Title: OpenVPN on OpenBSD in its own rdomain to prevent data leak
Author: Solène
Date: 16 December 2021
Tags: openbsd openvpn security
Description: This article explains how to prevent programs to access
the Internet through a non VPN interface.
# Introduction
Today I will explain how to establish an OpenVPN tunnel through a
dedicated rdomain to only expose the VPN tunnel as an available
interface, preventing data leak outside the VPN (and may induce privacy
issues). I did the same recently for WireGuard tunnels, but it had an
integrated mechanism for this.
Let's reuse the network diagram from the WireGuard text to explain:
```network diagram in text
+-------------+
| server | tun0 remote peer
| |---------------+
+-------------+ |
| public IP |
| 1.2.3.4 |
| |
| |
/\/\/\/\/\/\/\ |OpenVPN
| internet | |VPN
\/\/\/\/\/\/\/ |
| |
| |
|rdomain 1 |
+-------------+ |
| computer |---------------+
+-------------+ tun0
rdomain 0 (default)
```
We have our computer and have been provided an OpenVPN configuration
file, we want to establish the OpenVPN toward the server 1.2.3.4 using
rdomain 1. We will set our network interfaces into rdomain 1 so when
the VPN is NOT up, we won't be able to connect to the Internet (without
the VPN).
# Network configuration
Add "rdomain 1" to your network interfaces configuration file like
"/etc/hostname.trunk0" if you use a trunk interface to aggregate
Ethernet/Wi-Fi interfaces into an automatic fail over trunk, or in each
interface you are supposed to use regularly. I suppose this setup is
mostly interesting for wireless users.
Create a "/etc/hostname.tun0" file that will be used to prepare the
tun0 interface for OpenVPN, add "rdomain 0" to the file, this will be
enough to create the tun0 interface at startup. (Note that the keyword
"up" would work too, but if you edit your files I find it easier to
understand the rdomains of each interface).
Run "sh /etc/netstart" as root to apply changes done to the files, you
should have your network interfaces in rdomain 1 now.
# OpenVPN configuration
From here, I assume your OpenVPN configuration works. The OpenVPN
client/server setup is out of the scope of this text.
We will use rcctl to ensure openvpn service is enabled (if it's already
enabled this is not an issue), then we will configure it to use rtable
1 to run, this mean it will connect through the interfaces in the
rdomain 1.
If your OpenVPN configuration runs a script to set up the route(s)
(through "up /etc/something..." directive in the configuration file),
you will have to by add parameter -T0 to the command route in the
script. This is important because openvpn will run in rdomain 1 so
calls to "route" will apply to routing table 1, so you must change the
route command to apply the changes in routing table 0.
```instructions
rcctl enable openvpn
rcctl set openvpn rtable 1
rcctl restart openvpn
```
Now, you should have your tun0 interface in rdomain 0, being the
default route and the other interfaces in rdomain 1.
If you run any network program it will go through the VPN, if the VPN
is down, the programs won't connect to the Internet (which is the
wanted behavior here).
# Conclusion
The rdomain and routing tables concepts are powerful tools, but they
are not always easy to grasp, especially in a context of a VPN mixing
both (one for connectivity and one for the tunnel). People using VPN
certainly want to prevent their programs to not go through the VPN and
this setup is absolutely effective in that task.