[Ubuntu 16.04] Trying to bypass VPN using iptables


#1

Hi,

I have a mounted folder and an OpenVPN client setup on a new Ubuntu install. Everything’s working well, but I’m trying to get rclone to bypass the VPN. I have the following script in place that bypasses the VPN for certain ports, but rclone looks to use random ports. Is there a way to define the port range for rclone to use, or setup a rule based on the process that’s opening the port? Any help would be greatly appreciated!

# ---ENABLING KERNEL OPTIONS
sudo sysctl -w net.ipv4.conf.ens3.rp_filter=0
sudo sysctl -w net.ipv4.conf.tun0.rp_filter=0
sudo sysctl -w net.ipv4.conf.all.rp_filter=0
sudo sysctl -w net.ipv4.conf.default.rp_filter=0
sudo sysctl -w net.ipv4.conf.lo.rp_filter=0 

sudo sysctl -w net.ipv4.conf.all.forwarding=1
sudo sysctl -w net.ipv4.conf.default.forwarding=1
sudo sysctl -w net.ipv4.conf.ens3.forwarding=1
sudo sysctl -w net.ipv4.conf.lo.forwarding=1
sudo sysctl -w net.ipv4.conf.tun0.forwarding=1

sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.default.forwarding=1
sudo sysctl -w net.ipv6.conf.ens3.forwarding=1
sudo sysctl -w net.ipv6.conf.lo.forwarding=1
sudo sysctl -w net.ipv6.conf.tun0.forwarding=1

sudo sysctl -w net.ipv4.tcp_fwmark_accept=1

# ---CLEAR ALL FIREWALL RULES
iptables -F
iptables -t mangle -F
iptables -t nat -F

# ---FLUSH EXISTING TABLE 101 + cache
ip route flush table 101
ip route flush cache

#--- DEL IF EXISTS AND ADD RULE
ip rule del fwmark 2 table 101
ip rule add fwmark 2 table 101

#--- CREATE TABLE 101
ip route add table 101 default via 192.168.0.1 dev ens3
ip route add table 101 192.168.0.0/24 dev ens3  proto kernel  scope link  src 192.168.0.144

#---  PORT FORWARD TO TABLE 101

# SETTING MASQUERADE FOR OUTPUT
iptables --table nat --append POSTROUTING -o ens3 -j MASQUERADE

# VPN BYPASS!
# SSH
iptables -t mangle -A PREROUTING -p tcp --dport 22             -j MARK --set-mark 2

# PLEX
iptables -t mangle -A OUTPUT     -p tcp --dport  32400         -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport  32400         -j MARK --set-mark 2

# HTTP S
iptables -t mangle -A PREROUTING -p tcp --dport 80             -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 443            -j MARK --set-mark 2

# FTP
iptables -t mangle -A PREROUTING -p tcp --dport 21             -j MARK --set-mark 2

# YOU NEED TO SET UP MIN/MAX PORT IN VSFTPD
iptables -t mangle -A PREROUTING -p tcp --dport 13000:13100    -j MARK --set-mark 2
iptables -t mangle -A OUTPUT     -p tcp --sport 21             -j MARK --set-mark 2

#DELUGE LOCAL only from LOCAL NETWORK IPs
iptables -t mangle -A PREROUTING -p tcp --dport 58846   -s 192.168.0.0/24        -j MARK --set-mark 2

# DELUGE WEB GUI
iptables -t mangle -A PREROUTING -p tcp --dport 8112             -j MARK --set-mark 2

#2

You could run rclone as a separate user and then mark traffic from that user in iptables however you like.

iptables -t mangle -A OUTPUT ! --dest $LANIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x2


#3

That is a great idea.

You could alternatively work out what the IPs of the cloud providers you are using are and bypass traffic to those. Do a run of rclone and check netstat -tuanp | grep rclone to see. Some cloud providers use multiple IPs, so it might take a few tries to get them all.
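The IP-harvesting approach in the post above, written out as an added example (not code from the thread): a helper that reads a netstat -tuanp listing, pulls the distinct remote addresses one program is talking to, and turns them into idempotent fwmark rules. The listing is constructed sample output using documentation address ranges; the program name "rclone" and mark 2 are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses `netstat -tuanp` output and
# builds mark rules for the remote addresses one program connects to.
# SAMPLE_NETSTAT is constructed sample output; 203.0.113.x are documentation
# addresses, not real cloud endpoints.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.8.0.6:51234          203.0.113.10:443        ESTABLISHED 1234/rclone
tcp        0      0 10.8.0.6:51236          203.0.113.11:443        ESTABLISHED 1234/rclone
tcp        0      0 10.8.0.6:51240          203.0.113.10:443        ESTABLISHED 1234/rclone
tcp        0      0 192.168.0.144:22        192.168.0.20:54321      ESTABLISHED 900/sshd
tcp6       0      0 :::8112                 :::*                    LISTEN      1500/python
udp        0      0 0.0.0.0:68              0.0.0.0:*                           800/dhclient'

# peer_ips PROGRAM: read netstat -tuanp output on stdin and print each distinct
# remote address that PROGRAM has a connection to, one per line, sorted.
peer_ips() {
    awk -v prog="$1" '
        # the PID/Program column is always last, even when State is blank (UDP)
        $NF ~ ("/" prog "$") && $5 != "" {
            peer = $5
            sub(/:[^:]*$/, "", peer)          # drop the port, keep IPv6 colons
            # skip listeners (wildcard peers) and addresses already seen
            if (peer != "" && peer !~ /^(0\.0\.0\.0|::)$/ && !(peer in seen)) {
                seen[peer] = 1
                print peer
            }
        }' | sort
}

# peer_rules PROGRAM MARK: emit one mangle OUTPUT rule per remote address,
# guarded by -C so re-running the script does not append duplicate rules.
peer_rules() {
    peer_ips "$1" | while read -r ip; do
        case $ip in
            *:*) cmd=ip6tables ;;   # IPv6 peers must go through ip6tables
            *)   cmd=iptables ;;
        esac
        spec="OUTPUT -d $ip -j MARK --set-mark $2"
        printf '%s -t mangle -C %s 2>/dev/null || %s -t mangle -A %s\n' \
            "$cmd" "$spec" "$cmd" "$spec"
    done
}

# Stand-alone run: parse the constructed sample and print the rules instead of
# applying them. On a real host: netstat -tuanp | peer_rules rclone 2 | sh
peer_rules_from_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | peer_rules rclone 2
}

peer_rules_from_sample
```

Because the rules are printed rather than applied, the list can be reviewed before it is piped to sh as root. As the post notes, the address set changes over time, so this needs re-running after a while; the per-user owner match from post #2 does not have that problem.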


#4

Thank you both for the help! I got it working by:

  1. Making a new “rclone” user and using it to mount rclone.

  2. Adding the following into my original script:

    iptables -t mangle -A OUTPUT -m owner --uid-owner rclone -j MARK --set-mark 2
    iptables -t mangle -A PREROUTING -p tcp --dport 433 -j MARK --set-mark 2

My bandwidth while using rclone just jumped from 5 MB/s to 30 MB/s!


#6

You can find a bunch of good guides on the Internet. And I believe you can find a whole site dedicated to the topic. Here’s the link, for instance.


#7

Thanks, buddy, for sharing this helpful source.
However, you can visit: https://www.linuxquestions.org/questions/linux-networking-3/selective-routing-[to-bypass-vpn-for-most]-4175501958/ , it may help you.

But if you are facing problems choosing the right VPN you can visit: https://www.reviewsdir.com


#8

I do it somewhat like that, but I have a VPN user I have set up, and everything that user runs goes through the VPN, which is how I get all my torrent traffic through the VPN only.


#9

I do similar except I force all DNS queries to route via iptables instead of adding options into openvpn. I felt it was safer.

# send DNS explicitly for $VPNUSER
iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner $VPNUSER -j DNAT --to-destination 4.2.2.2
iptables -t nat -A OUTPUT -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j DNAT --to-destination 4.2.2.2
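The per-user bypass from posts #2 and #4 and the per-user DNS pinning from post #9, combined into one script as an added example (not code from the thread). It assumes the values from post #1 (user "rclone", fwmark 2, table 101, ens3 with address 192.168.0.144 behind gateway 192.168.0.1) and the 4.2.2.2 resolver from post #9. It prints the commands by default and only executes them when DRY_RUN=0 is set and it is run as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the owner-based VPN bypass
# (posts #2/#4) and per-user DNS pinning (post #9) as a reviewable rule list.
# All addresses, names and numbers are assumptions taken from the thread.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else sh -c "$*"; fi
}

# rule_once TABLE RULE...: append RULE to TABLE only if it is not already there,
# so the script can be re-run without piling up duplicate rules.
rule_once() {
    table=$1; shift
    run "iptables -t $table -C $* 2>/dev/null || iptables -t $table -A $*"
}

# user_bypass USER MARK TABLE IFACE GATEWAY LOCAL_IP LAN_CIDR
user_bypass() {
    user=$1; mark=$2; table=$3; iface=$4; gw=$5; local_ip=$6; lan=$7
    # reply packets of marked sockets keep the mark, and rp_filter must not
    # drop the asymmetric path (VPN default route vs. replies on IFACE)
    run "sysctl -w net.ipv4.tcp_fwmark_accept=1"
    run "sysctl -w net.ipv4.conf.$iface.rp_filter=0"
    # policy routing: packets carrying MARK consult TABLE, which exits via IFACE
    run "ip rule del fwmark $mark table $table 2>/dev/null; ip rule add fwmark $mark table $table"
    run "ip route replace table $table default via $gw dev $iface"
    run "ip route replace table $table $lan dev $iface scope link src $local_ip"
    # owner matching only exists in OUTPUT (locally generated traffic); marking
    # there triggers a re-route, and MASQUERADE replaces the source address that
    # was chosen when the packet was still headed for the VPN route
    rule_once mangle "OUTPUT ! -d $lan -m owner --uid-owner $user -j MARK --set-mark $mark"
    rule_once nat "POSTROUTING -o $iface -j MASQUERADE"
}

# user_dns USER RESOLVER: redirect USER's DNS to RESOLVER regardless of what
# resolv.conf or the VPN pushed, for both UDP and TCP port 53
user_dns() {
    user=$1; resolver=$2
    for proto in udp tcp; do
        rule_once nat "OUTPUT -p $proto --dport 53 -m owner --uid-owner $user -j DNAT --to-destination $resolver"
    done
}

# Stand-alone run: print the whole rule set for the assumed values.
user_bypass rclone 2 101 ens3 192.168.0.1 192.168.0.144 192.168.0.0/24
user_dns rclone 4.2.2.2
```

After applying, ip route get 198.51.100.1 mark 2 should report dev ens3 while the same lookup without mark reports the VPN interface, which confirms the table and rule without sending any traffic. Note that the DNS resolver chosen here is outside the LAN, so for the rclone user it is reached through the bypass in clear text, which is the trade-off post #9 accepts.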

#10

I route all my DNS internally via SSL to get around any of that so no snooping :slight_smile: