One OpenVPN client that optionally tunnels gateway traffic

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

cqfast
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 24, 2014 7:04 pm

One OpenVPN client that optionally tunnels gateway traffic

Post by cqfast » Wed Dec 24, 2014 7:44 pm

I currently have two wireless routers configured as OpenVPN clients tunneling to the same server running two OpenVPN service instances; router1 client tunnels only the private 10.11.0.0 network traffic, and router2 client tunnels all network traffic. With this setup, I can choose whether my wired/wireless devices get fully tunneled or not by choosing which router to connect to.

But I want to know whether I can have this same choice using only one router and OpenVPN client. My hope is that different routing rules would be chosen according to the gateway used by the wired/wireless device. The router1 has a LAN address (say 192.168.1.1) which is the gateway normally used by the wired/wireless devices, but the router1 also has an OpenVPN address (say 10.11.0.6) that can successfully be used as a gateway address by the wired/wireless device. Is it possible to write iptables rules such that *all* traffic coming to the OpenVPN gateway address 10.11.0.6 gets tunneled, but traffic coming to the 'regular' gateway 192.168.1.1 gets routed normally (tunneled only if the destination is the network 10.11.0.0)?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: One OpenVPN client that optionally tunnels gateway traff

Post by Traffic » Sat Dec 27, 2014 11:38 am

You could try two client configs on your client ..

one which redirects the default gateway - add to client config:

redirect-gateway def1 bypass-dhcp

and one which does not.

cqfast
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 24, 2014 7:04 pm

Re: One OpenVPN client that optionally tunnels gateway traff

Post by cqfast » Sat Dec 27, 2014 6:54 pm

As far as I know, my wireless router (dd-wrt firmware) permits only one OpenVPN client config. But if the router permitted two simultaneous OpenVPN client connections, I would still be left with my original puzzle of how to choose either the fully-tunneled or partly-tunneled pathway from a wired/wireless device that is connecting to the router.

I think I am wanting to manually build the routing rules that would otherwise happen automatically with the "redirect-gateway" OpenVPN config line. And I am hoping that I can build the routing rules such that a wired/wireless device can choose whether or not to be fully-tunneled. Instead of my original idea of choosing different gateway addresses from the wired/wireless device, perhaps I could choose the source address: so any traffic from 192.168.1.248/29 gets fully-tunneled by the router while all other traffic gets partly-tunneled.

Does anyone know the routing/iptables rules that are applied to the OpenVPN client when the "redirect-gateway" option is being used? Is it reasonable for me to attempt to mimic them manually?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: One OpenVPN client that optionally tunnels gateway traff

Post by Traffic » Mon Dec 29, 2014 11:34 pm

cqfast wrote: Does anyone know the routing/iptables rules that are applied to the OpenVPN client when the "redirect-gateway" option is being used? Is it reasonable for me to attempt to mimic them manually?

OpenVPN does not manipulate iptables, however, you can mimic the actions of --redirect-gateway: See --redirect-gateway in The Manual v23x

cqfast wrote: so any traffic from 192.168.1.248/29 gets fully-tunneled by the router while all other traffic gets partly-tunneled.

It might be possible to do this with iptables on the client router but I do not know how .. sorry.
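As an added example (not posted by anyone in this thread), here is one way to do what cqfast describes: mimic what --redirect-gateway def1 does, but in a separate routing table that only the 192.168.1.248/29 hosts are steered into, so every other LAN host keeps the partial tunnel. The interface name tun0, the tun peer 10.11.0.5, the LAN 192.168.1.0/24, the upstream eth0/192.168.0.1 and the server address 203.0.113.10 are assumptions; replace them with the router's real values.

```shell
#!/bin/sh
# Added example (not from the thread): give only the hosts in TUNNEL_NET a full
# tunnel through the router's OpenVPN interface, leaving everyone else on the
# partial (10.11.0.0-only) tunnel that the main routing table already provides.
# Assumed values: tun0 is the OpenVPN interface, VPN_GW its peer address,
# VPN_SERVER the server's public address (TEST-NET placeholder), WAN_GW/WAN_IF
# the router's normal upstream, LAN_NET the router's LAN, table 100 unused.
TUNNEL_NET=${TUNNEL_NET:-192.168.1.248/29}   # the /29 proposed in the thread
LAN_NET=${LAN_NET:-192.168.1.0/24}           # assumed LAN behind 192.168.1.1
VPN_IF=${VPN_IF:-tun0}
VPN_GW=${VPN_GW:-10.11.0.5}                  # assumed tun peer of 10.11.0.6
VPN_SERVER=${VPN_SERVER:-203.0.113.10}       # placeholder server address
WAN_IF=${WAN_IF:-eth0}
WAN_GW=${WAN_GW:-192.168.0.1}                # placeholder upstream gateway
TABLE=${TABLE:-100}

# With DRY_RUN=1 the commands are printed instead of executed (root needed otherwise).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# apply add -> install the rules;  apply del -> remove exactly the same rules.
apply() {
  op=$1
  ipt=-I; [ "$op" = del ] && ipt=-D
  # Like --redirect-gateway: pin the server itself to the real WAN gateway so the
  # tunnel can never be routed into itself.
  run ip route "$op" "$VPN_SERVER" via "$WAN_GW" dev "$WAN_IF"
  # The "def1" trick, but in its own table: two /1 routes beat any default route
  # without having to delete it.
  run ip route "$op" 0.0.0.0/1   via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
  run ip route "$op" 128.0.0.0/1 via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
  # LAN-to-LAN traffic of the tunneled hosts stays on the main table (checked first).
  run ip rule "$op" from "$TUNNEL_NET" to "$LAN_NET" lookup main priority 999
  # Everything else from the /29 is looked up in the full-tunnel table.
  run ip rule "$op" from "$TUNNEL_NET" lookup "$TABLE" priority 1000
  # Source-NAT the tunneled hosts behind the tun address so replies come back via VPN.
  run iptables -t nat "$ipt" POSTROUTING -s "$TUNNEL_NET" -o "$VPN_IF" -j MASQUERADE
  # Kill switch: if tun0 goes down, the /29 must not silently fall back to the WAN.
  run iptables "$ipt" FORWARD -s "$TUNNEL_NET" -o "$WAN_IF" -j DROP
}

if [ $# -gt 0 ]; then
  case "$1" in
    setup)   apply add ;;
    destroy) apply del ;;
    *) echo "usage: $0 setup|destroy   (set DRY_RUN=1 to only print)" >&2 ;;
  esac
fi
```

Because the main table is never touched, the 10.11.0.0 route that OpenVPN installs keeps serving the other LAN hosts, and a single client config without redirect-gateway is enough.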
