This is just a personal backup, but if it helps you, that's even better.
- Make Linux work as a router.
- For domestic destinations, route traffic directly.
- For traffic that needs to bypass the firewall, use the VPN.
- Set up tinc or another VPN as usual (don't forget to enable IP forwarding via sysctl, and run it under the correct user group, because I use the group to decide whether traffic goes direct; in my case it is the proxy).
- Write main.nft with the additional IP sets.
- Apply the nft configuration from tinc-up and node-up.
- Enable the nftables service (Debian ships it) and start it.
- Configure the tinc service to start after nftables and to restart together with it.
Using nftables is clearer and more efficient.
You can set up multiple nodes in tinc so the whole service becomes a reliable tunnel. You can move the node-up and node-down logic into tinc-up and tinc-down. After setting the nodes' weights, your network connectivity should not be affected when some of the nodes are down.
Add a counter inside the nft configuration and use nft list ruleset to watch it.
- After setting up the interfaces in tinc-up, applying the nft configuration right away may fail. I guess the interface information has not been updated yet? My workaround is to run
  sleep 5
  before applying nft.
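The tinc-up hook and main.nft sketched above, written out as an added example (not the author's own files): domestic destinations are accepted directly, packets from the proxy's group are marked and policy-routed into the tunnel, every rule carries a counter, and the sleep workaround precedes the nft call. The interface name, proxy gid, routing table id, mark value and the domestic prefixes are assumptions or constructed samples.

```shell
#!/bin/sh
# Added example tinc-up hook; all names below are assumptions, not from the page.
set -eu

TINC_IF="${INTERFACE:-tinc0}"   # tinc exports INTERFACE to tinc-up (assumed default)
PROXY_GID="${PROXY_GID:-1001}"  # assumed gid the proxy runs under
TUNNEL_TABLE=100                # assumed routing table id for the tunnel
TUNNEL_MARK=0x1                 # assumed fwmark that selects that table

# Constructed sample of "domestic" prefixes; load the real list in practice.
DOMESTIC_PREFIXES="10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"

# Print the nft ruleset (main.nft) so it can be reviewed or piped to nft -f -.
render_ruleset() {
    elems=$(printf '%s' "$DOMESTIC_PREFIXES" | tr ' ' ',')
    cat <<EOF
flush ruleset
table inet router {
    set domestic {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain output {
        type route hook output priority mangle; policy accept;
        ip daddr @domestic counter accept
        meta skgid $PROXY_GID counter meta mark set $TUNNEL_MARK
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$TINC_IF" counter masquerade
    }
}
EOF
}

# Apply the ruleset and the mark-based policy route (needs root and nft/ip).
apply_routing() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sleep 5                      # the page's workaround: let the new tun device settle
    render_ruleset | nft -f -
    ip rule del fwmark "$TUNNEL_MARK" lookup "$TUNNEL_TABLE" 2>/dev/null || true
    ip rule add fwmark "$TUNNEL_MARK" lookup "$TUNNEL_TABLE"
    ip route replace default dev "$TINC_IF" table "$TUNNEL_TABLE"
}

if [ "${1:-}" = "apply" ]; then apply_routing; fi
```

Run it as `tinc-up apply` from tinc; without the argument it only defines the functions, so `render_ruleset` can be checked with `nft -c -f -` before touching the live ruleset.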
Special thanks to @dyxushuai for help!