# VPN but only want to use for certain traffic

## Akaihiryuu

Basically, in my current apartment, I'm not provided with a public IP address.  I'm using a VPN service with OpenVPN to get a public IP.  However, I only want traffic to/from ports 8022, 8888, 8080, and 8443 on that machine to be routed through the VPN, and I want everything else to use my regular connection.  Is there an easy way to do this?

----------

## 1clue

You have two different kinds of http traffic.

You have traffic related to your web server and the static IP, and then you have all the browser traffic from your home. Your VPN endpoint will be accepting http traffic and forwarding it to you, probably on a non-routable ip address, or ipv6 maybe.

Full disclosure: I've never used the sort of service you're talking about. I've configured OpenVPN so my coworkers and I can get into the office, but you're doing something different.

In the former instance the requests are inbound and all going to your public IP, which is going to be translated into some sort of a 10.x.y.z probably. So you set up routes for that and pretty much everything else is taken care of. Make sure your web server box routes all vpn response traffic back through the vpn rather than direct.

----------

## Akaihiryuu

 *1clue wrote:*   

> You have two different kinds of http traffic.
> 
> You have traffic related to your web server and the static IP, and then you have all the browser traffic from your home. Your VPN endpoint will be accepting http traffic and forwarding it to you, probably on a non-routable ip address, or ipv6 maybe.
> 
> Full disclosure: I've never used the sort of service you're talking about. I've configured OpenVPN so my coworkers and I can get into the office, but you're doing something different.
> ...

 

Yeah that's more or less what I want to do.  All incoming traffic on those ports is going to come through tun0.  Obviously response traffic back out also needs to go over tun0.  But I want all other traffic originating on the machine or routing through it to go out through eth1...what do I need to do to do this?

----------

## chiefbag

 *Quote:*   

> I'm using a VPN service with OpenVPN to get a public IP.

 

The first question you need to ask is does this service allow inbound connections to their public ip and route it through your VPN connection?

I doubt they do, as this would require them to provide a public IP for each client they have. What is the name of the service/provider that you are using?

Most services of this nature only provide you with outbound traffic option.

----------

## 1clue

 *chiefbag wrote:*   

>  *Quote:*   I'm using a VPN service with OpenVPN to get a public IP. 
> 
> The first question you need to ask is does this service allow inbound connections to their public ip and route it through your VPN connection?
> 
> I doubt if they do myself as this would require them to provide a public ip for each client they have, what is the name of the service/provider that you are using?
> ...

 

While I'm definitely NOT a VPN expert, this doesn't make sense.

Web servers are really good at ganging up. Most publicly hosted web servers have lots of domain names all using the same IP address and the same port. The web server is really fast at switching the connection off to some private port.

The way I understand it, the VPN will add significant latency which will make the site seem more sluggish than if it were hosted on a public port right at the site, but it should work without lots of IP addresses.

----------

## chiefbag

 *Quote:*   

> While I'm definitely NOT a VPN expert, this doesn't make sense. 

 

 *Quote:*   

> The way I understand it, the VPN will add significant latency which will make the site seem more sluggish than if it were hosted on a public port right at the site,

 

The second statement is true; however, there may well be valid reasons why the person would want to make a home-based server accessible via a public IP address. For example, they may want to access Internet of Things gadgets etc., i.e. turn the heating or kettle on.  :Rolling Eyes: 

----------

## 1clue

One possible solution would be to switch from tun to tap. At that point all traffic from the VPN hits your network, and you're responsible at your local vpn endpoint to handle firewall rules.

----------

## chiefbag

EDIT

 *Quote:*   

> One possible solution would be to switch from tun to tap. At that point all traffic from the VPN hits your network

 

That's still based on the assumption that the service the user is using actually routes traffic inbound from the ascribed public ip address.

----------

## chiefbag

Assuming the following case, then try the below rule:

1: Your traffic is flowing inbound from the VPN service's public IP to tun0 for port 8080

2: The web server is running on 10.10.10.10

```
# DNAT connections arriving on tun0 for TCP port 8080 to the internal web server
iptables -t nat -I PREROUTING -i tun0 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination 10.10.10.10
```

----------
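An added, worked example that is not code from any poster in this thread. It ties the original question (ports 8022, 8888, 8080 and 8443 answered via tun0, everything else via eth1) together with chiefbag's DNAT rule above: connections that arrive on tun0 for those ports are tagged with a connection mark, the mark is restored onto every reply packet, and an `ip rule` sends marked packets through a routing table whose only route is a default via tun0. The main table keeps its default via eth1, so all other traffic is unaffected. It assumes what chiefbag questions, namely that the provider really does deliver inbound connections to the tunnel; the VPN gateway address 10.8.0.1, the LAN interface eth0 behind which the 10.10.10.10 server sits, and the use of OpenVPN's `route-nopull` option are all assumptions, not facts from the thread. With `DRY_RUN=1` (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing for a Linux box whose regular
# link is eth1 (ISP, default route in the main table) and whose VPN is tun0 (OpenVPN).
#
# Idea: mark every connection that ARRIVES on tun0 for one of the published ports,
# store that mark in conntrack (CONNMARK), and restore it onto reply packets so an
# "ip rule" routes them through a table whose default route is tun0.
# Everything else is routed by the main table, i.e. out eth1.
#
# Assumptions not stated in the thread: the VPN server's tunnel-side address
# (VPN_GW), a LAN interface eth0 holding chiefbag's 10.10.10.10 web server, and
# that the OpenVPN client runs with "route-nopull" so the provider's pushed
# default route does not land in the main table.
set -eu

VPN_IF=tun0
VPN_GW=10.8.0.1            # assumed tunnel-side address of the VPN server
LAN_IF=eth0                # assumed LAN interface (only needed for the DNAT case)
LAN_SERVER=10.10.10.10     # chiefbag's example web server behind this box
PORTS=8022,8888,8080,8443  # ports the OP wants reachable via the VPN
MARK=0x1
TABLE=100                  # routing table number used for the VPN path
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# New TCP connections entering on tun0 for the published ports get a connection mark.
mark_inbound() {
    run iptables -t mangle -A PREROUTING -i "$VPN_IF" -p tcp -m multiport --dports "$PORTS" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
}

# Copy the connection mark back onto packets before the routing decision:
# OUTPUT for replies generated on this host, PREROUTING for replies coming back
# from the LAN server in the DNAT case.
restore_marks() {
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
}

# Marked packets use table $TABLE, whose only route is a default via tun0.
# Loose reverse-path filtering on tun0 is needed because the best route back to
# an Internet client is via eth1, which strict rp_filter would reject.
setup_routes() {
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
    run sysctl -q -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# Optional: publish a port that is served by a LAN host rather than this box.
# nat PREROUTING runs after mangle PREROUTING, so the connection is already marked.
dnat_to_lan() {
    port=$1
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$VPN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$LAN_SERVER"
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_SERVER" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

main() {
    mark_inbound
    restore_marks
    setup_routes
    dnat_to_lan 8080
}

main
```

Run it as root with `DRY_RUN=0` to apply it; note that `ip rule add` is not idempotent, so run it once or delete the rule before re-running. Because only table 100 has a route via tun0, the box still reaches the VPN server itself over eth1, which is exactly what keeps ordinary traffic off the tunnel. You can check the decision without sending traffic: `ip route get 203.0.113.5 mark 0x1` should show tun0, while the same lookup without `mark` should show eth1.

----------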

## 1clue

I guess this is a little late, but most ISPs allow you to buy a public IP address to facilitate people accessing their home systems from work.

Or you could use dynamic dns?

----------

## chiefbag

 *Quote:*   

> I guess this is a little late, but most ISPs allow you to buy a public IP address to facilitate people accessing their home systems from work. 
> 
> Or you could use dynamic dns?

 

Some don't even give you a public IP address unless you are a business customer, therefore dyndns etc. won't work  :Crying or Very sad: 

I'm in the same situation with my current internet provider. My workaround is that I have an external server and an IPSec VPN from my home gateway server to the external server; the gateway is configured as a road warrior client.

I can then access from the external server to home.

Let's see if @Akaihiryuu will give us any further info/update?

----------

## curmudgeon

 *chiefbag wrote:*   

> The first question you need to ask is does this service allow inbound connections to their public ip and route it through your VPN connection?
> 
> I doubt if they do myself as this would require them to provide a public ip for each client they have, what is the name of the service/provider that you are using?
> 
> Most services of this nature only provide you with outbound traffic option.

 

Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections?

----------

## chiefbag

 *Quote:*   

> Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections?

 

So you reckon every VPN provider ascribes an individual public ip to each client?

----------

## 1clue

 *chiefbag wrote:*   

>  *Quote:*   Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections? 
> 
> So you reckon every VPN provider ascribes an individual public ip to each client?

 

I'd be willing to bet that they have multiple clients per ip address. When you login to a corporate VPN it's one IP address and they have potentially thousands of clients. Think IBM.

This configuration is a bit different but I seriously doubt the VPN service has a separate ipv4 address per client. They might have ipv6 configured that way but this whole problem comes from the fact that ipv4 addresses are hard to come by now.

----------

## chiefbag

 *Quote:*   

> This configuration is a bit different but I seriously doubt the VPN service has a separate ipv4 address per client.

 

I totally agree.

----------

