Here is my setup:
Internet - router - Unix router - VPN1 - VPN2

router: 192.168.2.1/24
Unix router: 192.168.2.55/24
VPN1: 10.0.1.0/24 (Unix router: 10.0.1.10)
VPN2: 10.0.2.0/24 (Unix router: 10.0.2.10)

Whatever I try, I keep getting some packets being misdirected on one VPN or the other, or even through the direct connection. I tried using connmark without success.
The default outgoing connection from my Unix router needs to be through the direct connection, not the VPNs.
I also would like to be able to get some traffic directed from either VPN to my Unix router. That's where it gets complicated to control the reverse path correctly.
It doesn't matter if the VPN servers have access to the 192.168.2.0/24 LAN, but it would be nice to have.
Can anyone point me in the right direction using iptables or iproute2?
Here are my current results with OpenVPN's iroute option set:
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1b:21:4e:3d:8a brd ff:ff:ff:ff:ff:ff
3: enp4s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1b:21:4e:3d:8b brd ff:ff:ff:ff:ff:ff
4: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 00:23:54:27:2b:c5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::223:54ff:fe27:2bc5/64 scope link
       valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:23:54:27:2b:c5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.55/24 brd 192.168.2.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::223:54ff:fe27:2bc5/64 scope link
       valid_lft forever preferred_lft forever
6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:7d:a4:f6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe7d:a4f6/64 scope link
       valid_lft forever preferred_lft forever
7: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:41:24:60 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe41:2460/64 scope link
       valid_lft forever preferred_lft forever
18: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.0.2.10 peer 10.0.2.1/32 scope global tun2
       valid_lft forever preferred_lft forever
19: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.0.1.10 peer 10.0.1.1/32 scope global tun1
       valid_lft forever preferred_lft forever

# ip route
default via 192.168.2.1 dev br0 metric 5
10.0.1.0/24 via 10.0.1.1 dev tun1
10.0.1.0/24 via 10.0.2.1 dev tun2
10.0.1.1 dev tun1 proto kernel scope link src 10.0.1.10
10.0.2.0/24 via 10.0.1.1 dev tun1
10.0.2.0/24 via 10.0.2.1 dev tun2
10.0.2.1 dev tun2 proto kernel scope link src 10.0.2.10
104.223.87.195 via 192.168.2.1 dev br0
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.55
204.44.85.107 via 192.168.2.1 dev br0
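An added example, not from the question or any answer, of how the reverse-path problem described above is usually handled with iproute2 source-based policy routing: each tunnel gets its own routing table so that replies sourced from 10.0.1.10 leave via tun1 and replies sourced from 10.0.2.10 leave via tun2, while the main table keeps the direct default via 192.168.2.1. The addresses and device names come from the question; the table numbers and the DRY_RUN switch (print commands instead of running them) are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-tunnel policy routing for the two-VPN setup above.
# Run with DRY_RUN=0 (as root) to apply; by default it only prints the commands.
set -eu

LAN_GW=192.168.2.1
VPN1_LOCAL=10.0.1.10; VPN1_PEER=10.0.1.1; VPN1_DEV=tun1; VPN1_TABLE=101  # table ids assumed
VPN2_LOCAL=10.0.2.10; VPN2_PEER=10.0.2.1; VPN2_DEV=tun2; VPN2_TABLE=102

# Print the command instead of executing it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table plus one rule per tunnel: anything the Unix router sends
# from its tunnel address is looked up in that table, whose only route is the
# tunnel peer, so the reply goes back the way the request came in.
vpn_policy() {
    local_ip=$1 peer=$2 dev=$3 table=$4
    run ip route replace default via "$peer" dev "$dev" table "$table"
    run ip rule add from "$local_ip" table "$table" priority "$table"
}

setup_policy_routing() {
    # Main table: keep the direct default. Drop the crossed routes seen in the
    # question's "ip route" output (10.0.1.0/24 via tun2, 10.0.2.0/24 via tun1),
    # which are what sends packets out the wrong tunnel; ignore "not found".
    run ip route replace default via "$LAN_GW" dev br0 metric 5
    run ip route del 10.0.1.0/24 via "$VPN2_PEER" dev "$VPN2_DEV" || true
    run ip route del 10.0.2.0/24 via "$VPN1_PEER" dev "$VPN1_DEV" || true
    vpn_policy "$VPN1_LOCAL" "$VPN1_PEER" "$VPN1_DEV" "$VPN1_TABLE"
    vpn_policy "$VPN2_LOCAL" "$VPN2_PEER" "$VPN2_DEV" "$VPN2_TABLE"
    # Loose reverse-path filtering on the tunnels: with strict rp_filter (1) the
    # kernel silently drops packets arriving on tun1/tun2 whose best route in the
    # main table points elsewhere. The effective value is the larger of
    # conf.all.rp_filter and the per-interface value, so "all" must not be 1.
    run sysctl -w "net.ipv4.conf.$VPN1_DEV.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$VPN2_DEV.rp_filter=2"
}

setup_policy_routing
```

Check the result with "ip rule show" and "ip route show table 101" (and 102); locally originated traffic without a tunnel source address still uses the main table and therefore the direct connection.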
ip addr and ip route after starting the VPN tunnels, and describe what exactly you have done with "different means".