# partial vpn?

## logik3x

Hey, I have a box behind a NAT layer that I can't configure and I need to get access to http/ftp/vnc on that box. I have a router at home running openwrt with openvpn on it and I was thinking of connecting that box to that vpn, but I have limited bandwidth on that router and ftp/bittorrent (on the box) traffic shall not go through the vpn... is there a way to have a partial vpn (some ports?) or should I have an ssh tunnel always connected to that router?

The box is mainly used for torrents and file storage, meaning that I need to have access to either vnc or the webui of the torrent client (I use azureus because I need ssl and special encryption to bypass bandwidth shaping)...

Any suggestions are welcome... :)

----------

## mahdi1234

I have something like that on my laptop: when connected to the vpn, only traffic to particular IPs in the internal network goes through tun0 and the rest via eth0.

I'm using dnsmasq for it. You need to adjust the start section in /etc/init.d/dnsmasq:

```
start() {
        ebegin "Starting ${SVCNAME}"
        # ${VAR="default"} assigns the default only if DNSMASQ_OPTS is unset,
        # i.e. nothing was configured in /etc/conf.d/dnsmasq; the expansion is
        # left unquoted on purpose so "-S" and its argument stay two words
        start-stop-daemon --start --exec /usr/sbin/dnsmasq \
            --pidfile /var/run/dnsmasq.pid \
            -- -x /var/run/dnsmasq.pid ${DNSMASQ_OPTS="-S /.xxx.domain.com/146.248.1.230"}
        eend $?
}
```

Where -S /.xxx.domain.com/146.248.1.230 is actually saying that traffic to xxx.domain.com and to ip 146.248.1.230 should be routed.

You also need to adjust the routes once in the vpn so it can recognize your default router; here's my example:

```
$ cat /etc/vpn-connect
#!/bin/bash
# Gentoo helper functions (ebegin/eend/einfo)
source /sbin/functions.sh

ebegin "Connecting to the VPN"
vpnc
eend $?

ebegin "Modifying the routing table"
# vpnc replaces the default route with one via tun0; put the home router
# back as default and send only the two internal networks through tun0
route del default 2>/dev/null
route add default gw 192.168.0.1
route add -net 146.248.18.0 netmask 255.255.255.0 dev tun0
route add -net 146.248.1.0 netmask 255.255.255.0 dev tun0
eend $?

einfo "Press any key to disconnect ..."
# wait for a single keypress (read needs a variable name, not its expansion)
read -r -n 1 -s disconnect

ebegin "Disconnecting from the VPN"
vpnc-disconnect
eend $?

ebegin "Reconfiguring the default routing table"
# make sure the default route points at the home router again
route del default 2>/dev/null
route add default gw 192.168.0.1
eend $?
```

Hope this helps and can be applied to your situation with some adjustments.

----------

## logik3x

That wouldn't solve my problem, as it's IP based, not port based... :/ Anyone?

----------

## cool_smile

I don't know how to solve your problem using a VPN. But if you have access to a box behind the NAT, you can "open" ports to your box, like e.g. Skype does.

Unfortunately, I only know a German article, http://www.heise.de/security/artikel/82054/0, about this topic. But I can give you the name of this technique: "UDP Hole Punching". According to heise.de, it works with TCP too, but it is more complicated:

> Establishing a TCP connection this way does not work straight away, however, because Alice does not know the sequence number Bob sent in his first packet.

(page 2; my approximate translation of the German original. It is about the connection between Alice and Bob.)

If somebody has a better translation, please correct me (I'm a native German speaker).

I hope this can help you .. :)

----------
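The rendezvous exchange behind "UDP Hole Punching", as an added example that is not from this thread or from the heise article: a Python script simulating a rendezvous server and two peers on 127.0.0.1. There is no NAT on loopback, so what it shows is the message flow (register, learn the other side's endpoint as the server observed it, send outbound first so a NAT would have a mapping, then receive), not the traversal itself. The message names REGISTER/PEER/PUNCH, the peer names and the port-0 bind are all assumptions of this example, not any real protocol.

```python
"""UDP hole punching, simulated on loopback: a rendezvous server learns each
peer's source endpoint and tells the peers about each other, then both peers
send to each other so that a NAT in the path has an outbound mapping before
the inbound packet arrives. Constructed example; REGISTER/PEER/PUNCH and the
peer names are invented here, not part of any real protocol."""
import socket
import threading


def rendezvous(server_sock, results, expected=2):
    """Rendezvous server: record each peer's endpoint as the server sees it
    (behind a real NAT this is the translated address/port), then tell every
    peer where the other one is reachable."""
    peers = []
    while len(peers) < expected:
        data, addr = server_sock.recvfrom(512)
        if data.startswith(b"REGISTER "):
            peers.append((data[len(b"REGISTER "):].decode(), addr))
    for name, addr in peers:
        for other_name, other_addr in peers:
            if other_addr != addr:
                msg = f"PEER {other_name} {other_addr[0]} {other_addr[1]}"
                server_sock.sendto(msg.encode(), addr)
    results["observed"] = dict(peers)


def punch(name, sock, server_addr, results):
    """One peer: register with the rendezvous server, learn the other side's
    observed endpoint, send to it first (that outbound packet is what opens
    the NAT mapping), then wait for the other side's packet."""
    sock.sendto(b"REGISTER " + name.encode(), server_addr)
    sock.settimeout(3.0)
    other = None
    got = None
    early = {}  # datagrams that arrive before we know the peer's address
    try:
        while got is None:
            data, addr = sock.recvfrom(512)
            if addr == server_addr and data.startswith(b"PEER "):
                _, _, host, port = data.decode().split()
                other = (host, int(port))
                # Send a few times: behind a real NAT the first one may be
                # dropped by the other side's NAT if its mapping is not open yet.
                for _ in range(3):
                    sock.sendto(f"PUNCH from {name}".encode(), other)
                # On loopback there is no NAT, so the peer's packet may already
                # have arrived; a real NAT would have dropped that early packet.
                got = early.get(other)
            elif data.startswith(b"PUNCH from "):
                if addr == other:
                    got = data.decode()
                else:
                    early[addr] = data.decode()
    except socket.timeout:
        pass  # leaves got as None: the hole was not punched
    results[name] = got


def run_demo():
    """Run the server and two peers in threads on 127.0.0.1 and return what
    each peer received from the other plus the server's view of them."""
    server_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server_sock.bind(("127.0.0.1", 0))
    server_sock.settimeout(5.0)
    server_addr = server_sock.getsockname()
    results = {}
    threads = [threading.Thread(target=rendezvous, args=(server_sock, results))]
    peer_socks = []
    for name in ("alice", "bob"):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))
        peer_socks.append(s)
        threads.append(threading.Thread(target=punch, args=(name, s, server_addr, results)))
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    for s in peer_socks + [server_sock]:
        s.close()
    return results


if __name__ == "__main__":
    for who, what in run_demo().items():
        print(who, "->", what)
```

Each peer should end up holding the other's "PUNCH from ..." datagram. For the box in the question this would still require a rendezvous host reachable by both sides and a UDP-based service on the box; TCP is harder for the reason the quoted article gives, since each side's NAT state depends on a SYN whose sequence number the other side has not seen.

----------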

## sschlueter

*logik3x wrote:*

> Hey, I have a box behind a NAT layer that I can't configure and I need to get access to http/ftp/vnc on that box. I have a router at home running openwrt with openvpn on it and I was thinking of connecting that box to that vpn, but I have limited bandwidth on that router and ftp/bittorrent (on the box) traffic shall not go through the vpn... is there a way to have a partial vpn (some ports?) or should I have an ssh tunnel always connected to that router?

The default behavior of OpenVPN is simply to set up a secure point-to-point connection between client and server; apart from that, the routing tables are not modified. That means that each client and the server get an additional private IP address. The tunnel is only used when you establish a connection to the distant endpoint of the point-to-point connection.

So you can connect to the box-behind-NAT using its OpenVPN IP from the OpenVPN server (or from any system that uses the OpenVPN server as a router). But outgoing connections from that box will not use the tunnel unless the destination IP is the server's OpenVPN IP.

You can configure OpenVPN so that all outgoing traffic of the client uses the tunnel (automatic modification of the default gateway), but this is not the default behavior and is not what you want.

----------

## sschlueter

*mahdi1234 wrote:*

> Where -S /.xxx.domain.com/146.248.1.230 is actually saying that traffic to xxx.domain.com and to ip 146.248.1.230 should be routed.

I think this option tells dnsmasq to query specific name servers for specific domains. So it doesn't influence routing.

----------

