[kwlug-disc] SSH SOCKS proxy without SSH

L.D. Paniak ldpaniak at fourpisolutions.com
Wed Mar 28 17:27:15 EDT 2012


You can get the OpenVPN server to modify clients' routing tables with
the route directive, e.g.

http://openvpn.net/index.php/open-source/documentation/howto.html#scope

This snippet in your tun server.conf:

push "route 67.69.196.75  255.255.255.255"
push "route 67.69.196.72  255.255.255.255"
client-config-dir ccd

and in ccd/VPNclient1:

iroute 67.69.196.75  255.255.255.255
iroute 67.69.196.72  255.255.255.255

should be enough to get www.cbc.ca (and only www.cbc.ca) routed through
your OpenVPN server for VPNclient1.

I doubt this works for names - you would need to resolve www.cbc.ca
before writing routing rules for it.  This is typical of iptables rules.
Periodically updating the resolution and restarting OpenVPN would take
care of that for non-static destinations.

Be sure to NAT traffic from tun* to your WAN so your OpenVPN server
knows what to do with this traffic.



On Wed, 2012-03-28 at 12:17 -0400, Paul Nijjar wrote:
> I thought it would be a nice change if I actually asked a question that was
> related to Linux on this list. 
> 
> SSH is capable of some magic tunnelling that I don't understand, as
> documented here: 
> 
> http://paulstamatiou.com/how-to-surf-securely-with-ssh-tunnel
> 
> The article uses the following magic command: 
> 
> ssh -D 8080 -f -C -q -N myuser@myserver.com
> 
> Now localhost:8080 will tunnel all traffic through to myserver.com . I
> then set up the SOCKS proxy fields in my web browser to enforce the
> tunnelling.
> 
> So, two questions: 
> 
> 0. What am I looking for if I want to do this without SSH? I am going
> to have clients OpenVPN into the network. I understand that I can
> force ALL traffic to go through the OpenVPN tunnel, but this is not
> actually what I want -- I just want certain traffic proxied.
> 
> 1. Is there a way to have some websites go through the proxy and some
> not? For example, I might want *.cbc.ca to go through the proxy, but
> everything else to be local. Again, it would be preferable if this was
> not via SSH. 
> 
> - Paul
> 
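As an added example (not code from the reply above, nor from OpenVPN itself), a POSIX shell script for the periodic re-resolution step the reply mentions: it takes resolver output for a name, keeps the unique IPv4 addresses, and writes the matching push "route" lines and ccd iroute lines. Assumed, not from the post: `getent ahostsv4` for live lookups, the file name push-routes.conf, and a config directory such as /etc/openvpn.

```shell
#!/bin/sh
# Added example, not part of the reply: turn resolver output into the
# per-address "push route" / "iroute" lines the reply describes.
#
# Resolver output is passed in as text so this runs offline; for live use,
# feed it "$(getent ahostsv4 www.cbc.ca)" (assumption: glibc getent).
# Constructed sample: the two addresses quoted in the reply plus an IPv6
# line that must be filtered out.
SAMPLE_RESOLUTION='67.69.196.75    STREAM www.cbc.ca
67.69.196.75    DGRAM
67.69.196.72    STREAM
67.69.196.72    DGRAM
2001:db8::1     STREAM'

# Keep only well-formed, unique IPv4 addresses (first field) from stdin.
unique_v4() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$1]++ { print $1 }'
}

# One /32 host route per address for the server.conf push list.
# $1 = newline-separated address list.
push_routes() {
  printf '%s\n' "$1" | while read -r a; do
    if [ -n "$a" ]; then printf 'push "route %s 255.255.255.255"\n' "$a"; fi
  done
}

# Matching iroute lines for ccd/<client>, so the server knows these
# destinations are reached through that client's tunnel.
iroutes() {
  printf '%s\n' "$1" | while read -r a; do
    if [ -n "$a" ]; then printf 'iroute %s 255.255.255.255\n' "$a"; fi
  done
}

# Write both fragments: $1 = config dir, $2 = client name, $3 = resolver
# output. Prints the number of addresses written (0 means nothing resolved).
write_fragments() {
  dir=$1; client=$2
  addrs=$(printf '%s\n' "$3" | unique_v4)
  mkdir -p "$dir/ccd"
  push_routes "$addrs" > "$dir/push-routes.conf"   # "config" it from server.conf
  iroutes "$addrs" > "$dir/ccd/$client"
  printf '%s\n' "$addrs" | grep -c .
}

demo_addrs=$(printf '%s\n' "$SAMPLE_RESOLUTION" | unique_v4)
push_routes "$demo_addrs"
iroutes "$demo_addrs"
```

Run from cron, then restart OpenVPN when the generated push list changes; the ccd file is re-read per client connection.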
