On 06/19/2018 05:57 AM, Mick wrote:
Actually, I don't know if there is a way to set up multiple nameservers for corresponding name resolution in/out of the tunnel, without using a domain-specific override as you would with dnsmasq and without leaking DNS queries to the ISP if you are meant to be querying the tunnel's nameservers.

My go to solution would be a local DNS server that decides where different queries go.

Yes, those VPN implementations that set up separate routing policy tables help to keep main and 'VPN' rules separate, which is neat and easy to maintain. only contains the route from the local VPN subnet to the remote LAN subnet.

Yep.

Quite. The user (or his VPN client via some NM plugin) is meant to add in this networkmanager IPv4/Route tab the remote LAN subnet(s) and enable "Use only for resources on this connection" in order to set up a split tunnel. Then tun0 will only be used to tunnel connections to these subnets. All other connections to the Internet or local LAN will go outside the tunnel, using the default local gateway.

*nod*

Given Hilco's results I'm surmising an empty table in the NM translates as 0.0.0.0/0 and all connections end up being routed via the VPN stack, but I could be wrong because I don't know what he may have entered in this table.

Agreed.

Yes, but leaving the routes table empty ... it seems to tunnel everything through it ... I don't know without trying it out myself or getting more info on the settings.

Ya. This is unexpected behavior to me. I also don't have a convenient way to reproduce it.

I expect you can set up a subnet here and from this the NM will configure the route accordingly to make it go through the VPN stack.

That is the expected behavior.

IMHO the lack of additional routes means that nothing other than the VPN link itself should be routed through the VPN.

Is this something I can manipulate via resolv.conf on the local PC (without a local resolver) to make sure DNS searches meant for the VPN stack are tunneled to the remote nameservers not leaked outside it?

I don't know of a good way to do this without a local DNS server.

PS. Thanks for your write-up on network namespaces. I'll look into this in more depth when I get a minute, because I would like to contain/isolate desktop applications I inherently mistrust - e.g. Skype.

You're welcome. I'm glad to hear people benefiting from it. Feel free to reach out if you have any questions.



--
Grant. . . .
unix || die
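The two decisions the thread keeps circling are mechanical enough to model offline: which interface a destination takes under a split tunnel built from NM's IPv4 Routes tab, and which upstream resolver a query goes to when a local DNS server (dnsmasq-style `server=/domain/ip` rules) sits in front of the ISP and VPN nameservers, versus a flat `/etc/resolv.conf` that just hands everything to the first listed server. The following is an added example written for this page, not code from either poster or from NetworkManager or dnsmasq; the subnets, nameserver addresses and domain names are constructed, and it opens no sockets, it only reproduces the decision logic so the leak case can be checked.

```python
"""Split-tunnel routing and split-horizon DNS decisions, modelled offline.

Added example (not from the original thread).  Models two things:
  1. longest-prefix routing over the subnets a user would enter in
     NetworkManager's IPv4 -> Routes tab with "Use only for resources on
     this connection" enabled;
  2. a dnsmasq-style 'server=/domain/upstream' resolver choice, compared
     with a flat /etc/resolv.conf that has no per-domain logic.
All addresses and names below are constructed sample data.
"""
import ipaddress

TUN_IF = "tun0"
DEFAULT_IF = "eth0"
# Remote LAN subnets reachable only through the VPN (constructed).
TUNNEL_ROUTES = ["10.8.0.0/24", "192.168.50.0/24"]
# Nameservers: the ISP's outside the tunnel, the VPN's inside (constructed).
ISP_DNS = "203.0.113.53"
VPN_DNS = "10.8.0.1"
# Domains that must only ever be resolved by the VPN nameserver (constructed).
VPN_DOMAINS = ["corp.example", "internal.example"]


def route_iface(dst, routes=TUNNEL_ROUTES, default=DEFAULT_IF, tun=TUN_IF):
    """Longest-prefix match over the tunnel route table.

    A destination inside one of the listed subnets goes via the tunnel;
    anything else uses the default gateway.  With an empty route list this
    model sends nothing via the tunnel, which is the behaviour Mick expects
    from "Use only for resources on this connection".
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return tun if best is not None else default


def ip_route_cmds(routes=TUNNEL_ROUTES, tun=TUN_IF):
    """The equivalent 'ip route add' lines a VPN client/NM plugin would run."""
    return [f"ip route add {cidr} dev {tun}" for cidr in routes]


def dns_upstream(qname, domains=VPN_DOMAINS, vpn_dns=VPN_DNS, isp_dns=ISP_DNS):
    """Choose the upstream the way dnsmasq's server=/domain/ip does.

    A query for the domain itself or any name under it goes to the VPN
    resolver; the longest matching suffix wins; everything else goes to
    the ISP resolver.
    """
    name = qname.rstrip(".").lower()
    best = ""
    for dom in domains:
        dom = dom.strip(".").lower()
        if (name == dom or name.endswith("." + dom)) and len(dom) > len(best):
            best = dom
    return vpn_dns if best else isp_dns


def resolv_conf_upstream(qname, nameservers):
    """A plain stub resolver reading /etc/resolv.conf has no per-domain
    logic: it asks the first listed nameserver regardless of the name."""
    return nameservers[0]


def leaked_queries(qnames, nameservers, domains=VPN_DOMAINS, vpn_dns=VPN_DNS):
    """Names that should reach the VPN resolver but, under a flat
    resolv.conf, would be sent to whatever server is listed first."""
    return [
        q for q in qnames
        if dns_upstream(q, domains) == vpn_dns
        and resolv_conf_upstream(q, nameservers) != vpn_dns
    ]


def dnsmasq_conf(domains=VPN_DOMAINS, vpn_dns=VPN_DNS, isp_dns=ISP_DNS):
    """Render the dnsmasq.conf fragment that implements dns_upstream()."""
    lines = ["# VPN-only domains go to the VPN resolver; everything else to the ISP"]
    lines += [f"server=/{dom}/{vpn_dns}" for dom in domains]
    lines.append(f"server={isp_dns}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dst in ("10.8.0.5", "192.168.50.20", "8.8.8.8"):
        print(dst, "->", route_iface(dst))
    print("\n".join(ip_route_cmds()))
    print(dnsmasq_conf())
    print("leaks with flat resolv.conf:",
          leaked_queries(["www.corp.example", "www.example.com"], [ISP_DNS, VPN_DNS]))
```

The `leaked_queries` check is the concrete form of the question about resolv.conf: with `nameserver 203.0.113.53` listed first, a lookup for `www.corp.example` goes to the ISP even though a VPN route exists for the answer, which is why the reply points at a local resolver rather than resolv.conf ordering.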
