Re: [opensuse-security] enforcing a route over VPN

On 05.01.2014 21:55, Christian Boltz wrote:
> Hello,
> On Sunday, 5 January 2014, Rainer Sokoll wrote:
>> On 2014-01-05 21:03, Christian Boltz wrote:
>>> I have a VPN connection to my mail server, and would like to enforce
>>> that mails can be fetched only over the VPN connection.
>> What kind of VPN? IPSEC? PPTP (ouch)? OpenVPN?
>> For the latter, see redirect_gateway.
> OpenVPN.
> redirect_gateway is useful to let the client set the default route if 
> needed (easier to handle than doing it on the server if you want it only 
> for some clients).
> However redirect_gateway only helps when the VPN connection is up.
> I'd like to have something that blocks the traffic to when the 
> VPN connection is _down_. 
> Call it a static route for to /dev/null ;-)

You can do exactly that:

susi:~ # ip r
default via dev air  proto static
dev lo  scope link
dev virbr0  proto kernel  scope link  src
dev air  proto kernel  scope link  src  metric 9

(that's my default, 200.0 my home lan, 122.0 my virtual machines NATed
to the outside)

susi:~ # ip r add blackhole 
susi:~ # ping
connect: Network is unreachable
susi:~ # ip r del
susi:~ # ping -c 3
PING ( 56(84) bytes of data.

--- ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

susi:~ # 

(of course, I don't get any answers from :-))

Getting this into your VPN connect / disconnect script, I guess you are
able to do that :-)

Stefan Seyfried
"If your lighter runs out of fluid or flint and stops making
 fire, and you can't be bothered to figure out about lighter
 fluid or flint, that is not Zippo's fault." -- bkw
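As an added example (not code from the thread or from Stefan), here is the blackhole trick wired into OpenVPN's --up/--down hooks: the route is installed whenever the tunnel goes down and removed when it comes up. MAIL_SERVER is a placeholder address; $script_type is the variable OpenVPN exports ("up" or "down") when it calls the script.

```sh
#!/bin/sh
# Added example, not from the thread: an OpenVPN --up/--down hook that keeps
# a blackhole route for the mail server in place whenever the tunnel is down,
# so mail traffic cannot fall back to the plain default route.
# Assumptions: MAIL_SERVER is the mail server address as reached through the
# VPN (placeholder below); OpenVPN exports $script_type as "up" or "down";
# iproute2 is installed. DRY_RUN=1 only prints the commands instead of running them.
MAIL_SERVER="${MAIL_SERVER:-192.0.2.25}"   # placeholder, TEST-NET-1

# Return the ip(8) command for a tunnel state. A /32 blackhole is more specific
# than the default route, so it wins while the VPN is down; once the tunnel is up
# and the blackhole is deleted, the route via the tun device takes over.
route_cmd() {
    case "$1" in
        up)   echo "ip route del blackhole $MAIL_SERVER/32" ;;
        down) echo "ip route replace blackhole $MAIL_SERVER/32" ;;
        *)    echo "route_cmd: unknown state '$1'" >&2; return 1 ;;
    esac
}

apply_route() {
    cmd=$(route_cmd "$1") || return 1
    if [ -n "$DRY_RUN" ]; then
        echo "$cmd"
        return 0
    fi
    # On "up" the blackhole may not exist yet (first run after boot); do not
    # fail, because a failing --up script makes OpenVPN abort the connection.
    if [ "$1" = up ]; then $cmd 2>/dev/null || true; else $cmd; fi
}

# Check: is the mail server currently blackholed? Uses "ip route show",
# since "ip route get" reports EINVAL for blackhole destinations.
is_blackholed() {
    ip route show "$MAIL_SERVER/32" 2>/dev/null | grep -q '^blackhole '
}

# Invoked by OpenVPN via: --up /path/to/this --down /path/to/this
if [ -n "$script_type" ]; then
    apply_route "$script_type"
fi
```

Run `apply_route down` once at boot as well, so the blackhole exists before the first VPN connection rather than only after the first disconnect.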
