Policy Routing with NetPlan on TUN interfaces
I am trying to set up an OpenVPN server on Ubuntu 18.04 in AWS in routed mode, using a tun interface (not tap). The server sits in a public subnet, with an attached ENI in a private subnet.

All is working well in terms of the OpenVPN setup, as it is possible to connect and then to connect to resources on the AWS side of the tunnel.

We need to be able to route all internet-bound traffic from VPN clients (coming in on the tun0 interface) out of the server's public interface and to our NAT gateway. This route needs to exclude the whole of 10.0.0.0/8 as a destination, so we need to do some policy routing. Basically, all private traffic needs to route internally and everything else via the NAT Gateway. The server has the following NICs:

ens5 - Public subnet
ens6 - Private subnet
tun0 - OpenVPN interface

As I understand it, I need to be able to apply the routing to the tun0 interface, but the tun0 interface doesn't exist until I have started the openvpn service.

Another problem is that netplan doesn't seem to cater for tun (or tap, for that matter) interfaces natively, and I can't seem to find any examples for what I am trying to do. Annoyingly, this page provides an example for a Layer 2 VPN, but not a Layer 3 (routed) VPN.

So, does anyone have an idea of how to policy route traffic coming from a tun0 interface?

Any help is greatly appreciated!

P.S. I get the impression NetPlan is a bit immature to be in an LTS release of Ubuntu!

18.04 routing netplan
asked Feb 6 at 16:19 by Taff
Partially answered, but I'm unclear why you need policy routes at all. Excluding a network as a destination from the default route seems like a standard entry in a route table, not a policy route. Can you explain where you want traffic for 10.0.0.0/8 to be sent, and why this is different based on whether the originating traffic comes from the OpenVPN tunnel vs. elsewhere?
– slangasek, Feb 6 at 19:00
Adding any logic into routing makes it policy based. The main reason behind this is that in AWS there are so many different gateways for different types of traffic. So we have one gateway to route internal traffic to, one for VPN traffic and one for Internet-based traffic. Quite why they do it this way, I do not know.
– Taff, Feb 7 at 12:39
1 Answer
Your tun interface in this case is managed by OpenVPN, not by netplan. You should manage any routes (including policy routes) for this interface through the OpenVPN configuration, and not try to mix management of it through both OpenVPN and netplan.
As of netplan 0.95, there is support for managing tunnel interfaces, but it is still not recommended to use netplan for an OpenVPN-managed interface.
answered Feb 6 at 18:58 by slangasek
Hi slangasek, OK, thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!
– Taff, Feb 7 at 12:43
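The answer's advice is to let OpenVPN, not netplan, own the routes for tun0. The usual way to do that is an OpenVPN `route-up` script, which the daemon runs only after the tun device exists, so the "tun0 doesn't exist until openvpn starts" problem disappears. The script below is an added example written for this page; it is not from the original post nor from the OpenVPN or netplan projects. The VPN client pool (10.8.0.0/24), the VPC router addresses in the public and private subnets (10.0.1.1 and 10.0.2.1), the table number 100, the rule priority and the script path are all assumptions for illustration; ens5 and ens6 come from the question. It also goes slightly beyond the question by handling `route-pre-down`, so the rule and table are removed cleanly when the service stops.

```shell
#!/bin/sh
# OpenVPN route-up / route-pre-down script (added example; assumed path
# /etc/openvpn/route-up.sh). OpenVPN runs it only after the tun device exists,
# so nothing here races with service start-up, and netplan never sees tun0.
# Enable it in the server config with:
#   script-security 2
#   route-up       /etc/openvpn/route-up.sh
#   route-pre-down /etc/openvpn/route-up.sh
# Every address and table number below is an assumption for illustration.
set -eu

VPN_POOL="${VPN_POOL:-10.8.0.0/24}"    # assumed OpenVPN client pool (the "server" directive)
PUBLIC_IF="${PUBLIC_IF:-ens5}"          # public-subnet ENI (from the question)
PRIVATE_IF="${PRIVATE_IF:-ens6}"        # private-subnet ENI (from the question)
PUBLIC_GW="${PUBLIC_GW:-10.0.1.1}"      # assumed VPC router address in the public subnet
PRIVATE_GW="${PRIVATE_GW:-10.0.2.1}"    # assumed VPC router address in the private subnet
TABLE="${TABLE:-100}"                   # assumed policy-routing table number
TUN_DEV="${dev:-tun0}"                  # OpenVPN exports $dev (the tun name) to its scripts

# run: execute an ip(8) command, or just print it when DRY_RUN=1 (review the
# commands before touching a production box, and exercise the logic unprivileged).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# remove_policy_routes: undo install_policy_routes; also makes install idempotent
# when OpenVPN is restarted and a stale rule/table is still present.
remove_policy_routes() {
    run ip rule del from "$VPN_POOL" lookup "$TABLE" 2>/dev/null || true
    run ip route flush table "$TABLE" 2>/dev/null || true
}

# install_policy_routes: packets whose source is in the VPN pool consult table
# $TABLE instead of the main table (which stays netplan-managed and untouched):
#   - 10.0.0.0/8 stays inside the VPC and leaves via the private ENI
#   - the VPN pool itself goes back into the tunnel (it sits inside 10/8, so
#     without this entry client-to-client traffic would be sent to the VPC)
#   - everything else leaves via the public ENI towards the NAT gateway
# The table is fully populated before the rule that activates it is added.
install_policy_routes() {
    remove_policy_routes
    run ip route add 10.0.0.0/8 via "$PRIVATE_GW" dev "$PRIVATE_IF" table "$TABLE"
    run ip route add "$VPN_POOL" dev "$TUN_DEV" table "$TABLE"
    run ip route add default via "$PUBLIC_GW" dev "$PUBLIC_IF" table "$TABLE"
    run ip rule add from "$VPN_POOL" lookup "$TABLE" priority 1000
}

# Dispatch on $script_type, which OpenVPN sets to the directive that invoked us.
# When sourced or run by hand without it, nothing is executed.
if [ -n "${script_type:-}" ]; then
    case "$script_type" in
        route-up)       install_policy_routes ;;
        route-pre-down) remove_policy_routes ;;
        *)              echo "unexpected script_type: $script_type" >&2; exit 1 ;;
    esac
fi
```

To preview what it would do, run `DRY_RUN=1 script_type=route-up sh /etc/openvpn/route-up.sh`; OpenVPN itself supplies `script_type` and `dev` when it calls the script. After a real run, `ip route get 1.1.1.1 from 10.8.0.10 iif tun0` should answer via 10.0.1.1 on ens5, `ip route get 10.0.2.50 from 10.8.0.10 iif tun0` via 10.0.2.1 on ens6, and `ip route get 1.1.1.1` without a VPN source should still follow the main table, which is the point of keeping the rule source-scoped rather than changing the server's own default route. Two things the page does not cover but which this setup depends on in AWS: the instance's source/destination check has to be disabled before it will forward packets whose addresses are not its own, and because 10.8.0.0/24 is not a VPC address, either the VPC route tables need a route for it pointing at the server's ENI or the server has to SNAT the pool on the way out (for example an iptables MASQUERADE rule on ens5).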