Eduvpn connection only used for specific CIDR range(s)

eduvpn / python-eduvpn-client

Linux client for eduVPN

https://eduvpn.org/

GNU General Public License v3.0

39 stars 38 forks source link

Eduvpn connection only used for specific CIDR range(s) #571

Open pooh22 opened 8 months ago

pooh22 commented 8 months ago

Currently it seems I can only use eduvpn to pass all traffic from my client to the entire internet via eduvpn, but I would like to be able to work on the local network directly, but via VPN to a specific ip range.

It would be nice if I could configure an option in the eduvpn client (cli/gui) to setup a route on my client for 123.123.0.0/16 via eduvpn and keep using the network default route and local network connections for other ip ranges.

This way, when I'm working from home, I can keep using my local printer, file shares and octopi without disconnecting from eduvpn.

pooh22 commented 8 months ago

A workaround script that seems to do the trick:

#!/bin/bash
# find tunnel device. probably tun0
TUNDEV=$(ip route |grep default |grep tun |awk '{print $5}')
if [[ "$TUNDEV" == "" ]]; then 
    echo 'geen tunnel, niks te doen dus'
    exit 1
fi
# find gateway for tunnel device
TUNGW=$(ip route |grep default |grep $TUNDEV |awk '{print $3}')
# delete all routes that run via tunnel device
ip route |grep $TUNDEV  |grep -v scope | ( while read line; do sudo ip route del  $line;done )
# add route to network via tunnel device
sudo ip route add 123.123.0.0/16 via  $TUNGW dev $TUNDEV

I'd prefer to have this as an option in eduvpn, it saves an extra step in setting up the vpn

jwijenbergh commented 8 months ago

Right, you can try to script something together with NetworkManager dispatcher scripts so that this is automatically done when the VPN connection gets added/connected by the client: https://networkmanager.dev/docs/api/latest/NetworkManager-dispatcher.html

RightInTwo commented 3 weeks ago

I think it would be wonderful to have such an option. There are valid security concerns in this context, but I think they can be addressed by only allowing route overrides through the GUI if the given configuration allows it. Yes, there will still be workarounds for users that can configure network routes in their OS, but it provides a layer of safety for end-users and enables them to relief the university's or institute's vpn when watching youtube, netflix or other bandwith-heavy applications that are a very low security concern.

E.g.:

High security profile: All data must go through vpn
Medium security profile: A list of domains and CIDRs can be "direct"
Low security profile: An option similar to nm's "Use this connection only for resources on its network"