Split Tunneling

[keoma]

While I am familiar with the concept of encryption and having spent a lot of time securing my electronic communications, some technicalities still escape me so forgive me for posting a seemingly ridiculous question.

Is there any way to have to split my data into two streams, one encrypted and one un-encrypted? I am running some applications on my computer that generate quite a bit of traffic but as the data is not sensitive, I wouldn't mind to keep it unencrypted while I would want everything else, e. g. browser traffic, to be encrypted. That way, I could reduce the load on the CS server a fair bit.

[parityboy]

@OP

Typically in a corporate "road warrior" situation, the default route is the local Internet router and the corporate network has explicit route(s) set to go over the VPN. In the case of a VPN provider like CS, the default route goes over the VPN. If you know the destination IPs or IP ranges for your non-sensitive applications you could set them up as explicit routes to go over your normal network interface. What are these applications, just out of interest?

[keoma]

Thanks a bunch! I trade currencies for a living and the broker software, charting applications and news feeds do generate traffic that doesn’t need to be encrypted. I do have the IP addresses of the non-sensitive applications so how do I set them up as explicit routes to go over my normal network interface? I’m presume this has been done before so where would I start looking for instructions?

[Tealc]

Hi there. So this is actually a very good topic, since I've being searching for this "Split tunneling" thing for some time now.
Let me tell you what I've did.

I have a WDR3600 with "OpenWrt Attitude Adjustment 12.09" and since this router does 2 different wifi networks and frequencies I touth I make wlan1 for example go to the VPN and wlan0 go directly to my cable provider. With this if I wanted to connect to the VPN I've just change wifi network, it's that easy, at least in theory LOL

I did accomplish to get the openvpn client to connect to CS and after some iptables configuration everything connected fine and all computers connected to the router were also connected to CS.
The next logical step was to make the split tunneling, like this:

- all eth0 to eth5 ports are to connect directly to wan0
- wlan0 is to connect directly to wan0
- wlan1 to to connect directly to tun0 to access CS
- all communication coming from tun0 are to go to wlan1
- tun0 is connected to wan0

After consulting several sites all over the "dark net" and some tor files about networking, I've found that it all depends with the configuration of iptables, and that was when the "shit hit the vents", I couldn't get it working and I actually had to reset my router several times

So with all of this, does anyone has several pointers on getting this to work?
Or better, is there a IPtables guru here in the forum?

[tlsbreak]

Let's say you wanted to set up your dd-wrt to connect to only 1 ip address/subnet or CIDR or whatever. What would that iptable rule look like?

It seems to me you need a rule like that for each non-vpn connection.

[parityboy]

@keoma

Which platform is this for: Linux, OS X or Windows?

[Tealc]

....
It seems to me you need a rule like that for each non-vpn connection.

Actually that's not true, since you can make the iptables rule for the specific interface (wan, wlan, eth, br-lan, tun, tap) and them assign the non vpn connection to one of them, in theory I know that works, since a former college of mine did that exact same thing for our VPN work office in is home.

He no longer works there and I've lost all contact with him, I have to say that he though me a lot of what I know now.

@keoma

Which platform is this for: Linux, OS X or Windows?

Yeah, he actually didn't say, nevertheless the easiest way to go is with dd-wrt or openwrt since they are linux based with several interfaces attached and already programmed, I believed that with any Linux distro with IPtables we can create several Virtual Lan's and them put my theory working.

So IPTABLES GURU anyone?

[keoma]

@keoma

Which platform is this for: Linux, OS X or Windows?

Right, I should have mentioned it: Am running on WIN 8 64 bit

[tlsbreak]

....
It seems to me you need a rule like that for each non-vpn connection.

Actually that's not true, since you can make the iptables rule for the specific interface (wan, wlan, eth, br-lan, tun, tap) and them assign the non vpn connection to one of them, in theory I know that works, since a former college of mine did that exact same thing for our VPN work office in is home.

So you connect to dd-wrt and your iptables tell it to send this packet to wan, this one to tun? I'm trying to visualize how the iptable rules would look. I use pfSense and have similar needs as the OP. I set up a rule to pass traffic going to a non-vpn ip address through the gateway I want. I have to create a rule for each address though (at least I think I do ).

I've been told that dd-wrt is more secure than pfSense, so I'd kind of like to switch, but this iptable stuff makes my head explode.

Am running on WIN 8 64 bit

I didn't think this was possible on Windows?

I'll stop cluttering the thread now, sorry. I'm not really helping.

[keoma]

....

Am running on WIN 8 64 bit

I didn't think this was possible on Windows?

I presume it is. PureVPN offers this as a feature, although I am unable to tell whether and how much this compromises security or whether this features works as advertised. They say this on their website:

"When it comes to offering rare and valuable features, nobody comes even close to PureVPN. Case in point: The Split-Tunneling feature. Every PureVPN account comes loaded with all possible options and features, including split-tunneling. Just open the VPN dialer on your device (and there are customized dialers for all devices) and access the built-in split-tunneling feature. Our split-tunneling feature easily allows you to ‘Split’ your data traffic and choose which traffic stream to ‘Tunnel’ while not tunneling the other. This way, you can conduct important activities with VPN protection while simultaneously enjoy unsecured but fast internet speed for unimportant tasks, like streaming. The best of both worlds, right?"

[Tealc]

So you connect to dd-wrt and your iptables tell it to send this packet to wan, this one to tun? I'm trying to visualize how the iptable rules would look. I use pfSense and have similar needs as the OP. I set up a rule to pass traffic going to a non-vpn ip address through the gateway I want. I have to create a rule for each address though (at least I think I do ).

I've been told that dd-wrt is more secure than pfSense, so I'd kind of like to switch, but this iptable stuff makes my head explode.

So I must of not explained to you very well, I'm running OpenWrt router that as a linux based system with a lot a normal linux apps and everything, and that includes iptables.
So in OpenWrt, Iptables comes installed from the start and normally if you don't want to do a lot a changes in a normal user connectivity it's a lot automatic configuration and you don't have to touch a thing. But since I'm running in a very special building network I actually need a lot a tweaking to getting this to work.

You do have to create a specific rule for a specific address if your running several in the same hardware port of your router, for example imagine that I have a network switch connected to port 1 of my router (eth0) and with that switch I connect 2 devices (dev1, dev2) both devices have, as normally should, different IP's address but the router port is the same, in that way you have to create a specific rule for each of the ipaddress and not a normal rule to forward something from eth0 to wan0 for example.

Look here:
HTTP Server - IPv4-TCP - From any host in wan - Via any router IP at port 80 - IP 192.168.1.3, port 80 in lan

This mean that any ip that comes out of wan at port 80 is to be directed to the lan network ip 192.168.1.3 port 80, this is a specific rule to a specific port and ipaddress destination inside the lan, but imagine that you have only ONE IP running in eth0, that way you could direct any ip that comes out of port 80 from wan to eth0

When I'm not in the mood to do the iptables manually I just go on one of this sites:
http://easyfwgen.morizot.net/gen/index.php
http://www.perturb.org/content/iptables-rules.html

[Tealc]

SUCCESS!!

So.... this all thing got me searching and searching and I've found it....

https://blog.ipredator.se/howto/openwrt ... enwrt.html

This blog from another VPN provider did the trick... I had to change of lot of the parameters but everything worked out ok.

I'm now running all my hardwired computers (eth0, eth1, eth2, eth3, eth4) in Germany with CS. With this initial configuration from the other VPN provider with makes all devices connected with wlan0 and wlan1 to access the internet directly with my ISP's and all the hardwired with CS.

Here is the "Split Tunneling" that we wanted so much!!!

Next step:

1) Remove eth0/eth4 form the CS connection
2) Remove wlan1 from directly connecting to my ISP's
3) Adding only wlan0 to connected to CS
4) Check the dns leak test, since with the wired computers are given my ISP's DNS, but it shouldn't since my main wan device as 5 CS dns servers included and not the ISP's ones
5) Check this load average problem: Load Average 2.06, 1.10, 2.13 (normally in heavy duty connections like 20 torrents downloading and 10 uploading it doesn't go more them: Load Average 0.35, 0.20, 0.65)
6) Check: When connecting drops I can't access internet (and that's actually what we want) but the connecting doesn't go back online)
7) No internet connection when using wlan1, no changes made so for with the initial configuration
8) Make a tutorial of all the necessary changes and put it here for all the community
9) In a near future make a image with the necessary changes for the WDR3600 with OpenWrt

I really have to thank you guys that keept this topic alive, with that I got to do something that I've been wanting for some time now

[keoma]

@tealc

Thanks Mate. Sounds very technical indeed and since I am not that technically inclined, it will take me quite a while to figure out what exactly you are doing. Nevertheless, I may give it a try.

[tlsbreak]

So I must of not explained to you very well, I'm running OpenWrt router that as a linux based system with a lot a normal linux apps and everything, and that includes iptables.
..........
http://easyfwgen.morizot.net/gen/index.php
http://www.perturb.org/content/iptables-rules.html

I knew you were using openwrt but had dd-wrt in my mind. Thanks for the explanation and links they look great.

I presume it is. PureVPN offers this as a feature, although I am unable to tell whether and how much this compromises security or whether this features works as advertised. They say this on their website:

"When it comes to offering rare and valuable features, nobody comes even close to PureVPN. Case in point: The Split-Tunneling feature. Every PureVPN account comes loaded with all possible options and features, including split-tunneling. Just open the VPN dialer on your device (and there are customized dialers for all devices) and access the built-in split-tunneling feature

If it can be done in the dialer then you should be able to do it in the Openvpn config.
I stumbled across this.
https://forums.openvpn.net/topic8229.html

I haven't tried it myself and not sure how it works in Win8 (Win8, ewwww ). Maybe it will give some ideas.

[keoma]

Is there any chance that split tunnelling could be incorporated in the widget v. 1.10 with a simple option to specify 3 or 5 IP addresses that will bypass the VPN while all other traffic goes through the VPN? Judging by the above replies, it is technically possible and it would surely benefit everyone - users see a great improvement in performance while the CS servers will have a greatly reduced server load.

[cryptostorm_support]

I'll talk to our devs about that, but I would have to wager that's a fairly non-trivial feature to implement to ensure security doesn't needlessly get compromised. I would expect that would be something for a major release, but I will defer to their boundless wisdom

[parityboy]

@thread

Split tunnelling in the widget will likely involve talking to the Windows firewall API (assuming such a thing exists) to set the relevant policies, while not meddling with any which are already set.

[marzametal]

I don't see why it would benefit everyone, I have no use or purpose or inclination to allow an IP to bypass CS. I use Windows 7 Firewall with Advanced Security to block svchost.exe (provides inactive internet till widget kicks in)... hence I would suggest a spinoff widget to handle this split tunnelling stuff. I think this is a "security vs convenience" issue. I consider this a flaw, not a feature (just my opinion).

"Heyyy... install this widget so you can access the internet anonymously, don't know who you are, kickass encryption etc... But we got this cool feature implemented that allows the world to see what you are up to".

Just because some things you do on the internet are not sensitive, doesn't mean that the product supplied by the VPN provider should allow for it... If this is catered to, then you mightaswell cater for torrent ports as well, or anything else that the honeypot companies provide... I think it goes against the mission statement if it is implemented in the widget (again, just my opinion).

If the user wants it, then the user should set it up on his/her own, keep it away from product injection/feature-warez...

[Tealc]

I have to agree with @marzametal and @parityboy this is a potential security risk.

Nevertheless I do assume that this split tunneling thing for me is top notch, I have a seedbox running that I don't want to go into CS (I'm in the very limited country's that allow P2P), also everything Facebook, Twitter, local country TV, Internet Radio I really want to go with my normal provider, but with my OpenNIC's DNS servers (besides it's a little complicated to tell my wife that she isn't in Iceland or Germany when she post's to Facebook, and that did happen ).

Them there's all the "other things" that, are restricted to my activity both personal and professional, I do want to be "invisible" and don't want some "sniffer" robot in my IP
I don't have Facebook, I don't use GAPP's, I do own a Android Phone but no Play Store (FDroid is a must!), just recently did I opened a Twitter account (for the sole propose of talking to CS LOL), I do not use Windows or iOS devices (Ubuntu all the way).

So it's a little complicated to explain but I do like this Split Tunneling thing but maybe in this kind of way like I did, with a dual band router and them 1 one wifi goes to home and the other goes to the world (we should use the AP Isolate mode, this way there is no communicating between wifi's or devices in the same wifi), this way you always know what to use and where you want to use it. Yeah I can easily install OpenVPN in all my devices and just run CS from there but i'm a practical guy that sometimes forgets simple things

Hope this makes some sense, LOL

I'm not in the mood for writing today, it was a bad day at work.

[keoma]

@marzametal

I don’t get your point – if you don’t trust a particular IP address or website, then you could just not bypass CS, or not? You may agree that it is every user’s own choice and responsibility how much “security over convenience” he wants. I am not surfing porn sites or am connecting to torrent networks but am generating a lot of traffic with servers that are surely not set up as honeypots.

Anyway, I didn’t intend to make this a major issue and I’ll surely find a work-around on my own so I rest my case.

[parityboy]

@thread

Split tunnelling is indeed useful. I use it in my VM: torrents and other communications go over the VPN, my NZB client uses SSL over the clearnet. My Usenet setup currently means there's no advantage to using it through a VPN (this will change soon though), therefore the additional CPU load from the dual encryption isn't worth it.

However, setting up routes and firewalls on Linux is easy. Windows I'm not so sure about.

[Tealc]

@thread

Split tunnelling is indeed useful. I use it in my VM: torrents and other communications go over the VPN, my NZB client uses SSL over the clearnet. My Usenet setup currently means there's no advantage to using it through a VPN (this will change soon though), therefore the additional CPU load from the dual encryption isn't worth it.

However, setting up routes and firewalls on Linux is easy. Windows I'm not so sure about.

May I assume that you really know how to make good IPtables rules? If so, can I give you my network architecture and ask a little help setting some things up?

[parityboy]

@Tealc

Sure, why not?

[df]

Old thread, but I didn't see any actual commands here, so I thought I'd add some

In this network setup, 192.168.1.1 is the gateway IP for your LAN.
As an IP to exclude from the VPN, I'll use http://ifconfig.co/'s IP, which is currently 188.113.88.193.
On Windows, after connecting to the VPN, visit http://ifconfig.co/ in your browser to verify that the VPN is on.
Then, start a command prompt as Administrator and run:

Code: Select all

route add 188.113.88.193 mask 255.255.255.255 192.168.1.1

That will tell windows to use the gateway 192.168.1.1 for the IP 188.113.88.193, instead of the default gateway which is currently the one set by OpenVPN.
If needed, you can also use subnet masks such as 188.113.88.0/24 to instead exclude an entire C class of IPs.

To verify that it's working, go to http://ifconfig.co/ again and you should see your real IP.
To verify that it's only excluding that website, you can use http://checkip.dyndns.org/ or https://cryptostorm.is/ip and you should get the VPN's IP.

Once the exclusion is no longer needed, you can remove that route with:

Code: Select all

route delete 188.113.88.193

On Linux, the command to add the route would be:

Code: Select all

route add -host 188.113.88.193 gw 192.168.1.1

and to delete:

Code: Select all

route del -host 188.113.88.193

Obviously, doing this presents a risk to your anonymity since the IP you're excluding will see your real IP.
If you're connecting to that IP using any plaintext protocol, it could be monitored or hijacked.

I have no plan to add this type of split tunneling feature to the widget, since most people don't need it.
The few that do can use the above commands.

[marzametal]

Still, a good bit of info... thanks!

[parityboy]

@marzametal

Haven't seen you around in a little while, how's things?

[marzametal]

@marzametal

Haven't seen you around in a little while, how's things?

Yeah, I've got a bit going on behind the scenes, which is keeping me away from the PC. Overall, still alive (I think)! How's your side treating you?

Hoping the CS Router will be out soon. Bit apprehensive about this

[parityboy]

@marzametal

Haven't seen you around in a little while, how's things?

Yeah, I've got a bit going on behind the scenes, which is keeping me away from the PC. Overall, still alive (I think)! How's your side treating you?

Hoping the CS Router will be out soon. Bit apprehensive about this

Yeah, all's good here, still keeping my life glued together lol. Cheers for the link.