ref: b609977fb14b1f6da23d14a3537b24a1621a7a56 vpn-documentation/SOURCE_ROUTING.md -rw-r--r-- 4.5 KiB
b609977fFrançois Kooman additional comments 4 months ago

#title: Source Routing description: Setup Source/Policy Routing category: advanced


There are a number of situations to do source routing or policy routing.

  1. You already have a dedicated NAT router, i.e. CGNAT ("Carrier Grade NAT");
  2. You have a (layer 2) connection to the target location from your VPN box where the VPN traffic needs to be sent over, i.e. when the VPN server is located outside the network where the traffic needs to go.

These require that you do not send the traffic from the VPN clients over the VPN server's default gateway.

Luckily, it is relatively easy to fix. We document this for CentOS (and Fedora). We created a physical test setup similar to what you see below.

                          | Router |
                               |            |
      .--------.          .--------.
      | Client |--------->| Switch |<-------------------------.
      '--------'          '--------'                          |
  VPN IP:           ^                              |
                               |                              |
                               |                              |
        |       |
                        .------------.                     .-----.
                        | VPN Server |-------------------->| NAT |
                        '------------'                     '-----'


  1. Your VPN clients get IP addresses assigned from the and fd00:4242:4242:4242::/64 pools, the VPN server has and fd00:4242:4242:4242::1 on the tun0 device;
  2. A network connection between the VPN box and the NAT router exists through another interface, e.g. eth1:
    • the VPN box has the IP addresses and fd00:1010:1010:1010::100 on this network;
    • the remote NAT router has the IP addresses and fd00:1010:1010:1010::1 on this network;
  3. You installed the VPN server using deploy_centos.sh or deploy_fedora.sh.
  4. The network where you route your client traffic over has static routes back to your VPN server:
    • There is an IPv4 static route for via;
    • There is an IPv6 static route for fd00:4242:4242:4242::/64 via fd00:1010:1010:1010::100;

#Source Routing

We'll need to add a new routing table in /etc/iproute2/rt_tables, e.g.:

200     vpn


First we test it manually, before making these rules permanent:

$ sudo ip -4 rule add to lookup main
$ sudo ip -4 rule add from lookup vpn
$ sudo ip -6 rule add to fd00:4242:4242:4242::/64 lookup main
$ sudo ip -6 rule add from fd00:4242:4242:4242::/64 lookup vpn

The to rules are needed to make sure traffic between VPN clients uses the main table so traffic between VPN clients remains possible (if allowed by the firewall).


First we test it manually before making these routes permanent:

$ sudo ip -4 ro add default via table vpn
$ sudo ip -6 ro add default via fd00:1010:1010:1010::1 table vpn

#Making it permanent

# echo 'to lookup main' >/etc/sysconfig/network-scripts/rule-eth1
# echo 'from lookup vpn' >/etc/sysconfig/network-scripts/rule-eth1
# echo 'to fd00:4242:4242:4242::/64 lookup main' >/etc/sysconfig/network-scripts/rule6-eth1
# echo 'from fd00:4242:4242:4242::/64 lookup vpn' >/etc/sysconfig/network-scripts/rule6-eth1
# echo 'default via table vpn' > /etc/sysconfig/network-scripts/route-eth1
# echo 'default via fd00:1010:1010:1010::1 table vpn' > /etc/sysconfig/network-scripts/route6-eth1

When you use NetworkManager you need to install the package NetworkManager-dispatcher-routing-rules.noarch.

It is smart to reboot your system to see if all comes up as expected:

$ ip -4 rule show table vpn
32765:	from lookup vpn 
$ ip -4 ro show table vpn
default via dev eth1 
$ ip -6 rule show table vpn
32765:	from fd00:4242:4242:4242::/64 lookup vpn 
$ ip -6 ro show table vpn
default via fd00:1010:1010:1010::1 dev eth1 metric 1024 pref medium


See the firewall documentation on how to update your firewall as needed.