Building a VLAN that is routed to a VPN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Define names
~~~~~~~~~~~~

The file /etc/iproute2/rt_tables should look like this:

    #
    # reserved values
    #
    255     local
    254     main
    253     default
    0       unspec
    #
    # local
    #
    #1      inr.ruhep
    1       VPN
    2       BLACKHOLE

Setting up routing
~~~~~~~~~~~~~~~~~~

This assumes Debian's /etc/network/interfaces.

Create the BLACKHOLE routing table with a blackhole default route:

    pre-up ip route add blackhole 0.0.0.0/0 table BLACKHOLE

Let all traffic with fwmark 0x1 use this table:

    pre-up ip rule add from all fwmark 0x1 lookup BLACKHOLE

Let all traffic with fwmark 0x1 use table VPN (currently empty):

    pre-up ip rule add from all fwmark 0x1 lookup VPN

Marked traffic consults the VPN routing table first. While that table is
empty, nothing matches there, so the lookup falls through to the BLACKHOLE
table and the traffic is sent to the blackhole.

Updating route once the VPN comes up
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This should be run in the script that establishes the VPN connection.

First, clean up the routing table:

    ip route flush table VPN

Then add the default route:

    ip route add default via $ifconfig_local dev tun0 table VPN

Fix DNS
~~~~~~~

By default, applications send their DNS requests to the server(s) listed in
/etc/resolv.conf. This DNS server is usually not reachable over the VPN
(unless you use 8.8.8.8).

A chain VPNDNS should be created in 'iptables -t nat'. All packets that will
go to the VPN and are destined for UDP port 53 should be directed to this
chain. For example:
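Going back to the rules under "Setting up routing": the following is an added example, not part of the original page, that checks the fail-closed property those rules rely on, namely that fwmark 0x1 traffic tries table VPN first, then BLACKHOLE, and never reaches the main table. The function names `rule_prio` and `check_failclosed` and the sample `ip rule show` output are constructed for illustration, and the check assumes the table names from /etc/iproute2/rt_tables above.

```shell
#!/bin/sh
# Added example: check that fwmark 0x1 traffic fails closed.
# On a live host pass "$(ip rule show)" and "$(ip route show table BLACKHOLE)".

# Constructed sample of `ip rule show` after the two pre-up rules were added.
GOOD_RULES='0: from all lookup local
32764: from all fwmark 0x1 lookup VPN
32765: from all fwmark 0x1 lookup BLACKHOLE
32766: from all lookup main
32767: from all lookup default'

# Constructed sample with the two rules in the wrong order.
BAD_RULES='0: from all lookup local
32764: from all fwmark 0x1 lookup BLACKHOLE
32765: from all fwmark 0x1 lookup VPN
32766: from all lookup main'

# rule_prio RULES TABLE: priority of the fwmark 0x1 rule that looks up TABLE.
rule_prio() {
    printf '%s\n' "$1" | awk -v t="$2" \
        '/ fwmark 0x1 / && $NF == t { sub(":", "", $1); print $1; exit }'
}

# check_failclosed RULES BLACKHOLE_ROUTES: returns 0 only if marked traffic
# tries VPN first, then BLACKHOLE, and never reaches the main table.
check_failclosed() {
    vpn=$(rule_prio "$1" VPN)
    bh=$(rule_prio "$1" BLACKHOLE)
    main=$(printf '%s\n' "$1" |
        awk '$NF == "main" && !/fwmark/ { sub(":", "", $1); print $1; exit }')
    [ -n "$vpn" ] || { echo "FAIL: no fwmark 0x1 rule for VPN"; return 1; }
    [ -n "$bh" ] || { echo "FAIL: no fwmark 0x1 rule for BLACKHOLE"; return 1; }
    # A lower priority number is consulted first.
    [ "$vpn" -lt "$bh" ] || { echo "FAIL: BLACKHOLE consulted before VPN"; return 1; }
    [ -z "$main" ] || [ "$bh" -lt "$main" ] ||
        { echo "FAIL: main consulted before BLACKHOLE"; return 1; }
    printf '%s\n' "$2" | grep -q '^blackhole default' ||
        { echo "FAIL: BLACKHOLE has no blackhole default route"; return 1; }
    echo "OK: marked traffic uses VPN or is dropped"
}

check_failclosed "$GOOD_RULES" "blackhole default"
check_failclosed "$BAD_RULES" "blackhole default" || true
```

Running this check from the VPN up and down scripts catches a reordered or missing rule before marked traffic can leave through the normal default route.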