On Wed, 14 Oct 2015 12:52:19 -0400, Selva Nair wrote:

> To test, keep it simple -- try with just one IP directly specified in
> the rule
>
> # iptables -t mangle -I OUTPUT -d 8.8.8.8/32 -j MARK --set-mark 200
>
> (to work locally this has to be in the OUTPUT chain -- see below)
>
> # ip rule add fwmark 200 table openvpn
>
> # ip rule show (make sure there are no rules that may override this
> one)
>
> # ip route flush table openvpn
> # ip route add default via <VPN-remote-IP-here> dev <vpn-tun-dev-here> table openvpn
>
> # ip route list table openvpn
>
> (review the route to be sure..)
>
> Test the routing with and without this one in place
I've done all the above steps just as you told above. Finally, I give the results here:

1- Without the route in table openvpn:

$ ip route show table openvpn
$

This will let the routing to 8.8.8.8 go via my default route on eth0, i.e., 192.168.0.1:

$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.563 ms  0.776 ms  1.006 ms
 2  10.136.3.254 (10.136.3.254)  2.836 ms  3.067 ms  3.384 ms
 3  10.136.255.252 (10.136.255.252)  2.878 ms  3.117 ms  3.343 ms
 4  10.241.255.250 (10.241.255.250)  3.594 ms  3.586 ms  3.814 ms
 5  10.255.255.248 (10.255.255.248)  3.066 ms  3.299 ms  3.533 ms
 6  60.6.238.1 (60.6.238.1)  4.185 ms  2.177 ms  7.459 ms
 7  60.6.37.37 (60.6.37.37)  7.722 ms  7.731 ms  7.718 ms
 8  60.6.43.133 (60.6.43.133)  7.309 ms 60.6.43.137 (60.6.43.137)  7.256 ms 60.6.39.249 (60.6.39.249)  7.261 ms
 9  61.182.179.25 (61.182.179.25)  31.483 ms 61.182.178.233 (61.182.178.233)  31.455 ms 61.182.179.25 (61.182.179.25)  31.465 ms
10  219.158.104.33 (219.158.104.33)  48.091 ms  48.288 ms  48.280 ms
11  219.158.11.34 (219.158.11.34)  57.035 ms 219.158.11.74 (219.158.11.74)  52.226 ms 219.158.96.226 (219.158.96.226)  131.646 ms
12  219.158.96.250 (219.158.96.250)  49.595 ms 219.158.19.77 (219.158.19.77)  82.537 ms 219.158.97.18 (219.158.97.18)  121.657 ms
13  219.158.3.238 (219.158.3.238)  141.312 ms  77.164 ms 219.158.102.122 (219.158.102.122)  49.565 ms
14  72.14.215.130 (72.14.215.130)  50.217 ms  69.257 ms  55.246 ms
15  209.85.248.60 (209.85.248.60)  63.849 ms  63.350 ms  55.446 ms
16  216.239.40.11 (216.239.40.11)  119.944 ms 209.85.142.185 (209.85.142.185)  128.612 ms 216.239.40.13 (216.239.40.13)  129.945 ms
17  209.85.253.89 (209.85.253.89)  143.922 ms 216.239.47.157 (216.239.47.157)  81.569 ms  81.157 ms
18  209.85.243.23 (209.85.243.23)  82.409 ms  82.655 ms 209.85.243.21 (209.85.243.21)  145.775 ms
19  * * *
20  google-public-dns-a.google.com (8.8.8.8)  156.322 ms  146.674 ms  177.636 ms
werner@debian-01:~$

2- With the route in table openvpn:

$ ip route show table openvpn
default via 10.211.1.34 dev tun-gfwlist

This time the following command will give nothing:

$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

See my other configurations:

$ ip rule show
0:	from all lookup local
32765:	from all fwmark 0xc8 lookup openvpn
32766:	from all lookup main
32767:	from all lookup default

$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Thu Oct 15 20:12:51 2015
*mangle
:PREROUTING ACCEPT [15372:2097840]
:INPUT ACCEPT [15372:2097840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23979:4105056]
:POSTROUTING ACCEPT [23979:4105056]
-A PREROUTING -i eth0 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i tun0 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i tun0 -j MARK --set-xmark 0x0/0xffffffff
-A OUTPUT -d 8.8.8.8/32 -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
# Completed on Thu Oct 15 20:12:51 2015
# Generated by iptables-save v1.4.21 on Thu Oct 15 20:12:51 2015
*filter
:INPUT ACCEPT [24931:7199518]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34265:5857128]
COMMIT
# Completed on Thu Oct 15 20:12:51 2015

$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr 0c:c4:7a:6a:f7:f0
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10602 errors:0 dropped:3 overruns:0 frame:0
          TX packets:19824 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3918823 (3.7 MiB)  TX bytes:4636215 (4.4 MiB)
          Memory:de200000-de27ffff

eth1      Link encap:Ethernet  HWaddr 0c:c4:7a:6a:f7:f1
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:de100000-de17ffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:11343 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11343 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1158233 (1.1 MiB)  TX bytes:1158233 (1.1 MiB)

tun-gfwlist Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.211.1.33  P-t-P:10.211.1.34  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:611 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:191187 (186.7 KiB)  TX bytes:5400 (5.2 KiB)

Furthermore, the following command will fail:

$ dig twitter.com @8.8.8.8

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> twitter.com @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached

It's well known that 8.8.8.8 is Google's public DNS server. If I do the following flush command:

$ sudo ip route flush table openvpn

then the dig command will show as follows:

$ dig twitter.com @8.8.8.8

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> twitter.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;twitter.com.			IN	A

;; ANSWER SECTION:
twitter.com.		2900	IN	A	159.106.121.75

;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 15 20:16:07 CST 2015
;; MSG SIZE  rcvd: 56

This resolution result is erroneous due to the GFW's DNS poisoning in China.

But I can get the correct result as follows:

$ dig twitter.com @8.8.8.8 +tcp

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> twitter.com @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28998
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;twitter.com.			IN	A

;; ANSWER SECTION:
twitter.com.		48	IN	A	104.244.42.1
twitter.com.		48	IN	A	104.244.42.129

;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 15 20:19:14 CST 2015
;; MSG SIZE  rcvd: 72

Any hints for the above issues?

Regards
--
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
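As an added example (not code from this thread or from OpenVPN), a POSIX sh script that cross-checks the three links the setup above depends on: the mangle OUTPUT mark for the destination, the ip rule keyed on that mark, and the default route in the table the rule names. It runs over constructed sample lines modelled on the poster's output; the SAMPLE_* variables, the function names and the 1.1.1.1 test destination are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. The sample lines are constructed to
# mirror the poster's output; on a live host feed in the real `ip rule show`,
# `iptables-save -t mangle` and `ip route show table openvpn` output instead.
SAMPLE_RULES='0:	from all lookup local
32765:	from all fwmark 0xc8 lookup openvpn
32766:	from all lookup main
32767:	from all lookup default'
SAMPLE_MANGLE='-A PREROUTING -i eth0 -j MARK --set-xmark 0x0/0xffffffff
-A OUTPUT -d 8.8.8.8/32 -j MARK --set-xmark 0xc8/0xffffffff'
SAMPLE_TABLE_OPENVPN='default via 10.211.1.34 dev tun-gfwlist'

# iptables --set-mark takes decimal but ip rule and iptables-save print hex,
# so the 200 from the instructions has to be compared as 0xc8.
mark_hex() { printf '0x%x\n' "$1"; }

# Hex mark that the mangle OUTPUT chain sets for destination $1. Locally
# generated packets only traverse OUTPUT, so the PREROUTING rules are ignored.
mark_for_dst() {
    printf '%s\n' "$SAMPLE_MANGLE" | awk -v dst="$1" '
        $2 == "OUTPUT" && $3 == "-d" && $4 == dst { split($8, m, "/"); print m[1]; exit }'
}

# Routing table selected by the first ip rule matching hex mark $1.
table_for_mark() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v mark="$1" '
        index($0, "fwmark " mark " ") { print $NF; exit }'
}

# Egress device of the default route in table $1; prints nothing when the table
# is unknown or empty (the "without the route" case above).
default_dev_in_table() {
    [ "$1" = openvpn ] && printf '%s\n' "$SAMPLE_TABLE_OPENVPN" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1); exit }'
    return 0
}

# Follow mark -> rule -> table for destination $1 and print the device marked
# traffic will leave on; on a break in the chain, say which link is missing.
check_policy_route() {
    mark=$(mark_for_dst "$1")
    [ -n "$mark" ] || { echo "no mangle OUTPUT MARK rule for $1" >&2; return 1; }
    table=$(table_for_mark "$mark")
    [ -n "$table" ] || { echo "no ip rule for fwmark $mark" >&2; return 1; }
    dev=$(default_dev_in_table "$table")
    [ -n "$dev" ] || { echo "table $table has no default route" >&2; return 1; }
    echo "$dev"
}

check_policy_route 8.8.8.8/32 && mark_hex 200
```

Once the chain checks out on the live host, `ip route get 8.8.8.8 mark 200` shows the device and source address the kernel actually picks for the marked packet, which is the next thing to compare against the tun-gfwlist address shown above.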