[Ubuntu 16.04] Trying to bypass VPN using iptables

WhatName · July 17, 2017, 1:55am

Hi,

I have a mounted folder and an OpenVPN client setup on a new Ubuntu install. Everything’s working well, but I’m trying to get rclone to bypass the VPN. I have the following script in place that bypasses the VPN for certain ports, but rclone looks to use random ports. Is there a way to define the port range for rclone to use, or setup a rule based on the process that’s opening the port? Any help would be greatly appreciated!

# ---ENABLING KERNEL OPTIONS
sudo sysctl -w net.ipv4.conf.ens3.rp_filter=0
sudo sysctl -w net.ipv4.conf.tun0.rp_filter=0
sudo sysctl -w net.ipv4.conf.all.rp_filter=0
sudo sysctl -w net.ipv4.conf.default.rp_filter=0
sudo sysctl -w net.ipv4.conf.lo.rp_filter=0 

sudo sysctl -w net.ipv4.conf.all.forwarding=1
sudo sysctl -w net.ipv4.conf.default.forwarding=1
sudo sysctl -w net.ipv4.conf.ens3.forwarding=1
sudo sysctl -w net.ipv4.conf.lo.forwarding=1
sudo sysctl -w net.ipv4.conf.tun0.forwarding=1

sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.default.forwarding=1
sudo sysctl -w net.ipv6.conf.ens3.forwarding=1
sudo sysctl -w net.ipv6.conf.lo.forwarding=1
sudo sysctl -w net.ipv6.conf.tun0.forwarding=1

sudo sysctl -w net.ipv4.tcp_fwmark_accept=1

# ---CLEAR ALL FIREWALL RULES
iptables -F
iptables -t mangle -F
iptables -t nat -F

# ---FLSUH EXISTING TABLE 101 + cache
ip route flush table 101
ip route flush cache

#--- DEL IF EXISTS AND ADD RULE
ip rule del fwmark 2 table 101
ip rule add fwmark 2 table 101

#--- CREATE TABLE 101
ip route add table 101 default via 192.168.0.1 dev ens3
ip route add table 101 192.168.0.0/24 dev ens3  proto kernel  scope link  src 192.168.0.144

#---  PORT FORWARD TO TABLE 101

# SETTING MASQUERADE FOR OUTPUT
iptables --table nat --append POSTROUTING -o ens3 -j MASQUERADE

# VPN BYPASS!
# SSH
iptables -t mangle -A PREROUTING -p tcp --dport 22             -j MARK --set-mark 2

# PLEX
iptables -t mangle -A OUTPUT     -p tcp --dport  32400         -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport  32400         -j MARK --set-mark 2

# HTTP S
iptables -t mangle -A PREROUTING -p tcp --dport 80             -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 443            -j MARK --set-mark 2

# FTP
iptables -t mangle -A PREROUTING -p tcp --dport 21             -j MARK --set-mark 2

# YOU NEED TO SET UP MIN/MAX PORT IN VSFTPD
iptables -t mangle -A PREROUTING -p tcp --dport 13000:13100    -j MARK --set-mark 2
iptables -t mangle -A OUTPUT     -p tcp --sport 21             -j MARK --set-mark 2

#DELUGE LOCAL only from LOCAL NETWORK IPs
iptables -t mangle -A PREROUTING -p tcp --dport 58846   -s 192.168.0.0/24        -j MARK --set-mark 2

# DELUGE WEB GUI
iptables -t mangle -A PREROUTING -p tcp --dport 8112             -j MARK --set-mark 2

calisro · July 17, 2017, 1:24pm

You could run rclone as a separate user and then mark traffic from that user in iptables how every you like.

iptables -t mangle -A OUTPUT ! --dest $LANIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x2

ncw · July 18, 2017, 10:45am

That is a great idea.

You could alternatively work out what the IPs of the cloud providers you are using and bypass traffic to those. Do a run of rclone and check netstat -tuanp | grep rclone to see. Some cloud providers use multiple IPs so it might take a few tries to get them all.

WhatName · July 19, 2017, 11:25am

Thank you both for the help! I got it working by:

Making a new “rclone” user and using it to mount rclone.
Added the following into my original script:

iptables -t mangle -A OUTPUT -m owner --uid-owner rclone -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 433 -j MARK --set-mark 2

My bandwidth while using rclone just jumped from 5 MB/s to 30 MB/s!

Mark_Koval · September 17, 2018, 8:36am

You can find a bunch of good guides on the Internet. And I believe you can find the whole site dedicated to the topic. Here’s the link, for instance.

mark_hascole · January 9, 2019, 10:20am

Thanks, a buddy for sharing this helpful source,
However, You can visit: https://www.linuxquestions.org/questions/linux-networking-3/selective-routing-[to-bypass-vpn-for-most]-4175501958/ , May it helps you.

But if you are facing problem in choosing right VPN you can visit: https://www.reviewsdir.com

Animosity022 · January 9, 2019, 2:24pm

I do it somewhat like that but I have a VPN user I have setup and everything that user runs goes through the VPN, which is how I get all my Torrent traffic through the VPN only.

github.com

animosity22/homescripts/blob/master/OPENVPN.MD

# OPENVPN.MD

This is my configuration and setup for my OpenVPN client on my Linux box. My goal is to setup a specific user and route all traffic for that user through the VPN I have setup.

I based a lot of my initial setup on this [guide](https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/) over at HTPCGuides.com and made some adjustments for my configuration that works and met my needs.

## Installation

```bash
apt-get install openvpn sudo apt-utils iptables curl resolvconf -y
cd /etc/openvpn
wget https://github.com/animosity22/homescripts/blob/master/etc/openvpn/openvpn.conf
wget https://github.com/animosity22/homescripts/blob/master/etc/openvpn/iptables.sh
wget https://github.com/animosity22/homescripts/blob/master/etc/openvpn/routing.sh
wget https://github.com/animosity22/homescripts/blob/master/etc/openvpn/update-resolv-conf
```

- Modify the openvpn.conf file and other files to suite your networking needs. My internal network is 192.168.1.0/24 and my server is 192.168.1.30. rTorrent is configured to port forward on 49234 and my iptables rules are configured for that.
- Update login.txt with the proper password information

This file has been truncated. show original

calisro · January 9, 2019, 4:29pm

I do similar except I force all DNS queries to route via iptables instead of adding options into openvpn. I felt it was safer.

# send DNS explicatly for $VPNUSER
iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner $VPNUSER -j DNAT --to-destination 4.2.2.2
iptables -t nat -A OUTPUT -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j DNAT --to-destination 4.2.2.2

Animosity022 · January 9, 2019, 4:34pm

I route all my DNS internally via SSL to get around any of that so no snooping