
Use VPN setup for ports, not IP (or as browser proxy)


Grundy

I have OpenVPN set up and working with PIA. In addition to having routing for a local IP (done), I would also like to use it to protect a port (80, 443, 563, etc).

Is this possible? The reason is I would like to protect some traffic, while leaving things like games, FTP (for work), etc, untouched. If there is some reverse mapping option (where only specific ports AREN'T included), the problem there would be I may not know all the ports in use that I don't want blocked.

Better yet would be to just use the browser proxy settings to achieve this (with the router as the proxy), but I can't find any direction on this. I am using Foxy in Firefox to use the PIA socks5, but it's already more headache than solution (starting with Google Netherlands results).
 
I found a temp solution, using my DiskStation as a proxy server, and the DS is routed to be under the VPN. I'd still like some port-filter or router proxy option, if possible, since I know, unlike the DS, the router will always be on if I am online.
 
I'd still like some port-filter or router proxy option, if possible...

Selective Port routing?

The DS proxy is possibly more reliable as the GUI Parental Control / Network Services Firewall and Trendmicro DPI engine can/will flush the fwmarks etc. :( ...but old-skool use of fwmark (managed in nat-start) may be a viable solution? ;)

Setup the appropriate RPDB rules:
Code:
ip rule add from 0/0 fwmark 0x7000 table main   prio 20000
ip rule add from 0/0 fwmark 0x1000 table ovpnc1 prio 20001

Then (as a silly test) you can force ALL ports except 'protected' ports FTP, SSH, Telnet and 563 via VPN Client 1
i.e.
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport ! --dport 21:23,563 -j MARK --set-mark 0x1000/0x1000
So then try to access https://ipleak.net / http://www.check-my-ip.net/ from any non-VPN routed device and port 443/80 will be shown using the VPN.

Alternatively you can explicitly force only the 'protected' ports via the VPN
e.g.
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 21:23,563 -j MARK --set-mark 0x1000/0x1000
Hopefully you get the idea.....
i.e.
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport ! --dport 80,443,563 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport   --dport 80,443,563 -j MARK --set-mark 0x7000/0x7000
However, depending on the number of ports to be checked (if you are on ARM using Ipset v6) it may be more efficient to create an IPSET rather than have multiple (individual) PREROUTING port rules. (NOTE: May not be quite as easy to debug!)
e.g.
Code:
ipset create ProtectedPorts bitmap:port range 0-1024
ipset add ProtectedPorts 80
ipset add ProtectedPorts 443
ipset add ProtectedPorts 563
so rather than have multiple -t mangle rules, simply add/remove member 'protected' ports from the IPSET and the following rule will cover all of the ports.
e.g.
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set ProtectedPorts dst -j MARK --set-mark 0x1000/0x1000
or
Code:
iptables -t mangle -A PREROUTING -i br0 -m set ! --match-set ProtectedPorts dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -m set   --match-set ProtectedPorts dst -j MARK --set-mark 0x1000/0x1000
P.S. You could of course also create an IPSET UnProtectedWANPorts etc. if it makes it easier to read!
NOTE: Depending on your requirements, you may need to qualify the rules with the IP address of the protected device, and may need to increase the priority of the RPDB rules from 20000/20001 to 9990/9991.
 
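Putting the pieces of the reply above together (the IPSET of protected ports, the two RPDB rules at prio 9990/9991, the mangle MARK rules qualified with the protected host's IP) as a single nat-start style script. This is an added example, not code posted in the thread or shipped with Asuswrt-Merlin; the LAN bridge br0, the VPN client table ovpnc1, the marks 0x1000/0x7000, the protected host 192.168.1.50 and the port list 80/443/563 are all assumptions made for the example. Because nat-start is re-run on WAN events, every add is guarded so the rules are not duplicated, and DRY_RUN=1 prints the commands instead of executing them so the rule set can be reviewed (or tested) off the router.

```shell
#!/bin/sh
# Added example (not from the thread): route only the "protected" TCP ports of
# ONE LAN host via VPN Client 1 using fwmark + RPDB, as described in the reply.
# Assumed (hypothetical) values: br0, table ovpnc1, marks 0x1000 (VPN) /
# 0x7000 (WAN), protected host 192.168.1.50, protected ports 80 443 563.
# Usage:  sh ovpn-ports.sh apply        (live)
#         DRY_RUN=1 sh ovpn-ports.sh apply   (print the commands only)

LAN_IF="br0"
PROTECTED_HOST="192.168.1.50"   # assumed LAN client to protect
PROTECTED_PORTS="80 443 563"
SET_NAME="ProtectedPorts"
VPN_MARK="0x1000"
WAN_MARK="0x7000"
VPN_TABLE="ovpnc1"

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nat-start can be re-run on WAN up/down, so every add must be idempotent:
# iptables -C checks for an identical rule, ip rule show for an RPDB entry.
iptables_rule_exists() {
    table="$1"; shift
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    iptables -t "$table" -C "$@" 2>/dev/null
}

ip_rule_exists() {   # $1 mark, $2 table
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    ip rule show | grep -q "fwmark $1 lookup $2"
}

add_iptables_rule() {
    table="$1"; shift
    iptables_rule_exists "$table" "$@" || run iptables -t "$table" -A "$@"
}

add_ip_rule() {   # $1 mark, $2 table, $3 prio
    ip_rule_exists "$1" "$2" || run ip rule add fwmark "$1" table "$2" prio "$3"
}

apply_rules() {
    # 1. Port set. bitmap:port needs a fixed range; 0-65535 covers any port.
    #    -exist turns create/add into no-ops when the set/member already exists.
    run ipset create "$SET_NAME" bitmap:port range 0-65535 -exist
    for p in $PROTECTED_PORTS; do
        run ipset add "$SET_NAME" "$p" -exist
    done

    # 2. RPDB: low prio numbers so these win over the stock VPN client rules
    #    (WAN mark -> main table first, then VPN mark -> ovpnc1).
    add_ip_rule "$WAN_MARK" main "9990"
    add_ip_rule "$VPN_MARK" "$VPN_TABLE" "9991"

    # 3. Mangle rules qualified with the host (-s) and -p tcp. A port-typed
    #    set can only match packets that carry a port, so restricting to TCP
    #    keeps the negated (WAN) rule from touching ICMP and other traffic.
    add_iptables_rule mangle PREROUTING -i "$LAN_IF" -s "$PROTECTED_HOST" -p tcp \
        -m set ! --match-set "$SET_NAME" dst -j MARK --set-mark "$WAN_MARK/$WAN_MARK"
    add_iptables_rule mangle PREROUTING -i "$LAN_IF" -s "$PROTECTED_HOST" -p tcp \
        -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$VPN_MARK/$VPN_MARK"

    # 4. Drop cached route decisions so existing flows pick up the new rules.
    run ip route flush cache
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

After applying it live, `ip rule show` should list the two fwmark entries at 9990/9991 and `iptables -t mangle -L PREROUTING -v` should show the two MARK rules with byte counters rising only for 192.168.1.50; checking https://ipleak.net from that host (port 443) should then report the VPN exit, while an FTP or game session from the same host still shows the WAN address.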
Thank you for all the detail. That was very helpful and enlightening. I had a chance to play around a bit, and I learned that port rules may not be the best fit for my environment. The problem turned out to be work-related things where certain sites are expecting me by IP, and things were getting thrown off. In the end, to protect family usage and just my private Firefox browsing, the DS proxy worked best.

That said, I would still be very interested in a Merlin/ASUS proxy option. Having that run alongside the OpenVPN would make a powerful security combo.
 
