Policy Routing with NetPlan on TUN interfaces
I am trying to set up an OpenVPN server on Ubuntu 18.04 in AWS in routed mode, using a tun interface (not tap). The server sits in a public subnet, with an attached ENI in a private subnet.

All is working well in terms of the OpenVPN setup: it is possible to connect and then to reach resources on the AWS side of the tunnel.

We need to be able to route all internet-bound traffic from VPN clients (coming in on the tun0 interface) out of the server's public interface and to our NAT gateway. This route needs to exclude the whole of 10.0.0.0/8 as a destination, so we need to do some policy routing. Basically, all private traffic needs to route internally and everything else via the NAT gateway. The server has the following NICs:

  • ens5 - public subnet
  • ens6 - private subnet
  • tun0 - OpenVPN interface

As I understand it, I need to be able to apply the routing to the tun0 interface, but the tun0 interface doesn't exist until I have started the openvpn service.

Another problem is that netplan doesn't seem to cater for tun (or tap, for that matter) interfaces natively, and I can't seem to find any examples for what I am trying to do. Annoyingly, this page provides an example for a Layer 2 VPN, but not a Layer 3 (routed) VPN.

So, does anyone have an idea of how to policy route traffic coming from a tun0 interface?

Any help is greatly appreciated!!!

P.S. I get the impression netplan is a bit immature to be in an LTS release of Ubuntu!

Tags: 18.04 routing netplan

asked Feb 6 at 16:19 by Taff

  • Partially answered, but I'm unclear why you need policy routes at all. Excluding a network as a destination from the default route seems like a standard entry in a route table, not a policy route. Can you explain where you want traffic for 10.0.0.0/8 to be sent, and why this is different based on whether the originating traffic comes from the OpenVPN tunnel vs. elsewhere?

    – slangasek
    Feb 6 at 19:00

  • Adding any logic into routing makes it policy-based. The main reason behind this is that in AWS there are so many different gateways for different types of traffic. So we have one gateway to route internal traffic to, one for VPN traffic and one for Internet-based traffic. Quite why they do it this way, I do not know.

    – Taff
    Feb 7 at 12:39

1 Answer

Your tun interface in this case is managed by OpenVPN, not by netplan. You should manage any routes (including policy routes) for this interface through the OpenVPN configuration, and not try to mix management of it through both OpenVPN and netplan.

As of netplan 0.95, there is support for managing tunnel interfaces, but it is still not recommended to use netplan for an OpenVPN-managed interface.

answered Feb 6 at 18:58 by slangasek

  • Hi slangasek, OK, thanks for the response, and that seems reasonable. I suppose what I was looking for was a way of adding a policy route globally rather than by interface. Such functionality is definitely useful to have. Looking forward to using v1.0 of NetPlan!!!

    – Taff
    Feb 7 at 12:43
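One way to follow the answer's advice and keep the routes with OpenVPN rather than netplan, as an added example that is not from the question or the answerer: a `route-up` hook that sends packets arriving on the tun device through their own routing table, with 10.0.0.0/8 out of the private interface and everything else towards the NAT gateway. The gateway addresses, the client pool, the table name/id and the hook path are placeholders standing in for the questioner's AWS subnets.

```shell
#!/bin/sh
# Added example, not from the original post: an OpenVPN route-up hook that
# installs policy routing for packets arriving on the tun device, so the
# routes live with the OpenVPN configuration rather than in netplan.
# Assumed server.conf lines (not on the page):
#   script-security 2
#   route-up /etc/openvpn/policy-route-up.sh
# Gateway addresses, client subnet and table name/id are placeholders.
set -eu

VPN_DEV="${dev:-tun0}"                 # OpenVPN exports $dev to the hook
VPN_NET="${VPN_NET:-10.8.0.0/24}"      # placeholder: OpenVPN client pool
PRIVATE_GW="${PRIVATE_GW:-10.0.1.1}"   # placeholder: router of the ens6 subnet
PUBLIC_GW="${PUBLIC_GW:-10.0.0.1}"     # placeholder: router of the ens5 subnet (path to the NAT gateway)
TABLE_NAME="vpnout"
TABLE_ID=100

# Emit the ip(8) commands for one tun device without running them, so the
# plan can be reviewed (and tested) before anything touches the kernel.
# The client pool gets a more specific route than 10.0.0.0/8; otherwise
# client-to-client traffic would be sent out of ens6.
plan_policy_routes() {
  d="$1" net="$2" priv_gw="$3" pub_gw="$4" table="$5"
  cat <<EOF
ip route replace $net dev $d table $table
ip route replace 10.0.0.0/8 via $priv_gw dev ens6 table $table
ip route replace default via $pub_gw dev ens5 table $table
ip rule add iif $d lookup $table priority 1000
EOF
}

# Give the table a name in rt_tables (idempotent) so that
# `ip route show table vpnout` works when troubleshooting later.
ensure_rt_table() {
  rt_file="$1" id="$2" name="$3"
  grep -q "^$id[[:space:]][[:space:]]*$name\$" "$rt_file" 2>/dev/null ||
    printf '%s\t%s\n' "$id" "$name" >>"$rt_file"
}

apply_policy_routes() {
  ensure_rt_table /etc/iproute2/rt_tables "$TABLE_ID" "$TABLE_NAME"
  # Drop stale copies of the rule so OpenVPN restarts do not stack them.
  while ip rule del iif "$VPN_DEV" lookup "$TABLE_NAME" 2>/dev/null; do :; done
  plan_policy_routes "$VPN_DEV" "$VPN_NET" "$PRIVATE_GW" "$PUBLIC_GW" "$TABLE_NAME" | sh -e
}

# Apply only when invoked by OpenVPN; anywhere else just print the plan.
if [ "${script_type:-}" = "route-up" ]; then
  apply_policy_routes
else
  plan_policy_routes "$VPN_DEV" "$VPN_NET" "$PRIVATE_GW" "$PUBLIC_GW" "$TABLE_NAME"
fi
```

Verify with `ip rule show` and `ip route show table vpnout`; because the selector is `iif tun0`, only forwarded VPN traffic uses the table, and the server's own traffic keeps following the main table.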