OpenVPN enable split tunneling, client to overload over their own Internet connection
I've done something similar recently.
But as I have to choose between redirecting all traffic and only the VPN traffic, I have configured it in the client.ovpn file.
So I have 2 files.
One to redirect all traffic through VPN (unsecured networks)
And another for split tunneling (secure networks).
I only add the following lines in client.ovpn.
Method 1:
Add this line to the client.conf file, or add --route-noexec on the openvpn command line:
route-noexec
(Client's Route table with this option)
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 302 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 302 0 0 wlan0
And curl ipinfo.io shows the real client location.
Method 2:
Add these lines to the client.conf file:
route-nopull
route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 128.0.0.0 UG 0 0 0 wlan0
0.0.0.0 192.168.1.1 0.0.0.0 UG 302 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 192.168.1.1 128.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 302 0 0 wlan0
And curl ipinfo.io shows the real client location.
Your case:
If you add these lines to the client.conf file:
route-nopull
route 172.16.0.11 255.255.255.255 vpn_gateway
route 172.16.0.3 255.255.255.255 vpn_gateway
route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway
I tested it on one of my clients and:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 128.0.0.0 UG 0 0 0 wlan0
0.0.0.0 192.168.1.1 0.0.0.0 UG 302 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 192.168.1.1 128.0.0.0 UG 0 0 0 wlan0
172.16.0.3 10.8.0.1 255.255.255.255 UGH 0 0 0 tun0
172.16.0.11 10.8.0.1 255.255.255.255 UGH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 302 0 0 wlan0
And curl ipinfo.io shows the real client location.
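To see why the two net_gateway /1 routes take traffic away from the VPN while the vpn_gateway host routes still send 172.16.0.x through tun0, here is an added example (my code, not part of the answer above) that parses a route -n table and applies the kernel's longest-prefix-match rule. The first table is copied from the "Your case" output above; the second is a constructed full-tunnel variant assumed for comparison.

```python
import ipaddress

# Constructed sample: the client's route table from the "Your case" section above.
ROUTE_TABLE_SPLIT = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 128.0.0.0 UG 0 0 0 wlan0
0.0.0.0 192.168.1.1 0.0.0.0 UG 302 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 192.168.1.1 128.0.0.0 UG 0 0 0 wlan0
172.16.0.3 10.8.0.1 255.255.255.255 UGH 0 0 0 tun0
172.16.0.11 10.8.0.1 255.255.255.255 UGH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 302 0 0 wlan0
"""

# Constructed sample (assumed, not from the page): the same client when a
# default route via the VPN gateway is accepted instead of the /1 split routes.
ROUTE_TABLE_FULL = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 0.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 302 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 302 0 0 wlan0
"""


def parse_routes(text):
    """Parse `route -n` style lines into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        # ipaddress accepts a dotted-decimal netmask, so 0.0.0.0/128.0.0.0 becomes /1
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lowest metric wins.

    Returns (iface, gateway); a gateway of '0.0.0.0' means directly connected.
    """
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: (r[0].prefixlen, -r[2]), default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[3], best[1]
```

With the split table, lookup(parse_routes(ROUTE_TABLE_SPLIT), "8.8.8.8") returns ('wlan0', '192.168.1.1') because the /1 route is more specific than the /0 default, while "172.16.0.11" returns ('tun0', '10.8.0.1') from its /32 host route.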
Jim
Updated on September 18, 2022
Comments
-
Jim over 1 year
I am trying to enable split tunneling with my VPN network. I am using OpenVPN to host my VPN network and have followed the steps to get split tunneling working; however, my clients still get the: 0.0.0.0 {VPN local address} push
Here is my server.conf file on the OpenVPN server, which has a real public interface with a real IP.
port 1194
proto udp
dev tun
#ssl stuff
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/dh2048.pem
#server statement and subnet for VPN IPs /24 for simplicity
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # for persistent IPing of VPN clients
push "route-nopull"
push "route 172.16.0.11 255.255.255.255 vpn_gateway" #internal node I want VPN clients to have access to
push "route 172.16.0.3 255.255.255.255 vpn_gateway" #internal node I want VPN clients to have access to
push "dhcp-option DNS 172.16.0.3" # so VPN clients use internal DNS for resolution
client-to-client
[rest of config omitted]
Client's route table, where:
172.16.250.10 is the client's VPN address
{publicIP} is the public IP of the client's network
{localIP} is the local IP, such as 192.168.x.x, of the local network it is on, not the VPN.
Destination Gateway Genmask Flags
0.0.0.0 10.0.0.10 0.0.0.0 UG
{publicIP} {localIP} 255.255.255.255 UGH
10.0.0.0 10.0.0.10 255.255.255.0 Ug
10.0.0.10 0.0.0.0 255.255.255.255 UH # don't really understand this statement
172.16.0.3 10.0.0.10 255.255.255.255 UGH #from push command in server.conf
172.16.0.11 10.0.0.10 255.255.255.255 UGH #from push command in server.conf
{client's localSubnet} 0.0.0.0 255.255.255.0 U
iptables on the OpenVPN box; this box has the public interface used to accept incoming OpenVPN requests.
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.0/24 172.16.0.3 /* Allow VPN IPs to connect to the internal DNS for resolution */
ACCEPT all -- 10.0.0.0/24 172.16.0.11 /* Allows VPN IPs to connect to homeserver */
I believe these are the only configs involved with VPN connectivity in my setup. So I am a little confused, since my VPN clients receive the explicit push statements into their route tables; however, clients still cannot use their local gateway for IP requests not destined for the 10.0.0.0/24 or 172.16.0.0/24 networks.
Thank you for the help and time in advance.
-Jim
-
deed02392 over 8 years: I believe you need NAT rules on the VPN server to NAT between clients and the 172 network.