openvpn - How to set client to use local gateway? aka use connection for resources on its network only
This is called Split tunneling.
As you have created your own OpenVPN server, you can enable split tunneling on Windows by editing your config files.
Remove
redirect-gateway def1
from your OpenVPN server config file (server.conf). In the client config (client.ovpn or client.conf), add a line similar to:
route 12.12.12.0 255.255.255.0 vpn_gateway
This routes the 12.12.12.0 subnet through the VPN connection and everything else out of the non-VPN connection.
Many variations exist on this scenario. If you want to set the VPN as your default interface, excluding LAN addresses, then set the VPN as your default gateway, but add route commands for LAN IPs to go through your local gateway (router etc).
gerpaick, updated on September 18, 2022
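As an added, worked example (it is not part of the original answer, and the configs in it are not the asker's files, only trimmed copies of what is posted in the question below plus a full-tunnel variant): a small Python audit that parses a server.conf, a client .ovpn and the server's PUSH_REPLY log line, and reports whether the client ends up full- or split-tunnel and why. The helper names (parse_directives, tunnel_report, warnings) are mine. Two points it checks that the answer above leaves implicit: the "route-gateway 10.8.0.1" in the PUSH_REPLY is generated by the "server" directive together with "topology subnet" and is only the next hop for pushed routes or redirect-gateway, it does not by itself redirect traffic; and "block-outside-dns" blocks port 53 on every interface except the tunnel, so in split-tunnel mode name resolution fails unless a DNS server is pushed through the tunnel.

```python
"""Audit which traffic an OpenVPN client will send into the tunnel.

Added example, not code from the original post. It reads three inputs:
the server.conf (for push "..." lines), the client .ovpn, and the server
log line carrying the PUSH_REPLY, i.e. what the client actually received.
"""
import re

# Directives that make the tunnel the default route when present in the
# client config or pushed by the server.
FULL_TUNNEL = {"redirect-gateway", "redirect-private"}


def parse_directives(text):
    """Return (name, args, pushed) triples from an OpenVPN config.

    pushed=True marks a server-side push "..." line: it takes effect on the
    client, not on the server. Inline <ca>...</ca> style blocks are skipped."""
    out, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m:
            inline = None if m.group(1) else m.group(2)
            continue
        if inline:
            continue
        name, _, rest = line.partition(" ")
        if name == "push":
            pname, _, pargs = rest.strip().strip("\"'").partition(" ")
            out.append((pname, pargs.split(), True))
        else:
            out.append((name, rest.split(), False))
    return out


def parse_push_reply(logline):
    """Pushed options from a server log line of the form
    SENT CONTROL [cn]: 'PUSH_REPLY,opt1,opt2,...' (status=1)."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", logline)
    if not m:
        return []
    opts = [o.split() for o in m.group(1).split(",") if o.strip()]
    return [(o[0], o[1:], True) for o in opts]


def tunnel_report(server_conf, client_conf, push_reply_log=""):
    """Combine server pushes, local client options and the observed
    PUSH_REPLY into one verdict about what is routed via the VPN."""
    effective = [d for d in parse_directives(server_conf) if d[2]]
    effective += [d for d in parse_directives(client_conf) if not d[2]]
    effective += parse_push_reply(push_reply_log)
    rep = {"full_tunnel": False, "redirect_sources": [], "routes": [],
           "route_gateway": None, "dns_pushed": [], "block_outside_dns": False}
    for name, args, pushed in effective:
        src = "pushed by server" if pushed else "client config"
        if name in FULL_TUNNEL:
            rep["full_tunnel"] = True
            rep["redirect_sources"].append(f"{name} {' '.join(args)} ({src})")
        elif name == "route" and " ".join(args) not in rep["routes"]:
            rep["routes"].append(" ".join(args))
        elif name == "route-gateway" and args:
            # Emitted by 'server ...' with 'topology subnet'. It is only the
            # next hop for pushed routes / redirect-gateway, not a redirect.
            rep["route_gateway"] = args[0]
        elif name == "dhcp-option" and args[:1] == ["DNS"] and len(args) > 1:
            rep["dns_pushed"].append(args[1])
        elif name == "block-outside-dns" or (
                name == "setenv" and args[:2] == ["opt", "block-outside-dns"]):
            rep["block_outside_dns"] = True
    return rep


def warnings(rep):
    """Human-readable caveats derived from a tunnel_report() result."""
    out = []
    if rep["full_tunnel"]:
        out.append("full tunnel: remove " + "; ".join(rep["redirect_sources"]))
    elif not rep["routes"]:
        out.append("split tunnel: only the VPN subnet (from ifconfig) is reachable "
                   "through tun; confirm with 'route print' / 'ip route'")
    if rep["block_outside_dns"] and not rep["full_tunnel"] and not rep["dns_pushed"]:
        out.append("block-outside-dns blocks port 53 on every interface except the "
                   "tunnel and no DNS server is pushed: name resolution will fail")
    return out


# Constructed inputs: trimmed copies of the configs and log line posted in
# the question below, plus a full-tunnel variant of the server config.
ASKER_SERVER = "port 1194\nproto udp\ndev tun\ntopology subnet\nserver 10.8.0.0 255.255.255.0\nkeepalive 10 120\n"
FULL_TUNNEL_SERVER = ASKER_SERVER + 'push "redirect-gateway def1 bypass-dhcp"\npush "dhcp-option DNS 10.8.0.1"\n'
ASKER_CLIENT = "client\ndev tun\nproto udp\nremote a.b.c.d 1194\nremote-cert-tls server\nsetenv opt block-outside-dns\n"
SPLIT_CLIENT = ASKER_CLIENT + "route 10.8.0.0 255.255.255.0 vpn_gateway\n"
PUSH_REPLY_LOG = ("Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 SENT CONTROL "
                  "[gerard]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,"
                  "ping-restart 120,ifconfig 10.8.0.99 255.255.255.0' (status=1)")

if __name__ == "__main__":
    for label, srv, cli in (("as posted", ASKER_SERVER, ASKER_CLIENT),
                            ("full tunnel", FULL_TUNNEL_SERVER, ASKER_CLIENT),
                            ("split + route", ASKER_SERVER, SPLIT_CLIENT)):
        rep = tunnel_report(srv, cli, PUSH_REPLY_LOG)
        print(label, rep, warnings(rep), sep="\n  ")
```

Run it as-is to see the three verdicts; to audit your own setup, feed it the real server.conf, client .ovpn and the "SENT CONTROL ... PUSH_REPLY" line from the server log, then confirm the result against the OS routing table (route print on Windows, ip route on Linux), since a leftover route or a second VPN profile can still override what the configs say.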
-
gerpaick over 1 year
Sorry for this question, I tried to find a solution but found nothing. I want to configure clients to use the local gateway, not the server's one. I just need to configure clients in a way that they can see each other, but using local gateways.
Here is my server.conf file:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
and the client.conf file on the server:
ifconfig-push 10.8.0.99
and here is client.ovpn on the client PC:
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
When I connect with this configuration, all traffic from the client goes via the VPN server, and I don't want that.
When on the server I look into /var/log/syslog I find:
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 TLS: Initial packet from [AF_INET]x.x.x.x:40795, sid=0fbd888b 778a14e6
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 CRL CHECK OK: CN=ChangeMe
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 VERIFY OK: depth=1, CN=ChangeMe
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 CRL CHECK OK: CN=gerard
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 VERIFY OK: depth=0, CN=gerard
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 [gerard] Peer Connection Initiated with [AF_INET]x.x.x.x:40795
Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: new connection by client 'gerard' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI_sva: pool returned IPv4=10.8.0.99, IPv6=(Not enabled)
Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: Learn: 10.8.0.99 -> gerard/x.x.x.x:40795
Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: primary virtual IP for gerard/x.x.x.x:40795: 10.8.0.99
Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 PUSH: Received control message: 'PUSH_REQUEST'
Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 send_push_reply(): safe_cap=940
Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 SENT CONTROL [gerard]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.99 255.255.255.0' (status=1)
And at the end of this file there is
PUSH_REPLY,route-gateway 10.8.0.1
but I didn't set it anywhere.
what am i missing?
please help!
-
harrymc over 6 years
Please give the entire output of
route print
(upload it somewhere if too long). You apparently miss on the client a route for the LAN, for it not to go via the VPN.
-
gerpaick over 6 years
I edited my question to be more accurate. I hope.
-
gerpaick over 6 years
I want my clients, after connecting to the VPN, to use their own gateways for the internet, and to be able to see each other on the VPN network.
-
Vomit IT - Chunky Mess Style over 6 years
Consider looking into softether.org if you can or have time. It's much more straightforward and simpler to set up than OpenVPN. It too is open source, so you can see all the code if needed.
-
gerpaick over 6 years
I don't have
redirect-gateway def1
in my server.conf file, so I added
route 10.8.0.0 255.255.255.0 10.8.0.1
to client.ovpn. I restarted both client and server, but still all my outgoing connections go via
10.8.0.1
.
-
gerpaick over 6 years
On a PPTP VPN connection there is an option in Windows, 'use default gateway on remote network'. If it's not checked I can see computers in the VPN LAN, and the default connection is via the local gateway. Is there anything similar in OpenVPN?
-
harrymc over 6 years
The above route command says that everything from 10.8.0.X should pass via 10.8.0.1. If you wish for it to go elsewhere, specify another gateway.
-
harrymc over 6 years
You should specify as gateway the one that is used by the devices in your LAN. Typically this is the router.
-
Jespertheend over 2 years
If I do this I can no longer connect to other clients even though I have
client-to-client
set. The only thing the
route
does for me is make sure I can connect to localhost via my assigned private IP.