a more useful vpn client

Moderator: Lillian.W@AST

akarali
Posts: 6
Joined: Tue Sep 22, 2015 6:08 pm

a more useful vpn client

Post by akarali »

Hi,

Simply, being able to dedicate 1 or 2 ethernet ports to WAN and others to LAN could be a solution

Seeing that Asustor has done nothing for permitting users to enable vpn client support only to some programs (e.g. download center; but also other torrent and news hosts) and not to all the traffic through the device, despite persistent requests since 2015, I am trying to find another solution; that is, streaming all the internet traffic in the device through a vpn client but also making it available to my devices on the LAN, without forcing them to use the vpn connection (i.e. internet) to connect to the Asustor device, if I don't want them to use vpn.

Technically, binding one or two of the ethernet interfaces to LAN traffic only and other(s) to vpn router should be possible through configuring the ethernet ports; so I am asking that to be included in ADM, if Asustor doesn't address the vpn client "all traffic or nothing" issue otherwise.

Kind regards,
father.mande
Posts: 1815
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: a more useful vpn client

Post by father.mande »

Hi,

It's NOT the responsibility of the VPN software to bind some applications (and not really technically possible)
... so the only option is nothing or change the default route for all traffic (and this option is managed by the VPN BUT NOT in the VPN software itself (it's an ip route change directive; ip is the tool to manage networking in Linux))

Outside of the VPN it's possible:
... if you know the target I.P. address or range ... to create firewall rules using the iptables command
... ... but some servers / services use a "common" unique name for multiple I.P.s (like google) ... so it's complex in some cases
... Another choice is for applications (server or client) able to internally bind traffic to a specific output way
... ... only a very few applications (clients) are built to be able to select a specific output I.P. (but some exist) ... BUT a lot of servers can have it
... ... Microsoft / Apple / NFS networking ; FTP, ISCSI, TFTP ; SSH, Telnet, SNMP ; Web, SQL, Sync ... etc.
... ... for these services you can request (if it does not exist) a menu to bind it ... but not sure it's easy to add a dynamic (VPN) interface (a broken interface can break the server)
... on modern kernels the real solution is to create a net namespace and run the application INSIDE this netns target (ip netns exec interface program)
... ... but it's complex and can NEVER have a generic solution ... because all is dependent on the context ... not based on rules
... ... network namespaces work as well on Asustor ... even if some actions can't because kernel 4.4.x has some restrictions ... but only for packages and libraries not built to support netns

... other solutions can exist (ex. create an output socket proxy) ... but in all cases never with an easy and simple configuration.

The only friendly solution is using namespaces ... because ONLY the launch command needs to be changed ... not the program ...

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
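
The namespace approach described in the reply above, as an added example that is not part of the thread and not Asustor or ADM code: it prints (or, with `APPLY=1` as root, runs) the `ip` commands that build a namespace whose only way out is the VPN server, and wraps a program's launch line in `ip netns exec`. The namespace name, veth names, subnet and server address are assumptions, and it assumes the VPN client started inside the namespace installs its own default route over the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: namespace vpnns, veth pair
# veth-host/veth-ns, link subnet 10.200.0.0/30, VPN server 203.0.113.10
# (a documentation address; use your provider's endpoint).
NS=${NS:-vpnns}
VPN_SERVER=${VPN_SERVER:-203.0.113.10}
HOST_IP=10.200.0.1
NS_IP=10.200.0.2

# Print the setup commands, one per line, in the order they must run.
# The namespace gets NO default route over the veth link: only the VPN
# server is reachable, so nothing leaks if the tunnel is down.
netns_plan() {
    in_ns="ip netns exec $NS"
    cat <<EOF
ip netns add $NS
ip link add veth-host type veth peer name veth-ns
ip link set veth-ns netns $NS
ip addr add $HOST_IP/30 dev veth-host
ip link set veth-host up
$in_ns ip link set lo up
$in_ns ip addr add $NS_IP/30 dev veth-ns
$in_ns ip link set veth-ns up
$in_ns ip route add $VPN_SERVER/32 via $HOST_IP
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $NS_IP/32 -d $VPN_SERVER/32 -j MASQUERADE
EOF
}

# Build the launch line for a program that must live inside the namespace
# (the VPN client first, then each application that should use the tunnel).
in_vpn() {
    echo "ip netns exec $NS $*"
}

# Dry run by default: prints the plan. APPLY=1 (as root) executes each step.
apply_plan() {
    netns_plan | while IFS= read -r step; do
        if [ "${APPLY:-0}" = 1 ]; then
            echo "+ $step"
            $step || exit 1
        else
            echo "$step"
        fi
    done
}

# "sh vpnns.sh plan" shows the commands; the host's default route is untouched.
if [ "${1:-}" = plan ]; then apply_plan; fi
```

`ip netns exec` uses `/etc/netns/vpnns/resolv.conf` in place of `/etc/resolv.conf` when that file exists, which is where the VPN's DNS server belongs so lookups do not go to the LAN resolver. Enabling `ip_forward` is host-wide, so the FORWARD chain should only allow the veth address to reach the VPN server.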