VPN over one interface, everything else over another

So guys, I need help from all you fancy IP-Tables and Routing experts ;)!

I have the following situation:
I’m using my notebook to go to customers. I then often just connect my notebook to their internal network and use it to access the internet. However my mails etc. are stored on a central server in my office, which I can access using VPN.
My problem is that I often can’t build the VPN tunnel, or it disconnects all the time when I use the customer’s network. However - no problem - I have a UMTS card which I then use to connect to my office using the VPN tunnel.
However, as soon as I do that, all traffic to the “normal” Internet also uses my UMTS card, which I do not want.

So how can I tell the Network-Stack to use my UMTS card only for the VPN traffic, and for the rest use the normal ethernet?

Any help would be appreciated :)

On Thu, 2008-08-14 at 07:36 +0000, Viras wrote:
> So guys, I need help from all you fancy IP-Tables and Routing experts
> ;)!
>
> I have the following situation:
> I’m using my notebook to go to customers. I then often just connect my
> notebook to their internal network and use it to access the internet.
> However my mails etc. are stored on a central server in my office,
> which I can access using VPN.
> My problem is that I often can’t build the VPN tunnel, or it
> disconnects all the time when I use the customer’s network. However - no
> problem - I have a UMTS card which I then use to connect to my office
> using the VPN tunnel.
> However, as soon as I do that, all traffic to the “normal” Internet
> also uses my UMTS card, which I do not want.
>
> So how can I tell the Network-Stack to use my UMTS card only for the
> VPN traffic, and for the rest use the normal ethernet?

One easy cheat is to define a proxy on your network and use that.
That’s pretty simple anyhow.

>
> Any help would be appreciated :)

Even doing what I just said constitutes a security violation
for many companies and is considered “split” tunneling under
VPN.

Sounds like you are dealing with a default route being set to the tunnel as soon as the UMTS card dials in.

  • Your tunnel-network is not allowed to be default gateway
  • Your UMTS card is not allowed to be default gateway

Have you tried to simply add a route for the company network to the company-connected network card?

Well what I tried is the following:

route add default gw 10.64.1.201

10.64.1.201 is the default gw of the company network. However as soon as I do that, I can’t use my UMTS card for the VPN anymore :)!

On Thu, 21 Aug 2008 07:26:01 GMT
Viras <Viras@no-mx.forums.opensuse.org> wrote:

>
> Well what I tried is the following:
>
> route add default gw 10.64.1.201
>
> 10.64.1.201 is the default gw of the company network. However as soon
> as I do that, I can’t use my UMTS card for the VPN anymore :)!
>
>

You don’t want it to be your ‘default’ gateway.

route add gw 10.64.1.0 dev [network vpn device]

This leaves the ‘normal’ routing alone, so that everything goes to their
networks as expected, with the exception of packets for the 10.64.1.x network, which get sent to the vpn network.

Loni


L R Nix
lornix@lornix.com
man pages!

On Fri, 22 Aug 2008 03:41:03 GMT
L R Nix <lornix@lornix.com> wrote:

> On Thu, 21 Aug 2008 07:26:01 GMT
> Viras <Viras@no-mx.forums.opensuse.org> wrote:
>
> >
> > Well what I tried is the following:
> >
> > route add default gw 10.64.1.201
> >
> > 10.64.1.201 is the default gw of the company network. However as soon
> > as I do that, I can’t use my UMTS card for the VPN anymore :)!
> >
> >
>
> You don’t want it to be your ‘default’ gateway.
>
> route add gw 10.64.1.0 dev [network vpn device]
>
> This leaves the ‘normal’ routing alone, so that everything goes to their
> networks as expected, with the exception of packets for the 10.64.1.x
> network, which get sent to the vpn network.
>
> Loni
>

Whoops, read that backwards. Put the IP address of your UMTS network in the
command instead.

Loni


L R Nix
lornix@lornix.com
Darnit Jim! I can’t read!

So you brought me to the right direction. But it wasn’t exactly what I was looking for. However with your tip I got it working. Here is how:

  • I connected my notebook to the local network. Now I have access to the Inet and the local net.
  • Plugged in my UMTS card, dialed in. Now I have access to the internal network and the internet, but using my UMTS card.
  • I deleted the default gw (“route del default”)
  • I added the default gw of the local network (“route add default gw IP”)
  • I added a route to the VPN-Endpoint in my office (“route add IP dev modem0”)

Voilà, that’s it. Now all traffic to my VPN runs through the UMTS card, everything else uses the local network :)!

Thanks again for the help!
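To show why the final set of routes works while the earlier `route add default gw` attempt did not, here is an added simulation (not code from the thread) of the kernel's longest-prefix-match route selection over the two routing tables. The LAN gateway 10.64.1.201 and the device name modem0 come from the thread; eth0, the VPN endpoint 203.0.113.10 and the internet host 198.51.100.5 are constructed placeholders.

```python
# Simulated route selection for the thread's fix: longest prefix wins,
# lowest metric breaks ties, so only the VPN endpoint is pinned to modem0.
import ipaddress

def lookup(table, dst):
    """Return (dev, gw) the table would use for dst, or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev, gw, metric in table:
        net = ipaddress.ip_network(net)
        if dst not in net:
            continue
        key = (net.prefixlen, -metric)      # more specific, then cheaper, wins
        if best is None or key > best[0]:
            best = (key, dev, gw)
    return None if best is None else (best[1], best[2])

# From the thread: LAN gateway 10.64.1.201, UMTS device modem0.
# Constructed: eth0 = LAN card, 203.0.113.10 = office VPN endpoint.
LAN_GW = "10.64.1.201"
VPN_ENDPOINT = "203.0.113.10"

# Table right after the UMTS card dials in: the dial-in installs a default
# route with a better metric, so even plain internet traffic leaves via modem0.
AFTER_DIALIN = [
    ("10.64.1.0/24", "eth0", None, 100),
    ("0.0.0.0/0", "modem0", None, 10),      # installed by the dial-in
    ("0.0.0.0/0", "eth0", LAN_GW, 100),
]

# Table after the last post's steps: default back on the LAN, plus one /32
# host route so that only packets to the VPN endpoint use the UMTS link.
FIXED = [
    ("10.64.1.0/24", "eth0", None, 100),
    ("0.0.0.0/0", "eth0", LAN_GW, 100),
    (VPN_ENDPOINT + "/32", "modem0", None, 0),
]

def ip_route_commands():
    """iproute2 equivalents of the three route commands in the last post."""
    return [
        "ip route del default",
        f"ip route add default via {LAN_GW} dev eth0",
        f"ip route add {VPN_ENDPOINT}/32 dev modem0",
    ]

if __name__ == "__main__":
    for dst in (VPN_ENDPOINT, "198.51.100.5", "10.64.1.50"):
        print(dst, "before:", lookup(AFTER_DIALIN, dst), "after:", lookup(FIXED, dst))
```

On the real machine, `ip route get 203.0.113.10` (with the real endpoint address) confirms the host route is chosen before the VPN client is started. If the VPN client later installs its own default route through the tunnel, everything moves back into the tunnel and the check has to be repeated.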