openvpn - How to set client to use local gateway? aka use connection for resources on its network only


This is called Split tunneling.

As you have created your own OpenVPN server, you can enable split tunneling on Windows by editing your config files.

Remove redirect-gateway def1 in your OpenVPN server config file (server.conf). In the client config (client.ovpn or client.conf), add a line similar to:

route 12.12.12.0 255.255.255.0 vpn_gateway

This routes the 12.12.12.0 subnet through the VPN connection and everything else out of the non-VPN connection.

Many variations exist on this scenario. If you want to set the VPN as your default interface, excluding LAN addresses, then set the VPN as your default gateway, but add route commands for LAN IPs to go through your local gateway (router etc).
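As an added example (not part of this answer and not OpenVPN's own code), a small Python check that reads a client config together with a server PUSH_REPLY log line of the kind quoted in the question, and reports whether the resulting option set installs a default route through the tunnel and which subnets are explicitly routed into it. The sample inputs are constructed; the pull-filter ignore line is a real OpenVPN 2.4+ directive, and only its ignore action is modelled.

```python
import re
import shlex

# Constructed sample, modelled on the SENT CONTROL line in the question's syslog.
SAMPLE_PUSH_REPLY = (
    "Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 SENT CONTROL "
    "[gerard]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,"
    "ping-restart 120,ifconfig 10.8.0.99 255.255.255.0' (status=1)"
)
# Constructed client config: a trimmed client.ovpn plus the answer's split-tunnel
# route and a pull-filter that discards any pushed redirect-gateway.
SPLIT_CLIENT_CFG = """client
dev tun
proto udp
remote a.b.c.d 1194
route 12.12.12.0 255.255.255.0 vpn_gateway
pull-filter ignore "redirect-gateway"
"""

def parse_push_reply(logline):
    """Extract the comma-separated options quoted in a PUSH_REPLY log line."""
    m = re.search(r"'PUSH_REPLY,(.*?)'", logline)
    return [o.strip() for o in m.group(1).split(",") if o.strip()] if m else []

def parse_config(text):
    """Turn config text into (directive, args) pairs; '#'/';' lines are comments."""
    rows = [shlex.split(l) for l in text.splitlines()
            if l.strip() and l.strip()[0] not in "#;"]
    return [(r[0], r[1:]) for r in rows]

def effective_options(pushed, client_cfg):
    """Merge pushed options into the client's own, honouring 'pull-filter ignore'
    (OpenVPN 2.4+; only the ignore action is modelled). 'client' implies 'pull'."""
    local = parse_config(client_cfg)
    ignores = [a[1] for d, a in local if d == "pull-filter" and a[:1] == ["ignore"]]
    merged = list(local)
    if {d for d, _ in local} & {"client", "pull"}:
        for opt in pushed:
            if not any(opt.startswith(p) for p in ignores):
                parts = shlex.split(opt)
                merged.append((parts[0], parts[1:]))
    return merged

def tunnel_summary(pushed, client_cfg):
    """Return (default_route_via_vpn, [subnets explicitly routed into the VPN])."""
    opts = effective_options(pushed, client_cfg)
    full = any(d == "redirect-gateway" for d, _ in opts)
    nets = [" ".join(a[:2]) for d, a in opts if d == "route" and a]
    return full, nets
```

The route-gateway entry in a PUSH_REPLY only sets the gateway address used for route entries; it is not redirect-gateway, so the pushed options quoted in the question do not by themselves make the VPN the default route.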

Author: gerpaick

Updated on September 18, 2022

Comments

  • gerpaick over 1 year

    Sorry for this question; I tried to find a solution but found nothing. I want to configure clients to use the local gateway, not the server's one. I just need to configure clients in a way that they can see each other, but using local gateways.

    Here is my server.conf file:

    port 1194
    proto udp
    dev tun
    sndbuf 0
    rcvbuf 0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA512
    tls-auth ta.key 0
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify crl.pem
    

    and client.conf file on server:

    ifconfig-push 10.8.0.99
    

    and here is client.ovpn on client pc:

    client
    dev tun
    proto udp
    sndbuf 0
    rcvbuf 0
    remote a.b.c.d 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth SHA512
    cipher AES-256-CBC
    comp-lzo
    setenv opt block-outside-dns
    key-direction 1
    verb 3
    

    When I connect with this configuration, all traffic from the client goes via the VPN server, and I don't want that.

    When on the server I look into /var/log/syslog I find:

    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 TLS: Initial packet from [AF_INET]x.x.x.x:40795, sid=0fbd888b 778a14e6
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 CRL CHECK OK: CN=ChangeMe
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 VERIFY OK: depth=1, CN=ChangeMe
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 CRL CHECK OK: CN=gerard
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 VERIFY OK: depth=0, CN=gerard
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 [gerard] Peer Connection Initiated with [AF_INET]x.x.x.x:40795
    Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: new connection by client 'gerard' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
    Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI_sva: pool returned IPv4=10.8.0.99, IPv6=(Not enabled)
    Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: Learn: 10.8.0.99 -> gerard/x.x.x.x:40795
    Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: primary virtual IP for gerard/x.x.x.x:40795: 10.8.0.99
    Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 PUSH: Received control message: 'PUSH_REQUEST'
    Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 send_push_reply(): safe_cap=940
    Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 SENT CONTROL [gerard]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.99 255.255.255.0' (status=1)
    

    At the end of this file there is PUSH_REPLY,route-gateway 10.8.0.1, but I didn't set it anywhere.

    What am I missing?

    Please help!

    • harrymc over 6 years
      Please give the entire output of route print (upload it somewhere if too long). You are apparently missing on the client a route for the LAN, so that it does not go via the VPN.
    • gerpaick over 6 years
      I edited my question to be more accurate. I hope.
    • gerpaick over 6 years
      I want my clients, after connecting to the VPN, to use their own gateways for the internet, and to be able to see each other on the VPN network.
    • Vomit IT - Chunky Mess Style over 6 years
      Consider looking into softether.org if you can or have time. It's much more straightforward and simpler to set up than OpenVPN. It too is open source, so you can see all the code if needed.
  • gerpaick over 6 years
    I don't have redirect-gateway def1 in my server.conf file, so I added route 10.8.0.0 255.255.255.0 10.8.0.1 to client.ovpn. I restarted both client and server, but still all my outgoing connections go via 10.8.0.1.
  • gerpaick over 6 years
    On a PPTP VPN connection there is an option in Windows, 'use default gateway on remote network'. If it's not checked I can see computers in the VPN LAN, and the default connection is via the local gateway. Is there anything similar in OpenVPN?
  • harrymc over 6 years
    The above route command says that everything from 10.8.0.X should pass via 10.8.0.1. If you wish for it to go elsewhere, specify another gateway.
  • harrymc over 6 years
    You should specify as gateway the one that is used by the devices in your LAN. Typically this is the router.
  • Jespertheend over 2 years
    If I do this I can no longer connect to other clients, even though I have client-to-client set. The only thing the route does for me is make sure I can connect to localhost via my assigned private IP.