Have Openvpn client to ignore its local lan?

Samples of working configurations.

Moderators: TinCanTech

Hansr
OpenVpn Newbie
Posts: 1
Joined: Fri May 15, 2015 10:19 am

Have Openvpn client to ignore its local lan?

Post by Hansr » Fri May 15, 2015 12:32 pm

Hi. I am using the OpenVPN server on Raspbian at home and the OpenVPN client (the official one) on Android 4.2 on an i9300 smartphone.

The situation in which I use OpenVPN on my phone is when I am connected to an open Wi-Fi network, e.g. in a hotel or café. I then tunnel all network access through my home. In this situation it is never necessary to access the local LAN.

Incidentally, I get IP conflicts between the local and the remote LAN. I read about changing my own LAN to a less commonly used IP numbering, but I would rather change my OpenVPN configuration to just block the local LAN where the client is, and thus make sure there will never be a conflict again.

Is there anything I could configure on server or client to get this?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Have Openvpn client to ignore its local lan?

Post by Traffic » Sat May 16, 2015 3:56 pm

This is the default operating mode for OpenVPN ..

If you do not use a full PKI (certs & keys) and do not use any --iroute statements in a client-connect-dir file .. then any packets from the client LAN will be dropped by the server.

Use --verb 4 in your server config and you will see when packets are dropped ..

As for network conflicts you are strongly advised to change your server network ..

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Have Openvpn client to ignore its local lan?

Post by Traffic » Mon May 18, 2015 5:02 pm

In fact, you do need a full PKI with CA, certificate and key, plus --mode server and --tls-server.

In point-to-point mode the "server" end can route the "client" LAN without --iroute, and vice versa ..

Essentially .. use --server in your server config but no --iroute in your CCD file.

To avoid network conflicts you can also try:

The Manual wrote:
--client-nat snat|dnat network netmask alias
  • This pushable client option sets up a stateless one-to-one NAT rule on packet addresses (not ports), and is useful in cases where routes or ifconfig settings pushed to the client would create an IP numbering conflict.

See --client-nat in The Manual v23x
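Putting the advice above together, here is an added example (not posted in this thread and not taken from the OpenVPN project) of a server-mode configuration that drops anything coming from the phone's local LAN, plus a pushed --client-nat rule so the phone can still reach a home LAN whose numbering collides with the hotel's. The addresses (home LAN 192.168.1.0/24, alias 10.64.1.0/24, tunnel 10.8.0.0/24), file paths and the client common name `phone-i9300` are assumptions; the NAT direction follows the manual wording quoted above (`network` is the client-side view, `alias` the server-side view, `dnat` for remote resources).

```conf
# /etc/openvpn/server.conf  (added example; all addresses and paths are assumed)
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0

# --server implies --mode server and --tls-server. With no --iroute for a
# client, packets whose source is that client's own LAN (not its tunnel
# address) are dropped by the server's internal routing.
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd

# Send all of the phone's traffic through the tunnel ...
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

# ... but do NOT push the real home LAN (192.168.1.0/24), which a hotel LAN
# may also use. Push an alias instead, plus a stateless 1:1 NAT: the phone
# addresses home hosts as 10.64.1.x; OpenVPN on the client rewrites the
# destination to 192.168.1.x on the way in and the source back on the way out.
push "route 10.64.1.0 255.255.255.0"
push "client-nat dnat 10.64.1.0 255.255.255.0 192.168.1.0"

# verb 4 shows dropped packets on the server; verb 6 on the client shows
# the src/dst rewriting done by --client-nat.
verb 4

# /etc/openvpn/ccd/phone-i9300  (matched by the client certificate CN)
# Fixed tunnel address only. Deliberately NO "iroute ..." line, so nothing
# from the phone's local LAN is ever routed into the home network.
# (net30 topology: .9 is the server side, .10 the client side of one /30)
ifconfig-push 10.8.0.10 10.8.0.9
```

With this in place the phone reaches the home router at 192.168.1.1 by using 10.64.1.1, regardless of what the hotel LAN is numbered, and a packet arriving at the server with a 192.168.x.x source from the phone's local LAN is logged and dropped. Hosts on the home LAN still need a route for 10.8.0.0/24 back to the Raspberry Pi (or the Pi must masquerade the tunnel); that part is unchanged by --client-nat.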
