vpnitall (VPN Flow Manager)
Written by Administrator
Wednesday, 08 June 2011 22:48

This is a bash script I wrote while trying to find a way to make a SIP softphone function reliably in a highly mobile environment. At some point I'll do more work on it and update the notes, but as of my last round of tests the only mode in which my SIP applications worked reliably was "GLOBAL-on", i.e. send ALL the traffic from the machine down the tunnel. Feel free to correct me if I'm wrong and "SG-on" also works as intended.

2011-06-10 IDEA: For other apps like Firefox this script does everything as intended. Thinking about it, an idea to implement would be to put EVERYTHING on the VPN and selectively delegate non-VPN things off of the VPN (i.e. if a packet is not owned by the group, then use an alternate table which directs it to the local route). This might successfully deal with pesky apps like SIP and put everything else on the local network... I'll have to look into this later.

Current dependencies: kmod-xtables, iptools

Here are my notes as I left them last (this script was built and tested on Fedora 13):

###### NOTES
##
## This script takes any traffic from a given user group and forces it out through a specific gateway address. This
## is useful for those times when you need your SIP softphone to use a VPN to get connected to your provider. This
## lets you use your softphone on any network/hotel/cafe/etc. that lets you connect to your VPN. I'm sure
## there are plenty of other use cases for this as well.
##
## This script has been tested on and assumes you will be using OpenVPN, but you could likely use others as well.
##
####### Where i got my ideas
## http://www.sparksupport.com/blog/application-based-routing-in-linux
## http://www.linuxhorizon.ro/iproute2.html
## http://linux-ip.net/html/adv-multi-internet.html
## http://www.faqs.org/docs/iptables/traversingoftables.html
## http://www.spinics.net/lists/netfilter/msg47308.html
## http://www.spinics.net/lists/netfilter/msg47313.html
## http://www.spinics.net/lists/netfilter/msg47314.html
##
##
## DEPENDENCIES:
## you will need kmod-xtables-addons for this to work (you need the iptables addon module which lets you filter by group id)
##
##
##   ####################################################
##   # ***NOTE: This script NEEDS to be RUN AS ROOT!*** #
##   ####################################################
##
##
#### Preflight: (you need to do this stuff ONLY ONCE to make this script work)
#####
######## Once ever
##### sudo groupadd siptunneled
##### sudo gpasswd -a <user_name> siptunneled
#####
##### echo "100 siptable" >> /etc/iproute2/rt_tables
#####
######## Once per boot session (soon to be handled by this script directly)
##### iptables -t mangle -A OUTPUT -m owner --gid-owner siptunneled -j MARK --set-mark 1
##### iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
##### ip rule add fwmark 1 lookup siptable
#####
######## AFTER THE TUNNEL IS UP (done for you)
##### echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter
#####
##
##
######## stuff needed VPN serverside once per boot(or else this wont work)
##### echo 1 > /proc/sys/net/ipv4/ip_forward
#####
#####
##
## After the script has been run, to make your program use the gateway in question simply run
##
## sg siptunneled <Program_name>
##
## Then all traffic from that program should be forced down that specific interface.
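The preflight, per-boot and after-tunnel steps above, written as one idempotent setup function. This is an added example and not the attached vpnitall.sh: it uses the page's names (group siptunneled, table siptable with id 100, fwmark 1, tun0), but the run/ensure_* helpers, the DRY_RUN switch and the default route added inside siptable (via a VPN gateway address the caller passes in) are my own assumptions about what the script does after the tunnel comes up.

```shell
#!/usr/bin/env bash
# Added example, not the attached vpnitall.sh: an idempotent version of the
# preflight and per-boot steps from the notes. Names are the page's
# (siptunneled, siptable, mark 1, tun0); run/ensure_* and DRY_RUN are mine.
set -eu

GROUP=siptunneled
TABLE=siptable
TABLE_ID=100
MARK=1
TUN_IF=tun0
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the privileged commands instead of running them

# run CMD...: execute a privileged command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rt_table FILE ID NAME: register a routing table name once. The notes'
# 'echo "100 siptable" >> /etc/iproute2/rt_tables' appends a duplicate line
# every time it is repeated; this checks for the name first.
ensure_rt_table() {
    local file=$1 id=$2 name=$3
    if grep -qE "^[[:space:]]*[0-9]+[[:space:]]+${name}([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s %s\n' "$id" "$name" >> "$file"
}

# ensure_iptables_rule TABLE CHAIN MATCH...: append the rule only if
# 'iptables -C' reports it missing, so re-running does not stack duplicates.
ensure_iptables_rule() {
    local table=$1 chain=$2
    shift 2
    if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$chain" "$@"
}

# ensure_fwmark_rule: add the 'fwmark -> table' policy rule only once
# (older iproute2/kernel combinations let 'ip rule add' create identical rules).
ensure_fwmark_rule() {
    if [ "$DRY_RUN" != 1 ] && ip -4 rule show | grep -q "fwmark 0x$(printf '%x' "$MARK") lookup $TABLE"; then
        return 0
    fi
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# setup_group_routing VPN_GATEWAY: the per-boot and after-tunnel steps.
# Must run as root with the tunnel already up. The default route inside
# siptable (via the VPN gateway the caller passes in) is my assumption;
# it is what actually sends the marked packets out of the tunnel.
setup_group_routing() {
    local gw=$1
    ensure_rt_table "$RT_TABLES" "$TABLE_ID" "$TABLE"
    # 1. every packet generated by a process running under the group gets mark 1
    ensure_iptables_rule mangle OUTPUT -m owner --gid-owner "$GROUP" -j MARK --set-mark "$MARK"
    # 2. traffic leaving through the tunnel gets the tunnel's source address
    ensure_iptables_rule nat POSTROUTING -o "$TUN_IF" -j MASQUERADE
    # 3. marked packets consult siptable instead of the main table ...
    ensure_fwmark_rule
    # ... whose only route sends everything to the VPN gateway
    run ip route replace default via "$gw" dev "$TUN_IF" table "$TABLE"
    # 4. reverse-path filtering would otherwise drop replies arriving on tun0
    #    for flows the main table would have routed elsewhere
    run sysctl -w "net.ipv4.conf.${TUN_IF}.rp_filter=0"
}

# Invoked as a script with a gateway argument, e.g. DRY_RUN=1 ./vpn-group-route.sh 10.8.0.1
if [ "$#" -gt 0 ]; then
    setup_group_routing "$1"
fi
```

Run it as root once the tunnel is up (`./vpn-group-route.sh <vpn-gateway-ip>`), or with `DRY_RUN=1` to only print the five commands it would issue; afterwards `sg siptunneled <Program_name>` sends that program's traffic via tun0. To confirm the marking is hitting, `iptables -t mangle -L OUTPUT -v -n` shows the packet counter on the MARK rule climbing while the softphone runs, and `ip rule show` lists the fwmark rule in front of the main table.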


##iptables ideas (likely no longer needed)
#   iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.25.2.6
#   iptables -t nat -A POSTROUTING -m owner --gid-owner siptunneled -j SNAT --to-source 10.25.2.6
#==>iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#   iptables -t nat -A POSTROUTING -m owner --gid-owner siptunneled -j MASQUERADE
#
#
###Table of known clients
## for this test I used no special port forwarding or other special settings on the VPN or elsewhere unless otherwise noted
##
## as a side note, in my extensive switching between vpn on 1 and vpn off, I'm finding that vpn on 2 makes things sync up faster
##
## Linphone
#### linphone-3.2.1-2.fc13.x86_64
## tested on babytel.ca
## doesn't seem to support outbound proxying - or if it does, there's no obvious indication as to how to make this work.
## running on VPN enables outbound calling only (inbound rings but you cannot answer)
## No hacks to make it work
##
## Twinkle (local=IO vpn=IO)
#### twinkle-1.4.2-5.fc13.x86_64
## Had some issues getting it to work, but it seems to work well on and off of the VPN (I'm guessing it makes proper use of the outbound proxy setting)
##
## SFLphone
#### sflphone-client-gnome-0.9.12.1-1.1.x86_64
#### sflphone-common-0.9.12.1-1.1.x86_64
## Very nice looking; so far I can only make outbound calls work on babytel. Calls to ekiga.net result in no audio.
## Looks like these guys need to steal a page out of the Twinkle and Ekiga playbooks
##


#### Table of cheats
#FLAGS: I=inbound O=outbound
#
##1## babytel.ca workaround
## tested to work on: sflphone=O
## takes all packets to sip.babytel.ca:5060 and sends them to nat2.babytel.ca:5065
## From my research it looks like babytel wants its packets to be addressed to: sip.babytel.ca:5060
## AND YET come to: nat2.babytel.ca:5065
## Quite disgusting - but it is needed to make sflphone work with babytel.ca and likely other clients as well
#
#   iptables -t nat -A OUTPUT -d 216.18.125.3 -p udp --dport 5060 -j DNAT --to 216.18.125.12:5065
#

Attachment: vpnitall.sh (v0.12, 9 Kb)
Last Updated on Friday, 10 June 2011 16:29