network:routes_rules

Consider a computer with two network interfaces (e.g. wifi and ethernet): we would like to reach different networks through these two interfaces.

To list the network interfaces use ip link show, ip a or nmcli device status. For example, here we have enp33s0 on ethernet and wlx001d7e04f411 on wifi:

<cli>
$ nmcli device status
DEVICE           TYPE      STATE      CONNECTION
docker0          bridge    connected  docker0
virbr0           bridge    connected  virbr0
enp33s0          ethernet  connected  Wired connection 1
wlx001d7e04f411  wifi      connected  Livebox-6246
lo               loopback  unmanaged  --
virbr0-nic       tun       unmanaged  --
$
</cli>

We will set specific routes and rules for the wifi interface. First we have to define a new policy routing table that we call wifisplit:

<cli>
$ sudo su
# echo "1 wifisplit" >> /etc/iproute2/rt_tables
# exit
</cli>

Then we remove the wifi interface from the main (default) table in order to put it in the wifisplit table:

<cli>
$ sudo ip route del 192.168.1.0/24 dev wlx001d7e04f411 src 192.168.1.37 table main
$ sudo ip route del default via 192.168.1.1 dev wlx001d7e04f411 table main
</cli>

The IP of the wifi interface is 192.168.1.37 (use e.g. ifconfig wlx001d7e04f411 to get it). We finally have to define the rules that send traffic to the wifisplit routing table:

<cli>
$ sudo ip rule add to 192.168.1.37/32 table wifisplit
$ sudo ip rule add from 192.168.1.37/32 table wifisplit
</cli>

According to the links at the end of this page, this should be enough. However, when pinging 8.8.8.8 through the wifi interface we cannot reach the Internet, while it works fine through the ethernet interface (in the default table):

<cli>
$ ping -I wlx001d7e04f411 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.37 wlx001d7e04f411: 56(84) bytes of data.
From 192.168.1.37 icmp_seq=1 Destination Host Unreachable
From 192.168.1.37 icmp_seq=2 Destination Host Unreachable
From 192.168.1.37 icmp_seq=3 Destination Host Unreachable

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4076ms
pipe 4
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=208 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=232 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 208.009/220.139/232.270/12.139 ms
</cli>

To solve this we can add a rule stating that 8.8.8.8 is reached through the wifisplit table rather than through the default one (the ethernet device in the main table):

<cli> $ sudo ip rule add to 8.8.8.8/32 table wifisplit </cli>
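As an added example, not part of this page or of the sources it links, here is a shell script that performs the whole wifisplit setup in a safe order. The commands on the page remove the wifi routes from the main table and add the rules, but never show routes being added to wifisplit, and a rule that sends a lookup to a table with no routes finds nothing there; the script therefore fills wifisplit first, removes the routes from main next, and adds the rules last. The interface name, addresses and table name are the page's; the DRY_RUN wrapper, the duplicate check on rt_tables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page): ordered setup of the wifisplit
# policy-routing table. Values below are the page's; DRY_RUN, RT_TABLES
# and the function names are assumptions of this example.
set -eu

WIFI_IF="wlx001d7e04f411"
WIFI_IP="192.168.1.37"
WIFI_NET="192.168.1.0/24"
WIFI_GW="192.168.1.1"
TABLE_ID="1"
TABLE="wifisplit"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands (default), 0 = run them as root

# plan: print the ip(8) commands in the order they must run.
# Routes go into wifisplit BEFORE they are removed from main, so the wifi
# link never has a moment without any route; the rules come last so that
# no lookup is sent to a still-empty table.
plan() {
    cat <<EOF
ip route add $WIFI_NET dev $WIFI_IF src $WIFI_IP table $TABLE
ip route add default via $WIFI_GW dev $WIFI_IF table $TABLE
ip route del $WIFI_NET dev $WIFI_IF src $WIFI_IP table main
ip route del default via $WIFI_GW dev $WIFI_IF table main
ip rule add from $WIFI_IP/32 table $TABLE
ip rule add to $WIFI_IP/32 table $TABLE
EOF
}

# register_table: append "1 wifisplit" to rt_tables only if it is not
# there yet (a plain echo >> appends a duplicate line on every run).
register_table() {
    if [ -f "$RT_TABLES" ] && grep -q "^[[:space:]]*$TABLE_ID[[:space:]]\{1,\}$TABLE[[:space:]]*$" "$RT_TABLES"; then
        return 0
    fi
    if [ "$DRY_RUN" = "1" ]; then
        printf 'echo "%s %s" >> %s\n' "$TABLE_ID" "$TABLE" "$RT_TABLES"
    else
        printf '%s %s\n' "$TABLE_ID" "$TABLE" >> "$RT_TABLES"
    fi
}

# apply: register the table, then run (or only print) the plan line by line.
apply() {
    register_table
    plan | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            # deliberate word splitting: each line is one known command
            $cmd
        fi
    done
}

# verify_plan: commands that show what the kernel will really do once the
# setup is applied; "ip route get 8.8.8.8 from <wifi ip>" must answer with
# the wifi device and the wifisplit table.
verify_plan() {
    cat <<EOF
ip rule show
ip route show table $TABLE
ip route get 8.8.8.8 from $WIFI_IP
EOF
}

# Default invocation is a dry run that prints the plan; "apply" runs it
# (DRY_RUN=0 as root), "verify" prints the checks to run afterwards.
case "${1:-}" in
    apply)  apply ;;
    verify) verify_plan ;;
esac
```

Run it once without arguments to review the command list, then as root with DRY_RUN=0 and the apply argument; the verify output is the check that tells you which table and device a destination resolves to, which is more informative than the ping results alone.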

We will try this method to have the VPN on the ethernet device and the Internet on the wifi device. We start the VPN in a terminal:

<cli>
$ sudo openvpn --config openvpn_client.ovpn
</cli>

In another terminal, we modify the ip rules to send all IP addresses to the wifi interface, then give the VPN network range back to the ethernet interface:

<cli>
$ sudo ip rule add to 0.0.0.0/0 table wifisplit
$ sudo ip rule add to 172.20.0.0/16 table main
</cli>

We ping the two networks and the results look as expected: no Internet access for the ethernet interface, and Internet access for the wifi interface:

<cli>
$ ping 172.20.1.35
PING 172.20.1.35 (172.20.1.35) 56(84) bytes of data.
64 bytes from 172.20.1.35: icmp_seq=1 ttl=127 time=495 ms

--- 172.20.1.35 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1001ms
rtt min/avg/max/mdev = 495.106/495.106/495.106/0.000 ms
$ ping -I enp33s0 www.google.com
PING www.google.com (216.58.201.228) from 192.168.1.19 enp33s0: 56(84) bytes of data.
From k2.ensieta.ecole (192.168.1.19) icmp_seq=1 Destination Host Unreachable
From k2.ensieta.ecole (192.168.1.19) icmp_seq=2 Destination Host Unreachable
From k2.ensieta.ecole (192.168.1.19) icmp_seq=3 Destination Host Unreachable

--- www.google.com ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4508ms
pipe 4
$ ping -I wlx001d7e04f411 www.google.com
PING www.google.com (216.58.201.228) from 192.168.1.37 wlx001d7e04f411: 56(84) bytes of data.
64 bytes from par10s33-in-f4.1e100.net (216.58.201.228): icmp_seq=1 ttl=54 time=304 ms
64 bytes from par10s33-in-f4.1e100.net (216.58.201.228): icmp_seq=2 ttl=54 time=291 ms
64 bytes from par10s33-in-f4.1e100.net (216.58.201.228): icmp_seq=3 ttl=54 time=237 ms

--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 237.711/277.987/304.919/29.018 ms
</cli>

However, things are not completely ok, as some IPs (like www.ensta-bretagne.fr) cannot be reached through the wifi interface (e.g. wget https://www.ensta-bretagne.fr/zerr/dokuwiki/doku.php?id=network:routes_rules is not working) …
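Pinging with -I tells you whether a given interface can reach a host, but not which table and device the kernel actually selects for a destination under the rules above. As an added example, not from this page, the script below asks the kernel directly with ip route get and parses its answer, so the split "VPN range via the main table, everything else via wifisplit" can be checked host by host, including hosts such as www.ensta-bretagne.fr that fail. The three sample lines are constructed to look like ip route get output for the page's interfaces and are not captured from a real machine; the tun0 device name for the OpenVPN tunnel is an assumption.

```shell
#!/bin/sh
# Added example (not from the page): report which device and routing table
# the kernel picks for a destination. parse_route_get() works on the text
# that "ip route get" prints; SAMPLE_* lines are constructed, not captured.
set -eu

# parse_route_get: read one "ip route get" line on stdin, print "<dev> <table>".
# ip prints no "table" word for the main table, so "main" is the default.
parse_route_get() {
    awk '
        {
            dev = "-"; table = "main"
            for (i = 1; i <= NF; i++) {
                if ($i == "dev")   dev   = $(i + 1)
                if ($i == "table") table = $(i + 1)
            }
            print dev, table
            exit
        }'
}

# check_path: run the real lookup for DEST and compare the chosen device
# with the expected one. Prints a verdict; returns 1 on mismatch.
check_path() {
    dest="$1"; want_dev="$2"
    got=$(ip route get "$dest" 2>/dev/null | parse_route_get)
    [ -n "$got" ] || got="- -"
    dev=${got%% *}; table=${got#* }
    if [ "$dev" = "$want_dev" ]; then
        printf 'OK   %-24s -> %s (table %s)\n' "$dest" "$dev" "$table"
    else
        printf 'FAIL %-24s -> %s (table %s), expected %s\n' "$dest" "$dev" "$table" "$want_dev"
        return 1
    fi
}

# Constructed sample output (not real captures) for the page's interfaces;
# tun0 is an assumed name for the OpenVPN tunnel device.
SAMPLE_WIFI='8.8.8.8 via 192.168.1.1 dev wlx001d7e04f411 table wifisplit src 192.168.1.37 uid 1000'
SAMPLE_VPN='172.20.1.35 dev tun0 src 172.20.1.2 uid 1000'
SAMPLE_ETH='192.168.1.19 dev enp33s0 src 192.168.1.19 uid 1000'

# expected_split: offline demonstration of the parser on the sample lines.
expected_split() {
    printf '%s\n' "$SAMPLE_WIFI" | parse_route_get
    printf '%s\n' "$SAMPLE_VPN"  | parse_route_get
}

case "${1:-}" in
    live)
        # what the page's split should give once both rules are in place
        check_path 8.8.8.8              wlx001d7e04f411
        check_path 172.20.1.35          tun0
        check_path www.ensta-bretagne.fr wlx001d7e04f411
        ;;
    *) expected_split ;;
esac
```

Run it with the live argument on the machine itself to see the chosen device for each destination. One caveat on the two rules above: ip rule add without a pref gives the new rule a priority one lower than the current lowest, so each new rule is consulted before the ones added earlier, which is the only reason the 172.20.0.0/16 rule wins over the 0.0.0.0/0 one. Giving every rule an explicit pref (for instance ip rule add pref 100 to 172.20.0.0/16 table main) makes that order visible in ip rule show instead of depending on the order in which the commands were typed.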

… this remains to be solved.

Another method based on network namespaces may be more appropriate and will be tested too.

The way to do this is inspired from:

network/routes_rules.txt · Last modified: 2023/03/31 12:14 by 127.0.0.1