How can I configure openvpn to proxy traffic only for processes that bind to the tun interface?
route-nopull
http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
When used with --client or --pull, accept options pushed by server EXCEPT for routes. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.
So add route-nopull to your OpenVPN config file. I wrote a post on how to use an OpenVPN VPN with cURL/PHP.
You can achieve it by using a different routing table for packets coming from your tun0 interface.
# ip route add $VPN_NETWORK dev tun0
# ip route add default via $VPN_GATEWAY_IP table 1
# ip rule add iif tun0 table 1
The first route goes into the default table (table 254), the 2nd goes into table 2, and the third line binds packets from the tun0 interface to the 2nd routing table. You can give this table a name in /etc/iproute2/rt_tables:
# echo '1 vpn' >> /etc/iproute2/rt_tables
If your VPN gateway is 10.8.0.1/16, you will have to type:
# ip route add 10.8.0.0/16 dev tun0
# ip route add default via 10.8.0.1 table vpn
# ip rule add iif tun0 table vpn
This is called Policy Routing, and you must have CONFIG_IP_MULTIPLE_TABLES enabled in your kernel configuration for this to work.