Full Version: Skype prefers VPN to internet link?
redphoenix_
I have two network links to a potential skype-using friend - one over a VPN (slowish, due to the encryption involved), and one across an ADSL link (quicker). We are both behind NATted firewalls.

Whenever I try to contact this friend through skype, the comms are always routed across the VPN. This is fine, but since we don't care about the security of the conversations, the overhead imposed by the VPN is unwelcome.

Is there any way I can tell skype to use the ADSL link, rather than the VPN?

To phrase this another way, when my skype app advertises my availability, how can I get it to advertise my location as the ip address of my public gateway, rather than advertising my internal, VPN-accessible IP address?

Regards,

Red.
Trane Francks
This is a matter of correctly configuring your VPN client/router. It seems that your VPN is configured as the default route for all your traffic. If you're running something like a SonicWALL VPN client on the PC, make sure that your policy is configured to only route traffic to the remote VPN firewall that is intended for that network. Route all other traffic over the base ADSL. In cases where your company has a DMZ outside the firewall, e.g., HTTP or FTP servers, make sure that you override the DMZ subnet to route via the ADSL.
Niko
hi,

Can you give us more information about your VPN? Private IP address, gateway... What kind of VPN (PPTP, SSH, IPSec...)? What material (linux, cisco...)?
bonbons_
QUOTE(redphoenix)
I have two network links to a potential skype-using friend - one over a VPN (slowish, due to the encryption involved), and one across an ADSL link (quicker). We are both behind NATted firewalls.

Could you provide your net layout between both hosts in a graph, as it's not clear from your description...

[You - VPN] ============ [ VPN - Friend]
[You - LAN] --- NAT ============= NAT --- [LAN - Friend]

Am I right with my interpretation of your setup? ("You" is your machine, "Friend" is your friend's machine, I did split it into 2 lines as multiline-ascii graphs are not easy with non-fixed character widths)

If my interpretation is right, then it's surprising that Skype uses the VPN. If skype uses the VPN, then your router may not be set up correctly, and all your internet traffic will go through the VPN (or your friend's traffic goes through it and out through your internet connection)
Niko
QUOTE(bonbons)
QUOTE(redphoenix)
I have two network links to a potential skype-using friend - one over a VPN (slowish, due to the encryption involved), and one across an ADSL link (quicker). We are both behind NATted firewalls.

Could you provide your net layout between both hosts in a graph, as it's not clear from your description...

[You - VPN] ============ [ VPN - Friend]
[You - LAN] --- NAT ============= NAT --- [LAN - Friend]

Am I right with my interpretation of your setup? ("You" is your machine, "Friend" is your friend's machine, I did split it into 2 lines as multiline-ascii graphs are not easy with non-fixed character widths)

If my interpretation is right, then it's surprising that Skype uses the VPN. If skype uses the VPN, then your router may not be set up correctly, and all your internet traffic will go through the VPN (or your friend's traffic goes through it and out through your internet connection)


Yes I agree with Bonbons, your network (router) has a bad configuration !
It must separate Internet and local traffic (VPN) ...
redphoenix_
QUOTE(Trane Francks)
This is a matter of correctly configuring your VPN client/router. It seems that your VPN is configured as the default route for all your traffic.


Unfortunately, no - I wish it were that simple. The default route on the gateway machine is to my adsl link to the internet.

I'll provide a few more details however.. Ip addresses are made up, but are representative.

System 1 (me): 10.0.0.1 (behind a nat gateway)
System 2 (target): 10.0.1.1
Gateway 1 internet IP address: 150.101.101.101 (iptables firewall)
Gateway 2 internet IP address: 150.101.101.102 (iptables firewall)

important gateway routes (note the 10.0.1.0/24 route through encrypted tun0):
CODE
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.2        *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
10.0.1.0        10.0.2.2        255.255.255.0   UG    0      0        0 tun0
default         loop0.lns1.cbr1 0.0.0.0         UG    0      0        0 ppp0

The only thing that will go across the vpn is packets for 10.0.2.2 (gateway 2 IP) and 10.0.1.* (network on the other side of the gateway)

Or, in graphical (simplified) form:
CODE
                                150.101.101.101
10.0.0.1(Me) ------.0.2- Gateway1 |------- INTERNET (default route)
                        .2.1                  |
                         ||                   |
                         vpn                  |
                         ||                   |
                        .2.2                  |
10.0.1.1(Target) --.1.3- Gateway2 |-------- INTERNET (default route)
                               150.101.101.102

So in order to get to the target system, we could either go through the gateway, over ppp0, from 10.0.0.1 (me) through 150.101.101.101 (gate 1), across the internet to 150.101.101.102 (gate 2), to 10.0.1.1 (target)... or alternatively, from 10.0.0.1 to gateway 1, over the encrypted VPN (tun0), through gateway 2 (10.0.2.2), to 10.0.1.1.

It seems as though skype is choosing the second alternative every time, rather than going through the unencrypted default route.

The only thing I can think of, is that firewall rules on gateway 1 & 2 are blocking the initial 'call notification', and that skype is falling back to the 'backup pathway' over the VPN, which doesn't have quite as many firewall rules to trouble it.

If I have two skype clients, both behind firewall-protected NAT gateways, do I need to open up any ports on the gateways to allow the 'call notification' to go through? I would assume that this would be the case, but the documentation I've read on skype thus far, seems to imply that this approach is not needed.

Any help is appreciated,

Red.
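
As an added illustration (not part of the original thread): a longest-prefix-match lookup over the routing table posted above shows that gateway 1 sends anything addressed to the friend's internal 10.0.1.x address through tun0, while traffic to gateway 2's public address 150.101.101.102 follows the default route over ppp0. The function names are made up for this example.

```python
import ipaddress

# Routing table of gateway 1 as posted above (output of `route`).
ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.2        *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
10.0.1.0        10.0.2.2        255.255.255.0   UG    0      0        0 tun0
default         loop0.lns1.cbr1 0.0.0.0         UG    0      0        0 ppp0
"""

def parse_routes(text):
    """Parse `route` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # skip the header and anything that is not a route row
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            network = ipaddress.ip_network(f"{dest}/{genmask}")
        routes.append((network, gateway, iface))
    return routes

def lookup(routes, address):
    """Return the most specific matching route (longest prefix wins)."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def egress_iface(address, routes=None):
    """Name of the interface the gateway would use to reach `address`."""
    routes = routes if routes is not None else parse_routes(ROUTE_OUTPUT)
    route = lookup(routes, address)
    return route[2] if route else None

if __name__ == "__main__":
    # Internal peer address, peer's public address, VPN endpoint, local host.
    for target in ("10.0.1.1", "150.101.101.102", "10.0.2.2", "10.0.0.1"):
        print(f"{target:16} -> {egress_iface(target)}")
```

The kernel's choice depends only on the destination address, so the path taken follows from which of the peer's addresses the application connects to.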
bonbons_
QUOTE(redphoenix)
important gateway routes (note the 10.0.1.0/24 route through encrypted tun0):
CODE
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.2        *               255.255.255.255 UH    0      0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
10.0.1.0        10.0.2.2        255.255.255.0   UG    0      0        0 tun0
default         loop0.lns1.cbr1 0.0.0.0         UG    0      0        0 ppp0
What you do not say is how the other gateway is configured...


QUOTE(redphoenix)
The only thing I can think of, is that firewall rules on gateway 1 & 2 are blocking the initial 'call notification', and that skype is falling back to the 'backup pathway' over the VPN, which doesn't have quite as many firewall rules to trouble it.

If I have two skype clients, both behind firewall-protected NAT gateways, do I need to open up any ports on the gateways to allow the 'call notification' to go through? I would assume that this would be the case, but the documentation I've read on skype thus far, seems to imply that this approach is not needed.
Skype should not need that much special treatment, just its target port (as set in the target's connection options) must (should, as otherwise Skype may use relays) be reachable, as ports 80 and 443 are not available under Linux (well, I'm guessing you are NOT running Skype as root ;-))

For me, I have 2 computers on same LAN, and did try to send a file but got it relayed, don't know why Skype did not want to do the direct connection... At most it could be that both got their DHCP from different servers, and thus maybe one has a default gateway more than the other one (but at least one common default gateway)
redphoenix_
QUOTE(bonbons)
What you do not say is how the other gateway is configured...


Identically, but with destinations/addresses reversed obviously. Default route is through ppp0, with only 10.0.0.* and 10.0.2.1 heading through the VPN.

QUOTE(bonbons)
Skype should not need that much special treatment, just its target port (as set in the target's connection options) must (should, as otherwise Skype may use relays) be reachable


By 'reachable', you mean 'open at the firewall, and forwarded to the target skype host' (or to phrase it another way, poke a hole through the firewall for that particular port)?

ie: force skype to use a high-end port (eg: 12345) on both systems, and tell both firewalls to forward port 12345 to the internal system (10.0.0.1, and 10.0.1.1 respectively)).

This would be logical based on the normal setup/teardown characteristics of most protocols/stateful firewalls, and would be what I would have to implement for similar applications/capabilities (eg: gnomemeeting / bittorrent)..

.. actually, in retrospect, perhaps not port 12345.. since there might be a few netbus-blocking-routers still hanging around ;-)

QUOTE(bonbons)
as ports 80 and 443 are not available under Linux (well, I'm guessing you are NOT running Skype as root ;-))


Accurate assumption ;-) *shudder*

Red.
bonbons_
QUOTE(redphoenix)
QUOTE(bonbons)
Skype should not need that much special treatment, just its target port (as set in the target's connection options) must (should, as otherwise Skype may use relays) be reachable


By 'reachable', you mean 'open at the firewall, and forwarded to the target skype host' (or to phrase it another way, poke a hole through the firewall for that particular port)?

ie: force skype to use a high-end port (eg: 12345) on both systems, and tell both firewalls to forward port 12345 to the internal system (10.0.0.1, and 10.0.1.1 respectively)).

This would be logical based on the normal setup/teardown characteristics of most protocols/stateful firewalls, and would be what I would have to implement for similar applications/capabilities (eg: gnomemeeting / bittorrent)..
At least Skype should have free access to internet as a client, no restrictions on its outgoing connections. Incoming should be possible at least on one of both sides. You could even block the Skype port for the VPN to force skype the other way round.


QUOTE(redphoenix)
QUOTE(bonbons)
as ports 80 and 443 are not available under Linux (well, I'm guessing you are NOT running Skype as root ;-))


Accurate assumption ;-) *shudder*
But it happens, just browse the forums to see examples!