Policy Routing with NetPlan on TUN interfaces












0















I am trying to set up an OpenVPN server on Ubuntu 18.04 in AWS in routed mode, using a tun interface (not tap). The server sits in a public subnet, with an attached ENI in a private subnet.



All is working well in terms of the OpenVPN set up as it is possible to connect and then to connect to resources on the AWS side of the tunnel.



We need to be able to route all internet bound traffic from vpn clients (coming in on the tun0 interface) out of the server's public interface and to our NAT gateway. This route needs to exclude the whole 10.0.0.0/8 as a destination, so we need to do some policy routing. Basically, all private traffic needs to route internally and everything else, via the NAT Gateway. The server has the following NICs:



ens5 - Public subnet



ens6 - Private Subnet



tun0 - OpenVPN interface



As I understand it, I need to be able to apply the routing to the tun0 interface, but the tun0 interfaces doesn't exist until I have started the openvpn service



Another problem is that netplan doesn't seem to cater for tun (or tap for that matter) interfaces natively and I can't seem to find any examples for what I am trying to do. Annoyingly, this page provides an example for a Layer2 VPN, but not a Layer3 (routed) VPN.



So, does anyone have an idea of how to policy route traffic coming from a tun0 interface?



Any help is greatly appreciated!!!



P.S. I get the impression NetPlan is a bit immature to be in a LTS release of Ubuntu!






18.04 routing netplan







share|improve this question























  • Partially answered, but I'm unclear why you need policy routes at all. Excluding a network as a destination from the default route seems like a standard entry in a route table, not a policy route. Can you explain where you want traffic for 10.0.0.0/8 to be sent, and why this is different based on whether the originating traffic comes from the OpenVPN tunnel vs. elsewhere?

    – slangasek
    Feb 6 at 19:00











  • Adding any logic into routing makes it policy based. The main reason behind this is that in AWS there are so many different gateways for different types of traffic. So we have one gateway to route internal traffic to, one for VPN traffic and one for Internet based traffic. Quite why they do it this way, I do not know

    – Taff
    Feb 7 at 12:39


















0















I am trying to set up an OpenVPN server on Ubuntu 18.04 in AWS in routed mode, using a tun interface (not tap). The server sits in a public subnet, with an attached ENI in a private subnet.



All is working well in terms of the OpenVPN set up as it is possible to connect and then to connect to resources on the AWS side of the tunnel.



We need to be able to route all internet bound traffic from vpn clients (coming in on the tun0 interface) out of the server's public interface and to our NAT gateway. This route needs to exclude the whole 10.0.0.0/8 as a destination, so we need to do some policy routing. Basically, all private traffic needs to route internally and everything else, via the NAT Gateway. The server has the following NICs:



ens5 - Public subnet



ens6 - Private Subnet



tun0 - OpenVPN interface



As I understand it, I need to be able to apply the routing to the tun0 interface, but the tun0 interfaces doesn't exist until I have started the openvpn service



Another problem is that netplan doesn't seem to cater for tun (or tap for that matter) interfaces natively and I can't seem to find any examples for what I am trying to do. Annoyingly, this page provides an example for a Layer2 VPN, but not a Layer3 (routed) VPN.



So, does anyone have an idea of how to policy route traffic coming from a tun0 interface?



Any help is greatly appreciated!!!



P.S. I get the impression NetPlan is a bit immature to be in a LTS release of Ubuntu!






18.04 routing netplan







share|improve this question























  • Partially answered, but I'm unclear why you need policy routes at all. Excluding a network as a destination from the default route seems like a standard entry in a route table, not a policy route. Can you explain where you want traffic for 10.0.0.0/8 to be sent, and why this is different based on whether the originating traffic comes from the OpenVPN tunnel vs. elsewhere?

    – slangasek
    Feb 6 at 19:00











  • Adding any logic into routing makes it policy based. The main reason behind this is that in AWS there are so many different gateways for different types of traffic. So we have one gateway to route internal traffic to, one for VPN traffic and one for Internet based traffic. Quite why they do it this way, I do not know

    – Taff
    Feb 7 at 12:39
















0












0








0








I am trying to set up an OpenVPN server on Ubuntu 18.04 in AWS in routed mode, using a tun interface (not tap). The server sits in a public subnet, with an attached ENI in a private subnet.



All is working well in terms of the OpenVPN set up as it is possible to connect and then to connect to resources on the AWS side of the tunnel.



We need to be able to route all internet bound traffic from vpn clients (coming in on the tun0 interface) out of the server's public interface and to our NAT gateway. This route needs to exclude the whole 10.0.0.0/8 as a destination, so we need to do some policy routing. Basically, all private traffic needs to route internally and everything else, via the NAT Gateway. The server has the following NICs:



ens5 - Public subnet



ens6 - Private Subnet



tun0 - OpenVPN interface



As I understand it, I need to be able to apply the routing to the tun0 interface, but the tun0 interfaces doesn't exist until I have started the openvpn service



Another problem is that netplan doesn't seem to cater for tun (or tap for that matter) interfaces natively and I can't seem to find any examples for what I am trying to do. Annoyingly, this page provides an example for a Layer2 VPN, but not a Layer3 (routed) VPN.



So, does anyone have an idea of how to policy route traffic coming from a tun0 interface?



Any help is greatly appreciated!!!



P.S. I get the impression NetPlan is a bit immature to be in a LTS release of Ubuntu!






18.04 routing netplan







share|improve this question














I am trying to set up an OpenVPN server on Ubuntu 18.04 in AWS in routed mode, using a tun interface (not tap). The server sits in a public subnet, with an attached ENI in a private subnet.



All is working well in terms of the OpenVPN set up as it is possible to connect and then to connect to resources on the AWS side of the tunnel.



We need to be able to route all internet bound traffic from vpn clients (coming in on the tun0 interface) out of the server's public interface and to our NAT gateway. This route needs to exclude the whole 10.0.0.0/8 as a destination, so we need to do some policy routing. Basically, all private traffic needs to route internally and everything else, via the NAT Gateway. The server has the following NICs:



ens5 - Public subnet



ens6 - Private Subnet



tun0 - OpenVPN interface



As I understand it, I need to be able to apply the routing to the tun0 interface, but the tun0 interfaces doesn't exist until I have started the openvpn service



Another problem is that netplan doesn't seem to cater for tun (or tap for that matter) interfaces natively and I can't seem to find any examples for what I am trying to do. Annoyingly, this page provides an example for a Layer2 VPN, but not a Layer3 (routed) VPN.



So, does anyone have an idea of how to policy route traffic coming from a tun0 interface?



Any help is greatly appreciated!!!



P.S. I get the impression NetPlan is a bit immature to be in a LTS release of Ubuntu!






18.04 routing netplan




18.04 routing netplan






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 6 at 16:19









TaffTaff

1




1













  • Partially answered, but I'm unclear why you need policy routes at all. Excluding a network as a destination from the default route seems like a standard entry in a route table, not a policy route. Can you explain where you want traffic for 10.0.0.0/8 to be sent, and why this is different based on whether the originating traffic comes from the OpenVPN tunnel vs. elsewhere?

    – slangasek
    Feb 6 at 19:00











  • Adding any logic into routing makes it policy based. The main reason behind this is that in AWS there are so many different gateways for different types of traffic. So we have one gateway to route internal traffic to, one for VPN traffic and one for Internet based traffic. Quite why they do it this way, I do not know

    – Taff
    Feb 7 at 12:39





















  • Partially answered, but I'm unclear why you need policy routes at all. Excluding a network as a destination from the default route seems like a standard entry in a route table, not a policy route. Can you explain where you want traffic for 10.0.0.0/8 to be sent, and why this is different based on whether the originating traffic comes from the OpenVPN tunnel vs. elsewhere?

    – slangasek
    Feb 6 at 19:00











  • Adding any logic into routing makes it policy based. The main reason behind this is that in AWS there are so many different gateways for different types of traffic. So we have one gateway to route internal traffic to, one for VPN traffic and one for Internet based traffic. Quite why they do it this way, I do not know

    – Taff
    Feb 7 at 12:39



















Partially answered, but I'm unclear why you need policy routes at all. Excluding a network as a destination from the default route seems like a standard entry in a route table, not a policy route. Can you explain where you want traffic for 10.0.0.0/8 to be sent, and why this is different based on whether the originating traffic comes from the OpenVPN tunnel vs. elsewhere?

– slangasek
Feb 6 at 19:00





Partially answered, but I'm unclear why you need policy routes at all. Excluding a network as a destination from the default route seems like a standard entry in a route table, not a policy route. Can you explain where you want traffic for 10.0.0.0/8 to be sent, and why this is different based on whether the originating traffic comes from the OpenVPN tunnel vs. elsewhere?

– slangasek
Feb 6 at 19:00













Adding any logic into routing makes it policy based. The main reason behind this is that in AWS there are so many different gateways for different types of traffic. So we have one gateway to route internal traffic to, one for VPN traffic and one for Internet based traffic. Quite why they do it this way, I do not know

– Taff
Feb 7 at 12:39







Adding any logic into routing makes it policy based. The main reason behind this is that in AWS there are so many different gateways for different types of traffic. So we have one gateway to route internal traffic to, one for VPN traffic and one for Internet based traffic. Quite why they do it this way, I do not know

– Taff
Feb 7 at 12:39












1 Answer
1






active

oldest

votes


















0














Your tun interface in this case is managed by OpenVPN, not by netplan. You should manage any routes (including policy routes) for this interface through the OpenVPN configuration, and not try to mix management of it through both OpenVPN and netplan.



As of netplan 0.95, there is support for managing tunnel interfaces, but it is still not recommended to use netplan for an OpenVPN-managed interface.






share|improve this answer
























  • Hi slangasek, Ok thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!!!

    – Taff
    Feb 7 at 12:43













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1116140%2fpolicy-routing-with-netplan-on-tun-interfaces%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Your tun interface in this case is managed by OpenVPN, not by netplan. You should manage any routes (including policy routes) for this interface through the OpenVPN configuration, and not try to mix management of it through both OpenVPN and netplan.



As of netplan 0.95, there is support for managing tunnel interfaces, but it is still not recommended to use netplan for an OpenVPN-managed interface.






share|improve this answer
























  • Hi slangasek, Ok thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!!!

    – Taff
    Feb 7 at 12:43


















0














Your tun interface in this case is managed by OpenVPN, not by netplan. You should manage any routes (including policy routes) for this interface through the OpenVPN configuration, and not try to mix management of it through both OpenVPN and netplan.



As of netplan 0.95, there is support for managing tunnel interfaces, but it is still not recommended to use netplan for an OpenVPN-managed interface.






share|improve this answer
























  • Hi slangasek, Ok thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!!!

    – Taff
    Feb 7 at 12:43
















0












0








0







Your tun interface in this case is managed by OpenVPN, not by netplan. You should manage any routes (including policy routes) for this interface through the OpenVPN configuration, and not try to mix management of it through both OpenVPN and netplan.



As of netplan 0.95, there is support for managing tunnel interfaces, but it is still not recommended to use netplan for an OpenVPN-managed interface.






share|improve this answer













Your tun interface in this case is managed by OpenVPN, not by netplan. You should manage any routes (including policy routes) for this interface through the OpenVPN configuration, and not try to mix management of it through both OpenVPN and netplan.



As of netplan 0.95, there is support for managing tunnel interfaces, but it is still not recommended to use netplan for an OpenVPN-managed interface.







share|improve this answer












share|improve this answer



share|improve this answer










answered Feb 6 at 18:58









slangasekslangasek

2,57811419




2,57811419













  • Hi slangasek, Ok thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!!!

    – Taff
    Feb 7 at 12:43





















  • Hi slangasek, Ok thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!!!

    – Taff
    Feb 7 at 12:43



















Hi slangasek, Ok thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!!!

– Taff
Feb 7 at 12:43







Hi slangasek, Ok thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!!!

– Taff
Feb 7 at 12:43




















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1116140%2fpolicy-routing-with-netplan-on-tun-interfaces%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

How to reconfigure Docker Trusted Registry 2.x.x to use CEPH FS mount instead of NFS and other traditional...

Image
0 I am having trouble trying to reconfigure my DTR container to try and use a CEPH FS mount we created to act as a storage backend for our image repository. The Docs are very vague on this and nothing exactly explains on how to do it. Has anyone yet connected the dots? linux filesystems mount storage docker share | improve this question asked Feb 1 at 6:40 jRapp3r jRapp3r 1 1 add a comment  | 
Read more

is 'sed' thread safe

Image
2 If I have a shell/python script that uses sed to modify a file in place based on user inputs, and then two users run the same script at the same time or approx. same time, is 'sed' thread safe ? Or perhaps it is not an issue because the file_descripor that was opened by the first thread will be used to lock the file anyway ? thx linux sed python share | improve this question edited 7 hours ago Jeff Schaller 42.9k 11 59 137 asked 7 hours ago terreys terreys
Read more

How to make a Squid Proxy server?

Image
1 I want to set up squid proxy server for monitoring user activity in a network and Internet Web URL filtering for user. I also want to configure the user login, user log, user access group, and block unwanted web sites in my network. Please help me and guide me the full process to do this. server proxy squid share | improve this question edited Jul 31 '12 at 14:45 Jorge Castro 37.1k 107 422 617 asked Jul 31 '12 at 5:16 Goivind Tiwari Goivind Tiwari
Read more