How can I change the routes that are created by openvpn?

[julian533]

Hello,
I have implemented an OpenVPN server in the cloud that listens on the TCP port with the " tun" option. Additionally I have activated the Client-to-CLient option. Now I have 2 VMs in the cloud and 2 machines in my local network connected to the server.
All machines form a Kubernetes cluster, which uses the VPN network. My problem is that even when data is exchanged between local machines or between cloud VMs, the data first goes to the VPN server and then back to the respective network. My question is whether it is possible to create special routes for the VPN network, so that when exchanging data from machines that are in the same subnet (in my case the 2 local machines and in the CLoud the 2 VMs), the data is not first sent to the VPN server and then back again.


Any help would be greatly appreciated.

[TinCanTech]

All VPN clients only communicate via the server over the VPN.

You either need a meshed network, which OpenVPN does not do, or route outside the VPN for local traffic.

[julian533]

I am aware that all clients communicate over the VPN. But isn't there a way to create an extra routing table on each client, which changes the route only for the clients in the same subnet?

[TinCanTech]

isn't there a way to create an extra routing table on each client, which changes the route only for the clients in the same subnet?

Clients in the same subnet already have said route ...

[julian533]

or route outside the VPN for local traffic.

That is exactly what I am asking for. But how can I achieve that the 2 clients in the local network do not go over the VPN. My problem is that Kubernetes uses the VPN network. Do I need to create special routing rules for the addresses? So on each client one rule for the other?

[TinCanTech]

Perhaps you can show your current routing .. here is a starter:
viewtopic.php?f=30&t=22603

[julian533]

These are the current routing rules on the first VM:

Code: Select all

default via 10.156.0.1 dev ens4 proto dhcp src 10.156.0.5 metric 100 
10.8.0.0/24 via 10.8.0.9 dev tun0 
10.8.0.9 dev tun0 proto kernel scope link src 10.8.0.10 
10.32.0.0/12 dev weave proto kernel scope link src 10.44.0.0 
10.156.0.1 dev ens4 proto dhcp scope link src 10.156.0.5 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.156.0.1      0.0.0.0         UG    100    0        0 ens4
10.8.0.0        10.8.0.9        255.255.255.0   UG    0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.32.0.0       0.0.0.0         255.240.0.0     U     0      0        0 weave
10.156.0.1      0.0.0.0         255.255.255.255 UH    100    0        0 ens4
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

My Kubernetes Clusters spans a peer network across the machines as follows:

Code: Select all

72:88:1a:16:f9:2a(w-robolab-p10)
   -> 10.8.0.26:6783        2e:5a:c8:db:5a:10(w-robolab-p03)      established
   <- 10.8.0.10:33281       e6:e4:ab:96:b2:9a(kubernetes-node-1)  established
   <- 10.8.0.22:53317       72:19:16:ad:95:b6(kubernetes-master)  established
   <- 10.8.0.14:60713       1e:f3:3d:aa:b1:a6(kubernetes-node-2)  established
1e:f3:3d:aa:b1:a6(kubernetes-node-2)
   -> 10.8.0.10:6783        e6:e4:ab:96:b2:9a(kubernetes-node-1)  established
   -> 10.8.0.22:6783        72:19:16:ad:95:b6(kubernetes-master)  established
   -> 10.8.0.26:6783        2e:5a:c8:db:5a:10(w-robolab-p03)      established
   -> 10.8.0.30:6783        72:88:1a:16:f9:2a(w-robolab-p10)      established
72:19:16:ad:95:b6(kubernetes-master)
   -> 10.8.0.10:6783        e6:e4:ab:96:b2:9a(kubernetes-node-1)  established
   -> 10.8.0.30:6783        72:88:1a:16:f9:2a(w-robolab-p10)      established
   <- 10.8.0.14:51359       1e:f3:3d:aa:b1:a6(kubernetes-node-2)  established
   -> 10.8.0.26:6783        2e:5a:c8:db:5a:10(w-robolab-p03)      established
2e:5a:c8:db:5a:10(w-robolab-p03)
   <- 10.8.0.10:38553       e6:e4:ab:96:b2:9a(kubernetes-node-1)  established
   <- 10.8.0.22:53415       72:19:16:ad:95:b6(kubernetes-master)  established 
   <- 10.8.0.14:42489       1e:f3:3d:aa:b1:a6(kubernetes-node-2)  established
   <- 10.8.0.30:44891       72:88:1a:16:f9:2a(w-robolab-p10)      established
e6:e4:ab:96:b2:9a(kubernetes-node-1)
   -> 10.8.0.26:6783        2e:5a:c8:db:5a:10(w-robolab-p03)      established
   -> 10.8.0.30:6783        72:88:1a:16:f9:2a(w-robolab-p10)      established
   <- 10.8.0.22:52881       72:19:16:ad:95:b6(kubernetes-master)  established
   <- 10.8.0.14:57599       1e:f3:3d:aa:b1:a6(kubernetes-node-2)  established

I would like to change the routing rules now so that packets going from VM1VM1(10.8.0.10) to VM2 (10.8.0.14) do not use dev tun0 but are routed through 10.156.0.1 dev ens4. If this were possible I could use the peer-to-peer network of Kubernetes so that packets in the same subnet are not routed through the VM. If you could give me an idea of how to do this, you would help me a lot!