are for various flavours of Ubuntu.
> > > > >
> > > > > I guess I'm asking if anyone has already done the work and feels like
> > > > > sharing it.
> > > > > 
> > > > 
> > > > If you use NetworkManager, you can check the option "Use this 
> > > > connection only for resources on its network", in the IPv4 tab of the 
> > > > VPN settings.
> > > 
> > > I do use NM, but I'm not seeing that option, at least under KDE. I'll
> > > look using Gnome just to be sure but it seems unlikely that they would
> > > be different.
> > 
> > Under the IPv4 tab, click on Routes.  The check box is there in KDE.
> 
> Thanks Ed. It was hiding at the bottom of the window and I needed to
> scroll to see it.

It works as far as it goes, but still no split tunnel. I suspect the
(provider-supplied *binary*) connection script is forcing all traffic
through the tunnel. Looks like I'll have to play with OpenVPN using the
provider's credentials and see if I can convince it to play ball.

poc


Re: Split tunnelling

2018-08-21 Thread Patrick O'Callaghan
On Tue, 2018-08-21 at 11:21 +, j.witvl...@mindef.nl wrote:
> See comment below.
> 
> -Original Message-
> From: Patrick O'Callaghan [mailto:pocallag...@gmail.com]
> Sent: Tuesday 21 August 2018 11:49
> To: users@lists.fedoraproject.org
> Subject: Re: Split tunnelling
> 
> On Mon, 2018-08-20 at 09:46 -0700, Samuel Sieb wrote:
> > On 08/20/2018 05:03 AM, Patrick O'Callaghan wrote:
> > > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > > when network traffic to some destinations (or for some apps) is
> > > tunnelled over a VPN, while the rest of the traffic goes through normal
> > > channels. I've tried messing with network namespaces, which would seem
> > > to be the way to go, but not managed to get everything lined up so far.
> > > All the howto's I've seen are for various flavours of Ubuntu.
> > 
> > I don't know about apps, namespaces might work for that but I haven't
> > had any reason to try that yet.
> > 
> > However, my openvpn connection only routes the private network subnets,
> > everything else goes over the regular network connection.
> 
> I'm not sure I understand what you mean by "private network subnets".
> You mean it does this automatically, or you configured it that way?
> 
> > The only
> > tricky part, which I haven't tried to solve, is that you can't resolve
> > private DNS entries from the VPN connection.  This would likely be a
> > problem with a work VPN, unless you let the work DNS resolve everything.
> 
> Indeed, that could be an issue.
> 
> Poc
> 
> 
> =
> " To be clear, split tunnelling is
> > > when network traffic to some destinations (or for some apps) is
> > > tunnelled over a VPN, while the rest of the traffic goes through normal
> > > channels."
> 
> No, not exactly.
> That is more an example of the use of multiple routes.
> Destination-A goes through gateway-A
> Destination-B goes through gateway-B
> All-else goes through default-gateway...
> Either GW-A or GW-B could be VPN.
> 
> Split-tunneling is more that transmit and receive use different tunnels,
> Or traffic to SAME destination is load-balanced over multiple, parallel 
> tunnels.

I'm following the terminology used in 
https://en.wikipedia.org/wiki/Split_tunneling, which is also used by my
VPN provider (ExpressVPN) and others (e.g. NordVPN). (ExpressVPN
actually support split-tunneling, but only for Windows and MacOS.) None
of these mention load-balancing or using different tunnels for transmit
and receive. Of course it wouldn't be the first time a technical term
is overloaded with several meanings.

poc


Re: Split tunnelling

2018-08-21 Thread Patrick O'Callaghan
On Tue, 2018-08-21 at 18:31 +0800, Ed Greshko wrote:
> On 08/21/18 17:46, Patrick O'Callaghan wrote:
> > On Tue, 2018-08-21 at 09:10 +0200, Federico Bruni wrote:
> > > On Mon, 20 Aug 2018 at 14:03, Patrick O'Callaghan wrote:
> > > > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > > > when network traffic to some destinations (or for some apps) is
> > > > tunnelled over a VPN, while the rest of the traffic goes through normal
> > > > channels. I've tried messing with network namespaces, which would seem
> > > > to be the way to go, but not managed to get everything lined up so far.
> > > > All the howto's I've seen are for various flavours of Ubuntu.
> > > >
> > > > I guess I'm asking if anyone has already done the work and feels like
> > > > sharing it.
> > > > 
> > > 
> > > If you use NetworkManager, you can check the option "Use this 
> > > connection only for resources on its network", in the IPv4 tab of the 
> > > VPN settings.
> > 
> > I do use NM, but I'm not seeing that option, at least under KDE. I'll
> > look using Gnome just to be sure but it seems unlikely that they would
> > be different.
> 
> Under the IPv4 tab, click on Routes.  The check box is there in KDE.

Thanks Ed. It was hiding at the bottom of the window and I needed to
scroll to see it.

poc


RE: Split tunnelling

2018-08-21 Thread J.Witvliet
See comment below.

-Original Message-
From: Patrick O'Callaghan [mailto:pocallag...@gmail.com]
Sent: Tuesday 21 August 2018 11:49
To: users@lists.fedoraproject.org
Subject: Re: Split tunnelling

On Mon, 2018-08-20 at 09:46 -0700, Samuel Sieb wrote:
> On 08/20/2018 05:03 AM, Patrick O'Callaghan wrote:
> > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > when network traffic to some destinations (or for some apps) is
> > tunnelled over a VPN, while the rest of the traffic goes through normal
> > channels. I've tried messing with network namespaces, which would seem
> > to be the way to go, but not managed to get everything lined up so far.
> > All the howto's I've seen are for various flavours of Ubuntu.
>
> I don't know about apps, namespaces might work for that but I haven't
> had any reason to try that yet.
>
> However, my openvpn connection only routes the private network subnets,
> everything else goes over the regular network connection.

I'm not sure I understand what you mean by "private network subnets".
You mean it does this automatically, or you configured it that way?

> The only
> tricky part, which I haven't tried to solve, is that you can't resolve
> private DNS entries from the VPN connection.  This would likely be a
> problem with a work VPN, unless you let the work DNS resolve everything.

Indeed, that could be an issue.

Poc


=
" To be clear, split tunnelling is
> > when network traffic to some destinations (or for some apps) is
> > tunnelled over a VPN, while the rest of the traffic goes through normal
> > channels."
No, not exactly.
That is more an example of the use of multiple routes.
Destination-A goes through gateway-A
Destination-B goes through gateway-B
All-else goes through default-gateway...
Either GW-A or GW-B could be VPN.

Split-tunneling is more that transmit and receive use different tunnels,
Or traffic to SAME destination is load-balanced over multiple, parallel tunnels.

"> tricky part, which I haven't tried to solve, is that you can't resolve
> private DNS entries from the VPN connection."
VPN-server processes can push routing info, and DNS-server addresses.
AFAICR systems accept three DNS-resolvers.
This can be tricky. If the VPN-process pushes three resolvers, the old ones 
will be gone (while the tunnel exists),
Thus you are unable to resolve NON-vpn-URL's.

Situation can get even more complicated, when using split-horizon DNS.
Same URL with internally, and externally different IP-addresses.





Re: Split tunnelling

2018-08-21 Thread Ed Greshko
On 08/21/18 17:46, Patrick O'Callaghan wrote:
> On Tue, 2018-08-21 at 09:10 +0200, Federico Bruni wrote:
>> On Mon, 20 Aug 2018 at 14:03, Patrick O'Callaghan wrote:
>>> Has anyone got this to work in Fedora? To be clear, split tunnelling is
>>> when network traffic to some destinations (or for some apps) is
>>> tunnelled over a VPN, while the rest of the traffic goes through normal
>>> channels. I've tried messing with network namespaces, which would seem
>>> to be the way to go, but not managed to get everything lined up so far.
>>> All the howto's I've seen are for various flavours of Ubuntu.
>>>
>>> I guess I'm asking if anyone has already done the work and feels like
>>> sharing it.
>>>
>> If you use NetworkManager, you can check the option "Use this 
>> connection only for resources on its network", in the IPv4 tab of the 
>> VPN settings.
> I do use NM, but I'm not seeing that option, at least under KDE. I'll
> look using Gnome just to be sure but it seems unlikely that they would
> be different.

Under the IPv4 tab, click on Routes.  The check box is there in KDE.


-- 
Conjecture is just a conclusion based on incomplete information. It isn't a 
fact.



List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/5H3CO62C3YVGNYEIZ2LXJYDUOFK6CMCT/


Re: Split tunnelling

2018-08-21 Thread Patrick O'Callaghan
On Mon, 2018-08-20 at 09:46 -0700, Samuel Sieb wrote:
> On 08/20/2018 05:03 AM, Patrick O'Callaghan wrote:
> > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > when network traffic to some destinations (or for some apps) is
> > tunnelled over a VPN, while the rest of the traffic goes through normal
> > channels. I've tried messing with network namespaces, which would seem
> > to be the way to go, but not managed to get everything lined up so far.
> > All the howto's I've seen are for various flavours of Ubuntu.
> 
> I don't know about apps, namespaces might work for that but I haven't 
> had any reason to try that yet.
> 
> However, my openvpn connection only routes the private network subnets, 
> everything else goes over the regular network connection.

I'm not sure I understand what you mean by "private network subnets".
You mean it does this automatically, or you configured it that way?

> The only 
> tricky part, which I haven't tried to solve, is that you can't resolve 
> private DNS entries from the VPN connection.  This would likely be a 
> problem with a work VPN, unless you let the work DNS resolve everything.

Indeed, that could be an issue.

poc
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/IWARJZCPHY6Y6USNYS6Z7HJS72Q63LED/


Re: Split tunnelling

2018-08-21 Thread Patrick O'Callaghan
On Tue, 2018-08-21 at 09:10 +0200, Federico Bruni wrote:
> 
> On Mon 20 Aug 2018 at 14:03, Patrick O'Callaghan wrote:
> > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > when network traffic to some destinations (or for some apps) is
> > tunnelled over a VPN, while the rest of the traffic goes through normal
> > channels. I've tried messing with network namespaces, which would seem
> > to be the way to go, but not managed to get everything lined up so far.
> > All the howto's I've seen are for various flavours of Ubuntu.
> > 
> > I guess I'm asking if anyone has already done the work and feels like
> > sharing it.
> > 
> 
> If you use NetworkManager, you can check the option "Use this 
> connection only for resources on its network", in the IPv4 tab of the 
> VPN settings.

I do use NM, but I'm not seeing that option, at least under KDE. I'll
look using Gnome just to be sure but it seems unlikely that they would
be different.

poc
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/QHXDRDOUKOCQXA6JFN4SKARLTT44FUMT/


Re: Split tunnelling

2018-08-21 Thread Federico Bruni



On Mon 20 Aug 2018 at 14:03, Patrick O'Callaghan wrote:
> Has anyone got this to work in Fedora? To be clear, split tunnelling is
> when network traffic to some destinations (or for some apps) is
> tunnelled over a VPN, while the rest of the traffic goes through normal
> channels. I've tried messing with network namespaces, which would seem
> to be the way to go, but not managed to get everything lined up so far.
> All the howto's I've seen are for various flavours of Ubuntu.
>
> I guess I'm asking if anyone has already done the work and feels like
> sharing it.

If you use NetworkManager, you can check the option "Use this
connection only for resources on its network", in the IPv4 tab of the
VPN settings.




List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/T5HKZHNFBESQCFGIGVAD452WTDZ7M3PH/


Re: Split tunnelling

2018-08-20 Thread Samuel Sieb

On 08/20/2018 05:03 AM, Patrick O'Callaghan wrote:
> Has anyone got this to work in Fedora? To be clear, split tunnelling is
> when network traffic to some destinations (or for some apps) is
> tunnelled over a VPN, while the rest of the traffic goes through normal
> channels. I've tried messing with network namespaces, which would seem
> to be the way to go, but not managed to get everything lined up so far.
> All the howto's I've seen are for various flavours of Ubuntu.

I don't know about apps, namespaces might work for that but I haven't 
had any reason to try that yet.


However, my openvpn connection only routes the private network subnets, 
everything else goes over the regular network connection.  The only 
tricky part, which I haven't tried to solve, is that you can't resolve 
private DNS entries from the VPN connection.  This would likely be a 
problem with a work VPN, unless you let the work DNS resolve everything.

List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/ZLYFNMZG4SJWFLJQXY42NM3H4CTSF7HZ/
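
Added example, not part of the thread: a way to check from the routing table whether a VPN really is split-tunnelled, as in the message above where only the private subnets go over OpenVPN. The device name tun0, the function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the VPN device is tun0 and the
# input looks like the output of `ip -4 route show`.

# vpn_mode DEV: read a routing table on stdin, print "full", "split" or "none".
vpn_mode() {
    awk -v dev="$1" '
        {
            out = ""
            for (i = 1; i < NF; i++) if ($i == "dev") out = $(i + 1)
            if (out != dev) next          # route does not use the VPN device
            routes++
            # A default route, or the 0.0.0.0/1 + 128.0.0.0/1 pair installed by
            # OpenVPN redirect-gateway def1, sends all traffic to the VPN.
            if ($1 == "default" || $1 == "0.0.0.0/0") full = 1
            if ($1 == "0.0.0.0/1")   lo = 1
            if ($1 == "128.0.0.0/1") hi = 1
        }
        END {
            if (full || (lo && hi)) print "full"
            else if (routes > 0)    print "split"
            else                    print "none"
        }'
}

# vpn_prefixes DEV: list the destination prefixes routed over DEV.
vpn_prefixes() {
    awk -v dev="$1" '{ for (i = 1; i < NF; i++)
                           if ($i == "dev" && $(i + 1) == dev) print $1 }'
}

# Constructed sample tables; all addresses are illustrative.
SPLIT_TABLE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

FULL_TABLE='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

printf '%s\n' "$SPLIT_TABLE" | vpn_mode tun0
printf '%s\n' "$FULL_TABLE"  | vpn_mode tun0
# Live check: ip -4 route show | vpn_mode tun0
```

In NetworkManager, the "Use this connection only for resources on its network" checkbox mentioned in this thread corresponds to the ipv4.never-default connection property; with it set, vpn_mode should report split.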


Re: Split tunnelling

2018-08-20 Thread Patrick O'Callaghan
On Mon, 2018-08-20 at 14:30 +0200, None via users wrote:
> You can do this with ovpn by pushing routes through ovpn connection. Not 
> per app per se, I do hope I get your question the correct way.
> maybe look at this: 
> https://wiki.archlinux.org/index.php/OpenVPN#Routing_client_traffic_through_the_server
> 
> The documentation is from Arch, but does not differ all that much with 
> Fedora.

[Please don't top-post]

That seems to be the other way round, from what I can understand. In my
case I have a (paid) VPN service with no access to the proxy side.
However I may be misreading it. Thanks anyway.

poc
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/BREGJY6NAH5BZM6GBA76RPX3FENY7UUF/


Re: Split tunnelling

2018-08-20 Thread Patrick O'Callaghan
On Mon, 2018-08-20 at 21:36 +0800, Ed Greshko wrote:
> On 08/20/18 20:03, Patrick O'Callaghan wrote:
> > Has anyone got this to work in Fedora? To be clear, split tunnelling is
> > when network traffic to some destinations (or for some apps) is
> > tunnelled over a VPN, while the rest of the traffic goes through normal
> > channels. I've tried messing with network namespaces, which would seem
> > to be the way to go, but not managed to get everything lined up so far.
> > All the howto's I've seen are for various flavours of Ubuntu.
> > 
> > I guess I'm asking if anyone has already done the work and feels like
> > sharing it.
> 
> 
> Just a FWIW,  I have not done this.  But, in the past, I thought about doing it.  My
> reason being that I wanted some traffic to pass through the VPN so as to appear
> originating in the US to access some video content.  Things like liveTV, Hulu, Amazon
> Prime, etc.  I found it easier to subscribe to a VPN service provider that offered
> proxyDNS.

That's certainly one use case. Another is to keep connections to a
corporate VPN separate from those for personal use.

poc
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/MBMZDQZJQ2KQDBZXLO5POXESDCCJ3ZRA/


Re: Split tunnelling

2018-08-20 Thread Ed Greshko
On 08/20/18 20:03, Patrick O'Callaghan wrote:
> Has anyone got this to work in Fedora? To be clear, split tunnelling is
> when network traffic to some destinations (or for some apps) is
> tunnelled over a VPN, while the rest of the traffic goes through normal
> channels. I've tried messing with network namespaces, which would seem
> to be the way to go, but not managed to get everything lined up so far.
> All the howto's I've seen are for various flavours of Ubuntu.
>
> I guess I'm asking if anyone has already done the work and feels like
> sharing it.


Just a FWIW,  I have not done this.  But, in the past, I thought about doing it.  My
reason being that I wanted some traffic to pass through the VPN so as to appear
originating in the US to access some video content.  Things like liveTV, Hulu, Amazon
Prime, etc.  I found it easier to subscribe to a VPN service provider that offered
proxyDNS.


-- 
Conjecture is just a conclusion based on incomplete information. It isn't a 
fact.



List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/E6XE5E76SGWBN6RUZGZJJRE3XR5OJKPW/


Re: Split tunnelling

2018-08-20 Thread None via users

Hey Poc,

You can do this with ovpn by pushing routes through ovpn connection. Not 
per app per se, I do hope I get your question the correct way.
maybe look at this: 
https://wiki.archlinux.org/index.php/OpenVPN#Routing_client_traffic_through_the_server


The documentation is from Arch, but does not differ all that much with 
Fedora.


Kind regards,
Maikel


On 2018-08-20 14:03, Patrick O'Callaghan wrote:
> Has anyone got this to work in Fedora? To be clear, split tunnelling is
> when network traffic to some destinations (or for some apps) is
> tunnelled over a VPN, while the rest of the traffic goes through normal
> channels. I've tried messing with network namespaces, which would seem
> to be the way to go, but not managed to get everything lined up so far.
> All the howto's I've seen are for various flavours of Ubuntu.
>
> I guess I'm asking if anyone has already done the work and feels like
> sharing it.
>
> poc

List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/CO67I6WFCCFT6FIAC4P5XANPA3OSRMSH/


Split tunnelling

2018-08-20 Thread Patrick O'Callaghan
Has anyone got this to work in Fedora? To be clear, split tunnelling is
when network traffic to some destinations (or for some apps) is
tunnelled over a VPN, while the rest of the traffic goes through normal
channels. I've tried messing with network namespaces, which would seem
to be the way to go, but not managed to get everything lined up so far.
All the howto's I've seen are for various flavours of Ubuntu.

I guess I'm asking if anyone has already done the work and feels like
sharing it.

poc
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/U4WMADWQ5QWGBENU2JXPWZCFR4C62DOW/