exclude services from VPN

So this might be kind of a niche thing but it has it’s reasons.
I have a VPN via dietpi-vpn but i only need it for some applications. is there a way to archive that?
Usecase:
I have a PC as dietpi so it runs quite a lot of different tasks. Some of these need to be in a VPN for easier connectivity and stuff but i also host services on the web for friends and when i am on the go. Giving my VPN user and PW to other people is what i want to avoid. So can i exclude services or ports from this VPN on Dietpi directly or is that something i need to configure elsewhere?

You would need to configure such thinks by your own. We don’t have a configuration options for doing this. I guess you need to create own iptable entries. Usually trendy could help on this.

Thanks a lot when trendy is online pls respond i have notifications on.
in case it helps, i need:
32400
9443
8181
80
443
19999
8123 to be available from the outside
VPN used is made by PIA

edit:
even better just vpn everything that comes in at port 20994 if that is any easier

Hi there, yeah it is possible and pretty easy. It was requested before.
Add a custom routing table, add the default gateway for this routing table via the isp router, and finally add a few rules with the source port of the services that you are running to use the custom routing table.

does it need to look like this?
Gateway is 192.168.2.1
port 20994
what about this '/etc/iproute2/rt_tables ’ is this the standard path?

echo '10 isp' >> /etc/iproute2/rt_tables 
ip route add to default via 192.168.2.1 table isp
ip rule add iif lo sport 20994 to default lookup isp prio 20994

will this vpn exklusively this port or take this port out of VPN service?
and if it takes it out of VPN can i just repeat :

ip rule add iif lo sport 20994 to default lookup isp prio 20994

with all ports i need to be available from the outside?

what about this '/etc/iproute2/rt_tables ’ is this the standard path?

Yes, as long as you have installed iproute2.

will this vpn exklusively this port or take this port out of VPN service?

It will use the 192.168.2.1 as gateway.

and if it takes it out of VPN can i just repeat :

Code: Select all

ip rule add iif lo sport 20994 to default lookup isp prio 20994

with all ports i need to be available from the outside?

Yes.

i just did that as follows:

echo '10 isp' >> /etc/iproute2/rt_tables 
ip route add to default via 192.168.2.1 table isp
ip rule add iif lo sport 9443 to default lookup isp prio 9443
ip rule add iif lo sport 32400 to default lookup isp prio 32400
ip rule add iif lo sport 19999 to default lookup isp prio 19999
ip rule add iif lo sport 8181 to default lookup isp prio 8181
ip rule add iif lo sport 443 to default lookup isp prio 443
ip rule add iif lo sport 80 to default lookup isp prio 80
ip rule add iif lo sport 8080 to default lookup isp prio 8080

now there are some more problems. It still can’t be reached from the outside.
and that was only half bad because now i can’t reach 32400, 443 and 8080 from the inside which kind of sucks because some things in there need to be changed to get my network running again which i turned off for testing. Do you see some mistakes in there or know a command to drop the changes made to this until now?
in addition unbound won’t start which could be part of the problem

unbound might be unrelated. You could share service log, so we could have a look.

well about that… Everything became unresponsive. SSH and everything else stopped. errors at some services showed up and i had this whole thing deleted. My whole network was affacted by this so this was the only option. due to unresponsiveness a backup was not possible and i didn’t have any from before. That was that. Really sad i try to set up everthing again. If trendy could look at the code above and verify that every port mentioned in the last line will be excluded from VPN and the code is right i will try again when i have everything set up and backed up again

A couple of things. Don’t use the port number for priority as you might go beyond the rule which looks up main routing table. Keep them in the middle around 15000
Second, to be reachable from the lan, add ip route add 192.168.2.0/24 table isp dev eth0 change eth0 with the interface name.
Try one service at a time before you deploy all servers, especially sshd since that will won’t let you access the device.
After you fix these install tcpdump and run a packet capture to verify that packets come and go properly.
ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c; tcpdump -i eth0 -vn port 80
Again at the tcpdump command change if necessary the interface name and the port that you are testing.

trendy
I hope i got it now. I will summarize what I think has to be done:

This is the command I enter:

echo '10 isp' >> /etc/iproute2/rt_tables 
ip route add to default via 192.168.2.1 table isp
ip route add 192.168.2.0/24 table isp dev eth0
ip rule add iif lo sport 9443 to default lookup isp prio 15000

and for each other Port I will just change the port number at the last line like follows:

THE OTHER LINES GO HERE
ip rule add iif lo sport [PORT_NR] to default lookup isp prio 15000

In between every Port i do this with I test the connection using tcpdump
Code for this is this scheme:

ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c; tcpdump -i eth0 -vn port [PORT_NR]

My dietpi shows my adapter as eth0 so i should be good to go with this right?

Thanks btw for taking time to do this. It is a first for me with this kind of networking stuff

ip rule add iif lo sport [PORT_NR] to default lookup isp prio 15000

I’d recommend to change the prio number. Other than that looks good.

So for everyone having the same problem and landing here, I did it but in a different way. The above steps did not work for me. It is simpler to do in docker if your environment and machine is capable of it. I have a container housing all the VPN stuff i need and route every port i need from other containers through this one. Actually a lot of countainers come with a VPN version if you are willing to sacrafice the latest and greatest edition.