# Multiple default gateways for WAN and VPN

## akabane

Hello,

I would like to use a VPN to tunnel all traffic going to my Apache server.

I have already set up the OpenVPN client and server and it's working great, but I cannot figure out how to tell Apache to use the VPN gateway and all other traffic to use my WAN gateway.

For the moment, when I use the VPN all my traffic goes through it; I would like to tunnel only the Apache server traffic.

Is it possible to do that under Gentoo, and how?

I read that some people achieve this with setfib under FreeBSD (http://forums.freebsd.org/archive/index.php/t-3149.html); is there an equivalent to this tool under Gentoo?

Or can I achieve that with iptables and/or ip route?

Thanks in advance for your answers!

----------

## Yuu

Hi and welcome akabane,

Well, everything is possible with Gentoo :D !

So, if I understand this well, I think you should not set the default route to your VPN's gateway, but to your standard LAN gateway. With this kind of setup, only your WAN connection will be used, because you don't want all applications to use your VPN interface. So, don't use the default in your `route add default via $VPN_GATEWAY dev tun0`.

Then, you should tell Apache to listen only on the VPN interface, with something like `Listen 10.1.2.3:80`, where 10.1.2.3 is your IP inside the VPN (see `ifconfig <VPN interface name>`).

And as I'm not really an expert on network-related topics, I'll let the professionals reply about the technical details.

Nevertheless, good luck ;)

----------

## akabane

 *Yuu wrote:*   

> Hi and welcome akabane,
> 
> Well, everything is possible with Gentoo!
> 
> So, if I understand this well, I think you should not set the default route to your VPN's gateway, but to your standard LAN gateway. With this kind of setup, only your WAN connection will be used, because you don't want all applications to use your VPN interface. So, don't use the default in your `route add default via $VPN_GATEWAY dev tun0`.
> ...

 

First of all, thanks for your answer.

I confirm you clearly understood my problem. I already tried what you suggested, but with no luck:

- I made apache listen only on my tun0 interface.

- I let my default route to the WAN gateway address.

But when a client connects to the Apache server, it answers using the interface tied to the default route and not my tun0 interface.

I think I should define one default route for my WAN and one default route for my VPN, but I cannot manage to do it: the first default route found in the routing table is always taken (which is, from my point of view, logical).

Under FreeBSD you can use two routing tables (one for WAN and one for VPN) and tell your program which table to use with the setfib tool.

Maybe a workaround is to make the routing decision depend on the port used? But I do not know if it is possible... I'm currently investigating the iproute2 tool for that.

I really need that setup and I do not want to be forced to switch to FreeBSD just for that.

I hope a Gentoo network expert will be able to help me :)

Last edited by akabane on Sun Mar 27, 2011 9:12 am; edited 1 time in total

----------
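
What akabane is describing (two routing tables, one per gateway, with the choice made per source address or per port) is what iproute2 calls policy routing: a second table whose only default route points into the tunnel, plus an `ip rule` that sends packets sourced from the tun0 address (or carrying a firewall mark) to that table, while the main table keeps the WAN default route for everything else. The script below is an added example written for this thread, not something posted by any participant. The VPN address 10.1.2.3 is taken from Yuu's suggestion; the tunnel gateway 10.1.2.1, the table number 100 and the interface name tun0 are assumed placeholders. With `DRY_RUN=1` (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: per-source policy routing so that only Apache's replies use
# the VPN. Addresses, interface and table number are assumed placeholders.
set -eu

VPN_IF="${VPN_IF:-tun0}"
VPN_IP="${VPN_IP:-10.1.2.3}"   # assumed: this host's address inside the VPN
VPN_GW="${VPN_GW:-10.1.2.1}"   # assumed: the VPN side of the tunnel
VPN_TABLE="${VPN_TABLE:-100}"  # assumed: an unused routing table id
APACHE_PORT="${APACHE_PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands, 0 = execute them (root)

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Source-based variant: with Apache bound to $VPN_IP (Listen 10.1.2.3:80),
# every reply carries that source address, and the rule below routes such
# packets through a table whose only default route is the tunnel. The main
# table, and therefore every other process, keeps the WAN default route.
policy_route_vpn() {
    run ip route flush table "$VPN_TABLE"
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add from "$VPN_IP" table "$VPN_TABLE" priority 1000
    # Strict reverse-path filtering (1) drops the asymmetric flows this
    # creates; loose mode (2) keeps an anti-spoofing check without breaking it.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.all.rp_filter=2"
}

# Port-based variant: mark locally generated packets whose source port is
# Apache's, and route marked packets through the VPN table. Only sound if the
# clients reach Apache through the VPN: a reply to a client that came in on
# the WAN address would leave tun0 with the WAN source address and be dropped.
mark_by_port() {
    run iptables -t mangle -A OUTPUT -p tcp --sport "$APACHE_PORT" -j MARK --set-mark 1
    run ip rule add fwmark 1 table "$VPN_TABLE" priority 999
}

# What to look at afterwards: the rule order and the content of the VPN table.
show_policy() {
    run ip rule show
    run ip route show table "$VPN_TABLE"
}

# When executed directly with "apply": source-based setup, then show it.
if [ "${1:-}" = apply ]; then
    policy_route_vpn
    show_policy
fi
```

Two practical notes. The "all my traffic goes through the VPN" symptom from the first post is usually the server pushing `redirect-gateway` to the client; the OpenVPN client option `route-nopull` keeps the pushed routes from replacing the WAN default route, so the host's own `ip route`/`ip rule` entries stay in charge. And the `ip rule` entries are not persistent across reboots; put the commands in the OpenVPN `up` script or the interface's post-up hook.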

## Hu

Where is the client which initiates the connection to Apache? Is it on the far end of the VPN? If yes, then the problem is likely that the VPN has not installed routes for all the addresses it exposes to you. For instance, it may have connected you to a 10.0.0.0/8 network, but only installed a /24 route. Could you show the output of `ip r; ip a` as seen from the server? You can obscure your WAN IP if you want.

----------

