I would like a Linux system using OpenVPN client to support: 1) running applications that have network access via OpenVPN tun/tap interface, but no network access via the underlying interface (when OpenVPN interface goes down for any reason and brings down its routes); 2) running applications that have network access only via the underlying interface, even when OpenVPN tun/tap interface is up; 3) chaining OpenVPN clients (tunnel in tunnel).
All this is easily achievable with the help of Linux network namespaces: one just needs to run OpenVPN in the namespace with the underlying interface, but configure tun/tap in another namespace. Then applications in the first namespace will not see OpenVPN at all, and applications in the second namespace will not see the underlying interface; and to chain OpenVPN clients, one just runs the second client in the second namespace with its tun/tap in the third one, and so on.

An almost complete implementation of this idea is available at my fork: https://github.com/OpenVPN/openvpn/compare/dea8917a...orivej:netns . The only thing missing is that redirect_default_route_to_vpn() fails because it "Cannot read current default gateway from system" and I am not sure about the proper fix. (It should just set the new gateway as the default.)

To use OpenVPN with namespaces, just add some, and specify the --dev-netns option. Assuming the VPN server provides internet access:

    ip netns add abc
    openvpn --config CONFIG --dev-netns /run/netns/abc
    # List routes.
    ip -n abc route
    # Add default, as long as redirect_default_route_to_vpn() cannot do it.
    ip -n abc route add default via XXX
    ip netns exec abc ping 8.8.8.8

* * *

I am aware of http://www.naju.se/articles/openvpn-netns and http://www.naju.se/articles/openvpn-netns, but these scripts are very ad-hoc and fragile, e.g. they do not support both tun and tap devices, and their only purpose is to reimplement what do_open_tun() does after the kernel wipes all its work when the interface is moved into another namespace.

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
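Added example, not the poster's code and not part of the fork: for an upstream OpenVPN without --dev-netns, a --route-up script that redoes the do_open_tun() work inside the target namespace after the move, handling both tun (net30 and subnet topology) and tap, plus the default route the post adds by hand. It assumes OpenVPN is started with --script-security 2 --ifconfig-noexec --route-noexec --route-up and that a hypothetical NETNS environment variable names the namespace.

```shell
#!/bin/sh
# Added example (not from the original post or the fork): an OpenVPN
# --route-up script that moves the tun/tap device into a target namespace
# and redoes the addressing and routing the kernel drops on the move.
# Assumes OpenVPN is started with
#   --script-security 2 --ifconfig-noexec --route-noexec --route-up <this file>
# and the namespace name in the hypothetical NETNS environment variable.
# DRY_RUN=1 prints the ip(8) commands instead of executing them.
set -eu

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Dotted netmask to prefix length, e.g. 255.255.255.0 -> 24 (POSIX sh,
# subshell body so the IFS change does not leak).
mask2cidr() (
    n=0; IFS=.
    for o in $1; do
        case $o in
        255) n=$((n+8)) ;; 254) n=$((n+7)) ;; 252) n=$((n+6)) ;; 248) n=$((n+5)) ;;
        240) n=$((n+4)) ;; 224) n=$((n+3)) ;; 192) n=$((n+2)) ;; 128) n=$((n+1)) ;;
        0) ;; *) return 1 ;;
        esac
    done
    echo "$n"
)

# Uses the variables OpenVPN exports to scripts: dev, dev_type, tun_mtu,
# ifconfig_local, ifconfig_remote, ifconfig_netmask, route_vpn_gateway.
netns_up() {
    ns=$1
    run ip link set "$dev" netns "$ns"          # kernel wipes addresses/routes here
    run ip -n "$ns" link set "$dev" mtu "${tun_mtu:-1500}" up
    if [ "${dev_type:-tun}" = tun ] && [ -z "${ifconfig_netmask:-}" ]; then
        # --topology net30/p2p: point-to-point address pair
        run ip -n "$ns" addr add "$ifconfig_local" peer "$ifconfig_remote" dev "$dev"
    else
        # tap, or tun with --topology subnet: address plus netmask
        run ip -n "$ns" addr add "$ifconfig_local/$(mask2cidr "$ifconfig_netmask")" dev "$dev"
    fi
    # Default route through the VPN inside the namespace (the step the post
    # does by hand with 'ip -n abc route add default via XXX').
    if [ -n "${route_vpn_gateway:-}" ]; then
        run ip -n "$ns" route add default via "$route_vpn_gateway" dev "$dev"
    fi
}

# Entry point when OpenVPN invokes the script; a no-op when NETNS is unset.
if [ -n "${NETNS:-}" ]; then netns_up "$NETNS"; fi
```

Applications in the underlying namespace never see the VPN device, and those in NETNS lose all connectivity when the device goes away, which is the isolation the post asks for.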