Channel: Active questions tagged openvpn - Unix & Linux Stack Exchange

Troubles using DNS with VPN split tunnel. CentOS 8


So I tried to set up a split tunnel on my server (my server is the VPN client), where a vpn-user would only be able to access the internet via the VPN interface (tun0).

I've followed and tried to "translate" an Ubuntu guide to CentOS 8. The guide I have been following is Force Torrent, which was inspired by Force Torrent Traffic through VPN Split Tunnel Debian 8 + Ubuntu 16.04, and then I applied the updates I found in Split Tunnel Guide for Ubuntu 18.04.

This resulted in the following files:

Code/Scripts: (Results below)

/etc/systemd/system/openvpn@openvpn.service:

[Unit]
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target

[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

/etc/openvpn/openvpn.conf:

client
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dev tun
proto udp
remote pool-1.prd.se.ovpn.com 1194
remote pool-1.prd.se.ovpn.com 1195
remote pool-2.prd.se.ovpn.com 1194
remote pool-2.prd.se.ovpn.com 1195
remote pool-3.prd.se.ovpn.com 1194
remote pool-3.prd.se.ovpn.com 1195
remote pool-4.prd.se.ovpn.com 1194
remote pool-4.prd.se.ovpn.com 1195
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth-user-pass /etc/openvpn/credentials
auth-nocache
comp-lzo
route-noexec
remote-cert-tls server
pull
reneg-sec 0
verb 3
mute-replay-warnings
replay-window 256
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
log /tmp/openvpn.log
script-security 2
up /etc/openvpn/firewllad.sh
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .

/etc/openvpn/firewalld.sh:

#! /bin/bash
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.10"
export NETIF="enp1s0"

# Flush all rules
firewall-cmd --direct --remove-rules ipv4 mangle OUTPUT
firewall-cmd --direct --remove-rules ipv4 mangle INPUT
firewall-cmd --direct --remove-rules ipv4 filter INPUT
firewall-cmd --direct --remove-rules ipv4 filter OUTPUT
firewall-cmd --direct --remove-rules ipv4 nat POSTROUTING

#firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! -o lo -m owner --uid-owner vpn -j DROP

# Mark packets from $VPNUSER
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --restore-mark
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1

# Added local open ports (since I do not use these services I have not opened these ports)
#firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --src $LOCALIP -p tcp -m tcp -m multiport --sports 6800,7777 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x0

# Continue marking
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --src $LOCALIP -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --save-mark

# Allow responses
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Block everything incoming on $INTERFACE to prevent accidental exposing of ports
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -j REJECT

# Let $VPNUSER access lo and $INTERFACE
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# All packets on $INTERFACE need to be masqueraded
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o $INTERFACE -j MASQUERADE

# Reject connection from predator IP going over $NETIF
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! --src $LOCALIP -o $NETIF -j REJECT

#ADD YOUR OWN RULES HERE

# Start routing script
/etc/openvpn/routing.sh

exit 0

/etc/openvpn/routing.sh:

#! /bin/bash
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ip address show $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
    ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache

# run update-resolv-conf script to set VPN DNS
/etc/openvpn/scripts/update-systemd-resolved

exit 0

/etc/iproute2/rt_tables:

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
200     vpn

/etc/sysctl.d/9999-vpn.conf:

net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp1s0.rp_filter = 2

Results:

Using the command to check for DNS: systemd-resolve --status

Link 9 (tun0)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
  Current DNS Server: 192.165.9.158
         DNS Servers: 192.165.9.158
                      46.227.67.134
          DNS Domain: ~.

Checking the VPN public IP with sudo -u vpn -i -- curl ipinfo.io gave me: curl: (6) Could not resolve host: ipinfo.io, while sudo curl ipinfo.io --interface tun0 works fine. I also get issues when I ping www.google.se as the vpn-user, but if I use the IP of that domain instead, it works fine.
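As an added check that is not part of the question or the guides it follows: a shell helper that audits, from the text of `ip rule list`, `ip route show table vpn` and the sysctl file, whether the fwmark policy routing and the rp_filter setting the scripts above depend on are actually in place. It assumes the names used in the question (tun0, table vpn, enp1s0) and all sample outputs are constructed.

```shell
#!/bin/bash
# Added audit helper (not from the question): checks the fwmark split-tunnel
# routing and rp_filter state from command output text. Names as in the question.
VPNIF="tun0"; VPNTABLE="vpn"; NETIF="enp1s0"

# Returns 0 when routing is complete, otherwise the first missing piece:
# 1: no rule sending fwmark 0x1 traffic to the vpn table (vpn user uses main table)
# 2: vpn table has no default route via $VPNIF
# 3: no "default via 127.0.0.1 dev lo" fallback: when tun0 drops, the vpn table
#    loses its default and lookups fall through to main, i.e. out via $NETIF
check_split_routing() {
    local rules="$1" routes="$2"
    printf '%s\n' "$rules"  | grep -Eq "fwmark 0x1 lookup $VPNTABLE\$" || return 1
    printf '%s\n' "$routes" | grep -Eq "^default via [0-9.]+ dev $VPNIF" || return 2
    printf '%s\n' "$routes" | grep -Eq "^default via 127\.0\.0\.1 dev lo" || return 3
    return 0
}

# Replies to marked traffic arrive on tun0 although the main table would route
# their source elsewhere, so strict reverse-path filtering (1) drops them.
# Returns 0 only if all, default and $NETIF are loose (2) or off (0).
check_rp_filter() {
    local conf="$1" key val
    for key in all default "$NETIF"; do
        val=$(printf '%s\n' "$conf" | sed -n "s/^net\.ipv4\.conf\.$key\.rp_filter *= *\([0-9]\)$/\1/p" | tail -n1)
        case "$val" in 0|2) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed samples: a healthy host, and one where routing.sh never ran.
RULES_OK='0:      from all lookup local
32765:  from all fwmark 0x1 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'
RULES_BAD='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
ROUTES_OK='default via 10.8.0.1 dev tun0
default via 127.0.0.1 dev lo'
SYSCTL_OK='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp1s0.rp_filter = 2'
SYSCTL_STRICT='net.ipv4.conf.all.rp_filter = 1'

if check_split_routing "$RULES_OK" "$ROUTES_OK" && check_rp_filter "$SYSCTL_OK"; then
    echo "split-tunnel routing and rp_filter look correct"
fi
check_split_routing "$RULES_BAD" "$ROUTES_OK" || echo "routing check failed with code $?"
```

On a live host, feed it `"$(ip rule list)"`, `"$(ip route show table vpn)"` and `"$(cat /etc/sysctl.d/9999-vpn.conf)"` instead of the samples.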
