Routing /16 except for /24 ?

Posted: Fri Apr 12, 2019 1:25 am
by staticprop
Hello all,

I'm working on a network that has a /24 management network within a larger /16 network. The openvpn client has an ip within the /24. I want to route for example 10.255.0.0/16 through the tunnel with the exception of the IP assigned to the client interface. I tested the directive "redirect-gateway block-local def1" but I don't want all the traffic going down the tunnel, just the 10.255.0.0/16 connections (minus the ip on the interface). Anyone aware of a directive that will support such a thing? Ex. push 10.255.0.0/16 block-local

Gracias,

sp.

Re: Routing /16 except for /24 ?

Posted: Fri Apr 12, 2019 6:43 pm
by hackerm
Try placing routes in an up script.

Example:

ip rule add from 10.255.252.0/23 lookup tun0
ip rule add from 10.255.248.0/22 lookup tun0
ip rule add from 10.255.240.0/21 lookup tun0
ip rule add from 10.255.224.0/20 lookup tun0
ip rule add from 10.255.192.0/19 lookup tun0
ip rule add from 10.255.128.0/18 lookup tun0
ip rule add from 10.255.0.0/17 lookup tun0

This will exclude 10.255.254.0/24 from being routed down the tunnel and will cover everything else in the 10.255.0.0/16 subnet.

Renumber according to your own needs.

Gracias

sp.

Re: Routing /16 except for /24 ?

Posted: Fri Apr 12, 2019 10:49 pm
by TinCanTech
staticprop wrote:
Fri Apr 12, 2019 1:25 am
I want to route for example 10.255.0.0/16 through the tunnel with the exception of the IP assigned to the client interface

route 10.255.0.0 255.255.0.0
Or --push that from the server.

Re: Routing /16 except for /24 ?

Posted: Sat Apr 13, 2019 2:34 pm
by hackerm
Push route 10.255.0.0 255.255.0.0 will not exclude the /24 within the 10.255 network. The poster wanted to exclude the management network from routing down the tunnel.

Re: Routing /16 except for /24 ?

Posted: Sat Apr 13, 2019 3:01 pm
by TinCanTech
According to the OP's original question, the answer I gave should work.

Re: Routing /16 except for /24 ?

Posted: Sat Apr 13, 2019 6:12 pm
by Pippin
How about firewall rules?
Wouldn't that be the proper way?

Re: Routing /16 except for /24 ?

Posted: Sun Apr 14, 2019 12:47 am
by TinCanTech
Using a firewall can stop traffic for the "management network" going via the tunnel ;)

Re: Routing /16 except for /24 ?

Posted: Sun Apr 14, 2019 7:01 pm
by staticprop
The post by hackerm solved the issue. It allows me to route everything down the tunnel except for the /24 management network within the same larger /16 subnet. Using route 10.255.0.0 sends everything down the tunnel and breaks the connection soon after the tunnel is setup. This is because the IP on the VPN server acting as the client is an IP on this /24.

Re: Routing /16 except for /24 ?

Posted: Mon Apr 15, 2019 3:59 pm
by Pippin
When your client is connected, can he set a route to the management network...?
I would still use firewall...

Re: Routing /16 except for /24 ?

Posted: Mon Apr 15, 2019 5:05 pm
by TinCanTech
staticprop wrote:
Fri Apr 12, 2019 1:25 am
I want to route for example 10.255.0.0/16 through the tunnel with the exception of the IP assigned to the client interface
I am not even going to try to understand what this means without the prerequisite information.

Re: Routing /16 except for /24 ?

Posted: Wed Apr 17, 2019 12:34 am
by staticprop
openvpn server acting as a client has an IP address of 10.255.254.1. This is the source IP that makes a connection to the remote server. 10.255.254.0/24 is the management network. After the VPN is established the local host tries to send vpn connection packets to the remote server down the tunnel and the connection breaks. Also the local host (10.255.254.1) can no longer reach the internet. I just wanted to exclude this /24 from getting routed down the tunnel. Using a firewall will do nothing to stop this if there is a route on the server sending it down the tunnel. My packets will get dropped.
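The hand-written `ip rule` list in hackerm's reply and the failure described in this post (the /16 route swallowing the 10.255.254.0/24 management network that the VPN endpoint itself sits in) both come down to the same computation: the set of prefixes that cover a /16 while leaving one /24 out. The script below is an added example, not code from the thread or from the OpenVPN project. It uses the standard-library `ipaddress` module to compute that set for any outer/excluded pair, checks that the result really covers every block except the excluded one, and prints the prefixes both as OpenVPN `route` directives (which a server can push) and in the `ip rule add ... lookup tun0` form used above. The table name `tun0` is taken from the post and is assumed to exist in `/etc/iproute2/rt_tables`; the addresses are the ones from the thread.

```python
# Added example (not from the thread): enumerate the prefixes that cover an
# outer network except one excluded block, verify the cover, and emit them
# as OpenVPN "route" lines and as "ip rule add" lines.
from ipaddress import IPv4Network, ip_network


def complement(outer: str, excluded: str) -> list[IPv4Network]:
    """Prefixes of `outer` that together cover everything in it except
    `excluded`, sorted by address. A /16 minus a /24 yields eight prefixes:
    /17, /18, ... /23 plus the excluded block's sibling /24."""
    outer_net = ip_network(outer, strict=True)
    excluded_net = ip_network(excluded, strict=True)
    if not excluded_net.subnet_of(outer_net):
        raise ValueError(f"{excluded} is not inside {outer}")
    if excluded_net == outer_net:
        raise ValueError("excluding the whole network leaves nothing to route")
    # address_exclude() halves `outer` repeatedly, keeping the half that does
    # not contain `excluded` each time, until only `excluded` itself is left.
    return sorted(outer_net.address_exclude(excluded_net))


def covers_exactly(outer: str, excluded: str, nets: list[IPv4Network]) -> bool:
    """Sanity check for a hand-written list: every block of `outer` the size
    of `excluded` must be inside exactly one prefix in `nets`, except the
    excluded block itself, which must be inside none."""
    outer_net = ip_network(outer)
    excluded_net = ip_network(excluded)
    for block in outer_net.subnets(new_prefix=excluded_net.prefixlen):
        hits = sum(1 for n in nets if block.subnet_of(n))
        wanted = 0 if block == excluded_net else 1
        if hits != wanted:
            return False
    return True


def openvpn_route_lines(nets: list[IPv4Network]) -> list[str]:
    """OpenVPN `route <network> <netmask>` directives for the client config,
    or to be wrapped as push "route ..." on the server."""
    return [f"route {n.network_address} {n.netmask}" for n in nets]


def ip_rule_lines(nets: list[IPv4Network], table: str = "tun0") -> list[str]:
    """Same prefixes in the `ip rule add from ... lookup <table>` form used in
    the post above; `table` must be defined in /etc/iproute2/rt_tables."""
    return [f"ip rule add from {n.with_prefixlen} lookup {table}" for n in nets]


if __name__ == "__main__":
    # Values from the thread: route 10.255.0.0/16 via the tunnel, but keep the
    # management network 10.255.254.0/24 (where the endpoint lives) out of it.
    OUTER, MGMT = "10.255.0.0/16", "10.255.254.0/24"
    nets = complement(OUTER, MGMT)
    print("\n".join(openvpn_route_lines(nets)))
    print()
    print("\n".join(ip_rule_lines(nets)))
    print("\ncomplete cover:", covers_exactly(OUTER, MGMT, nets))
```

Run over the seven prefixes listed in hackerm's reply, `covers_exactly` reports the sibling block 10.255.255.0/24 as uncovered; if hosts in that range should also go through the tunnel, the generated list supplies the eighth line. Whichever form is installed, the same check is worth repeating whenever the management network is renumbered, since a single missing or mistyped prefix either leaks traffic off the tunnel or, as this post describes, pulls the endpoint's own /24 into it and breaks the VPN control channel.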

Re: Routing /16 except for /24 ?

Posted: Wed Apr 17, 2019 2:54 am
by TinCanTech
staticprop wrote:
Wed Apr 17, 2019 12:34 am
openvpn server acting as a client
staticprop wrote:
Fri Apr 12, 2019 1:25 am
I'm working on a network that has a /24 management network within a larger /16 network. The openvpn client has an ip within the /24
Which client ?

Please see:
viewtopic.php?f=30&t=22603

Re: Routing /16 except for /24 ?

Posted: Wed Apr 17, 2019 10:56 am
by staticprop
OpenVPN Community Edition running on Linux, no GUI, in client mode.

Re: Routing /16 except for /24 ?

Posted: Tue Apr 23, 2019 8:43 am
by kevlevrone
Hi there. Thanks for the useful information.