{"id":273,"date":"2012-07-23T10:00:16","date_gmt":"2012-07-23T15:00:16","guid":{"rendered":"https:\/\/www.foell.org\/justin\/?p=273"},"modified":"2019-10-21T11:52:48","modified_gmt":"2019-10-21T16:52:48","slug":"rerouting-vpn-traffic-with-dnsmasq","status":"publish","type":"post","link":"https:\/\/www.foell.org\/justin\/rerouting-vpn-traffic-with-dnsmasq\/","title":{"rendered":"(Re)routing VPN traffic with Dnsmasq"},"content":{"rendered":"

This is part three of a three part series covering Dnsmasq’s uses regarding:<\/p>\n

    \n
  1. Local Development DNS<\/a><\/li>\n
  2. Local Area Network (LAN) DNS<\/a><\/li>\n
  3. Virtual Private Network (VPN) routing<\/li>\n<\/ol>\n

    IT savvy business often use a Virtual Private Network (VPN)<\/a> connection to allow employees to connect to the (normally internal) work network while they’re traveling or working from home.\u00a0 Many VPNs (once connected) act at the default gateway for your computer.\u00a0 This is effectively like unplugging your computer from your local network\u00a0 and plugging it in at your workplace.\u00a0 This is probably for security reasons, and it’s certainly a simple configuration for most, as your computer is truly now on a remote network as if you were at your desk at work.\u00a0 But for some, this is becomes a restriction, and we’ll examine some cases and a workaround.<\/p>\n

    <\/p>\n

    Let’s say I’m connected to the VPN.\u00a0 All of my internet traffic goes through the VPN which is a thousand miles away.\u00a0 If I’m streaming a local radio station, that’s a long way to go out-and-back for something that is truly local.\u00a0 In addition, all of my local network resources are less usable because the VPN has instructed my computer to use the VPN’s DNS servers, so I can now only access them by IP.<\/p>\n

    It is possible to be connected to the VPN and still have access to local resources, and route (non-VPN) traffic though your normal gateway.\u00a0 Your VPN administrator might say this is poses a security risk, but s\/he’ll be none the wiser if you don’t let on.<\/p>\n

    This configuration is for Dnsmasq and NetworkManager, which is used by Ubuntu & Fedora.\u00a0 But there’s no reason the concepts here can’t be applied to other Linux distributions and\/or OSX.<\/p>\n

    VPN Gateway<\/h2>\n

    Connect to your VPN per normal using NetworkManager.\u00a0 Once you’re connected you can probably deduce the default gateway by looking at output from running a traceroute<\/code> to a known computer on the VPN (such as the nameserver – see below).<\/p>\n

    $ traceroute 10.20.0.26\r\ntraceroute to 10.20.0.26 (10.20.0.26), 30 hops max, 60 byte packets\r\n\u00a01\u00a0 * * *\r\n\u00a02\u00a0 10.20.44.253 (10.20.44.253)\u00a0 101.294 ms\u00a0 101.715 ms\u00a0 102.610 ms\r\n\u00a03\u00a0 10.20.0.26 (10.20.0.26)\u00a0 100.205 ms\u00a0 101.022 ms\u00a0 101.486 ms<\/pre>\n
    The first IP is likely the VPN’s default gateway, 10.20.44.253 in this case.<\/p>\n
    VPN Name Servers<\/h2>\n
    You’ll also want to grab the name servers for your VPN.\u00a0 You can probably just inspect your \/etc\/resolv.conf<\/code> file for this information:<\/p>\n
    $ cat \/etc\/resolv.conf\r\n...\r\nnameserver 10.20.0.26<\/pre>\n
    Add new VPN connection<\/h2>\n
    With this information at hand, disconnect from the VPN and create a new VPN connection in NetworkManager that is essentially the same as the existing one.\u00a0 Name the new connection something that indicates it’s custom (we’ll use this name later).\u00a0 In NetworkManager on the IPv4 Settings<\/em> tab, set the Method<\/em> to Automatic (VPN) addresses only<\/em>:<\/p>\n
    \"\"<\/a><\/p>\n
    Then click the Routes…<\/em> button.\u00a0 In the Routes<\/em> dialog you’ll want to put in the network information for your work, using the information you deduced using traceroute<\/code>.\u00a0 My VPN addresses are all 10.x.x.x, and the VPN gateway is 10.20.44.253.\u00a0 So I added a line to the route table like this:<\/p>\n
    \"\"<\/a><\/p>\n
    You can find the network address and netmask from the Private Network table on Wikipedia<\/a>. The metric number should be fine at 10. Check the boxes to ignore obtained routes and to only use this network for resources contained within.<\/p>\n
    That gets you essentially halfway there, you can connect to the VPN and only requests for resources with network addresses that are part of the VPN will be routed through the VPN connection, everything else will gateway through your normal ISP. You can (and probably should) test this configuration by connecting to the VPN and ping<\/code>-ing or traceroute<\/code>-ing to a computer on the VPN (such as the nameserver) just to make sure the custom routing established is indeed working.\u00a0 Once routing is working, we need to fix the DNS as it’s kind of useless without it.<\/p>\n
    Create a NetworkManager dispatcher.d script to start Dnsmasq<\/h2>\n
    In \/etc\/NetworkManager\/dispatcher.d<\/code> add a file called 05vpn<\/code>:<\/p>\n
    #!\/bin\/sh\r\n\r\nif [ \"$2\" = \"vpn-up\" ]; then\r\n        CONN_NAME=`\/usr\/bin\/nm-tool | grep VPN | sed 's\/^.*\\[\\(.*\\)\\].*$\/\\1\/'`\r\n        if [ \"$CONN_NAME\" = \"VPN Custom\" ]; then\r\n                \/etc\/init.d\/dnsmasq start\r\n        fi\r\nfi\r\n\r\nif [  \"$2\" = \"vpn-down\" ]; then\r\n        \/etc\/init.d\/dnsmasq stop\r\nfi<\/pre>\n
    Set the comparison to $CONN_NAME to the name of your new VPN connection. After saving the file, set it to be executable:<\/p>\n
    $ sudo chmod 755 \/etc\/NetworkManager\/dispatcher.d\/05vpn<\/pre>\n
    The \/etc\/NetworkManager\/dispatcher.d<\/code> files are executed whenever a network interface goes up or down. The 05vpn<\/code> file will start\/stop Dnsmasq when the “custom” VPN connection is turned on\/off.<\/p>\n
    Configure Dnsmasq for your VPN<\/h2>\n
    Configuring Dnsmasq for your VPN really boils down to adding server<\/em> entries for every domain that either resides on the VPN, or that you want to route through the VPN. Add a file in \/etc\/dnsmasq.d<\/code> for your VPN DNS settings, such as \/etc\/dnsmasq.d\/02_vpn<\/code><\/p>\n
    If your work has it’s own Top Level Domain (TLD)<\/a>, add a server line with the VPN DNS server IP and the TLD:<\/p>\n
    server=\/tld\/10.20.0.26<\/pre>\n
    Similarly, if there are certain domains (like your company’s domain name) that act differently when you’re on the VPN, you’ll want to have them route through the VPN:<\/p>\n
    server=\/mywork.com\/10.20.0.26<\/pre>\n
    That’s all there is to it. I’ve noticed some (newer) versions of NetworkManager automagically employ Dnsmasq to let you use any LAN resources, but other traffic (such as streaming music) would still go through the VPN.<\/p>\n
    Happy Hacking!<\/p>\n
    Send to Kindle<\/span><\/div>","protected":false},"excerpt":{"rendered":"
    This is part three of a three part series covering Dnsmasq’s uses regarding: Local Development DNS Local Area Network (LAN) DNS Virtual Private Network (VPN) routing IT savvy business often use a Virtual Private Network (VPN) connection to allow employees to connect to the (normally internal) work network while they’re traveling or working from home.\u00a0… Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1,17,8],"tags":[23,166,25],"class_list":["post-273","post","type-post","status-publish","format-standard","hentry","category-business","category-dns","category-ubuntu","tag-dnsmasq","tag-linux","tag-networkmanager"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/posts\/273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/comments?post=273"}],"version-history":[{"count":11,"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/posts\/273\/revisions"}],"predecessor-version":[{"id":3585,"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/posts\/273\/revisions\/3585"}],"wp:attachment":[{"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/media?parent=273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/categories?post=273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.foell.org\/justin\/wp-json\/wp\/v2\/tags?post=273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}