Routing everything except a certain IP range through an OpenVPN tunnel

Solution 1

It appears, after doing some more research based on grawity's answer that more specific routes will take precedence, that after the server's PUSH I can simply do a

--route [ip to bypass] 255.255.255.0 net_gateway

net_gateway, as defined in the 'route' directive in the OpenVPN man page, will resolve to the pre-existing IP default gateway.

Solution 2

Simply add another route, and it will take precedence over less-specific ones:

172.16.* translates to 172.16.0.0 with netmask 255.255.0.0:

route add 172.16.0.0 mask 255.255.0.0 if index

where index is the index of your LAN network interface as shown by route print. For example, 0x3 or similar.
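Both solutions rely on the same rule: the kernel (or Windows) picks the matching route with the longest prefix, so a /16 bypass route via the LAN gateway wins over the two /1 routes that redirect-gateway def1 installs. The following script is an added example, not code from the question or either answer; it simulates longest-prefix-match lookup over the route table shown in the question's log and then adds the 172.16.0.0/16 bypass route. The redacted 199.x.x.x server address is replaced by a documentation-range placeholder (198.51.100.10), and route metrics are ignored, which is an assumption of this simplified model.

```python
"""Longest-prefix-match simulation of the Windows route table that OpenVPN's
"redirect-gateway def1" builds, plus a more-specific bypass route for 172.16.0.0/16.
Constructed example; not part of the original Q&A."""
import ipaddress

VPN_GW = "10.8.0.5"          # tunnel peer from the log's ifconfig line
LAN_GW = "192.168.1.254"     # what OpenVPN calls net_gateway: the pre-existing default gateway
SERVER_PLACEHOLDER = "198.51.100.10"  # stands in for the redacted 199.x.x.x VPN server address

# Routes as (destination, netmask, gateway), mirroring the route.exe ADD lines in the question.
BASE_ROUTES = [
    ("0.0.0.0", "0.0.0.0", LAN_GW),                    # original default route (/0)
    (SERVER_PLACEHOLDER, "255.255.255.255", LAN_GW),   # keep the VPN server reachable via the LAN
    ("0.0.0.0", "128.0.0.0", VPN_GW),                  # def1: lower half of the address space (/1)
    ("128.0.0.0", "128.0.0.0", VPN_GW),                # def1: upper half of the address space (/1)
    ("10.8.0.1", "255.255.255.255", VPN_GW),           # route to the server's tunnel address
]


def lookup(routes, dest):
    """Return (network, gateway) of the most specific route matching dest, or None.

    Mirrors the longest-prefix-match rule: among all routes whose network contains
    the destination, the one with the longest prefix wins. Metrics are ignored here.
    """
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for net, mask, gw in routes:
        # ip_network accepts "address/netmask" notation, e.g. "0.0.0.0/128.0.0.0" -> 0.0.0.0/1
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if dest_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best


def gateway_for(routes, dest):
    """Gateway the destination would be sent to, or None if nothing matches."""
    match = lookup(routes, dest)
    return match[1] if match else None


def with_bypass(routes, net, mask):
    """Append a bypass route via the LAN gateway.

    This is the effect of either answer:
      OpenVPN: --route <net> <mask> net_gateway
      Windows: route add <net> mask <mask> <LAN gateway / interface>
    """
    return routes + [(net, mask, LAN_GW)]


BYPASS_ROUTES = with_bypass(BASE_ROUTES, "172.16.0.0", "255.255.0.0")


if __name__ == "__main__":
    for dest in ["8.8.8.8", "172.16.5.20", SERVER_PLACEHOLDER]:
        print(f"{dest:>15} -> {gateway_for(BASE_ROUTES, dest):<15}"
              f" | with bypass: {gateway_for(BYPASS_ROUTES, dest)}")
```

Without the bypass, 172.16.5.20 falls under 128.0.0.0/1 and goes into the tunnel; with the /16 route added it is sent to the LAN gateway while 8.8.8.8 still goes through the VPN. The only thing the simulation leaves out is the metric tie-break Windows applies when two routes have the same prefix length, which does not affect this case.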


Author: abond

Updated on September 18, 2022

Comments

  • abond (almost 2 years ago)

    I've been working with my OpenVPN server for a while, and I have a rather interesting problem. I need to redirect all client traffic through the tunnel except for a couple of IPs that need to be resolvable locally. The way I'm doing this is pushing these routes from the server:

    Server 'PUSH' directives

     push "redirect-gateway def1 bypass-dhcp" 
     push "dhcp-option DNS 8.8.8.8" 
     push "dhcp-option DNS 8.8.4.4"
    

    I'm seeing that translating into these Windows routes:

    Windows routes occurring

    Wed Aug 31 15:14:35 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
    Wed Aug 31 15:14:35 2011 ROUTE default_gateway=192.168.1.254
    
    Wed Aug 31 15:14:40 2011 C:\WINDOWS\system32\route.exe ADD 199.[*.*.*] MASK 255.255.255.255 192.168.1.254
    Wed Aug 31 15:14:40 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
    Wed Aug 31 15:14:40 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
    Wed Aug 31 15:14:40 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
    

    I've hidden my server's IP beginning with 199 for security purposes.

    What I've gathered

    I'm assuming that 0.0.0.0 is a kind of code for "everything," so I'm not sure how I could get this to work, but the general idea is that I need a specific IP range (172.16.*) to be resolvable on the LOCAL NETWORK (of the client), meaning it does not go through the VPN tunnel and the client can connect to 172.16.* locally.

    Is this possible? Routes can be executed through the command line, server "push" or client config options. Any way to get this to work while still routing other traffic through would do, really.

    Additional Info

    I have the server running on Debian 64-bit and the client running on Windows 7 (although Vista needs to work as well).

    Client/server configs can be provided if needed.

    • user1686 (almost 13 years ago)
      Technically 0.0.0.0 only means "everything" when added with a 0.0.0.0 netmask, or "/0". In your case, two more-specific routes (0.0.0.0/1 and 128.0.0.0/1) are added instead; the end result is the same (all addresses matched), but the added routes take priority over a "default" 0.0.0.0/0 route. You are still correct, though.
  • Ludovic Kuty (over 6 years ago)
    You can do a push for that route too: push "route [ip to bypass] 255.255.255.0 net_gateway".
  • Ludovic Kuty (over 6 years ago)
    But you have to know the interface. That also means the VPN server does not push the route itself.