Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

How to customize and extend your OpenVPN installation.
Post Reply
piashaw
OpenVpn Newbie
Posts: 7
Joined: Thu May 10, 2018 9:01 am

Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by piashaw » Thu May 10, 2018 9:34 am

HI,

If in principle this is possible I can send all my config files.

I have OpenVPN working and can connect to it remotely. I have two options working:
1) just accessing the remote server lan devices only
2) using "redirect-gateway def1" in the client config I can push ALL data throught the VPN and this works. I then have both remote internet and server lan access.

I am now trying to set up a third option. Similar to version 2 for certain clients where they will NOT be able to have access to the server lan.

The issue I am facing is that the server is on a Synology NAS and is behind an ISP provided Router (UPC)

ie Router UPC 192.168.100.1
Synology Server (OpenVPN) 192.168.100.2
Other Server Lan devices 192.168.10.3.........
Normal VPN adresses are 10.8.0.....

Using https://openvpn.net/index.php/open-sour ... tml#policy I have managed to get the clients which I don't want to have server LAN access onto 10.8.1..... using "ifconfig-push 10.8.1.1 10.8.1.2" in the CCD directory.

Is there anyway I can actually achieve what I want when the Server is NOT The router and that All traffic goes out ontot the WAN and not via the router back onto the local net? Obviously if the server was the router I could redirect the traffic through the relevant interface.

Thanks

johnsoninnyc
OpenVpn Newbie
Posts: 2
Joined: Mon May 07, 2018 7:04 pm

Re: Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by johnsoninnyc » Thu May 10, 2018 9:08 pm

Add this to the client config:

route 192.168.0.0 255.255.255.0 net_gateway

this would block ip’s 192.168.0.1 thru 192.168.0.253

I just tested on my setup and it worked.

The block functions by sending these out the local gateway instead of over the vpn.

this does not interrupt (or get overridden by) “redirect-gateway” because it is a more specific route than the two routes established which serve to achieve redirect-gateway option. and more specific routes take priority.

piashaw
OpenVpn Newbie
Posts: 7
Joined: Thu May 10, 2018 9:01 am

Re: Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by piashaw » Fri May 11, 2018 9:11 am

Many thanks indeed.

Worked a treat. Much simpler that I had expected........

So Glad thre are so many experts on this Forum.

I ended using a push "route ......" in the CCD for that user.

Thanks again also for the explanation as to why ity works!

piashaw
OpenVpn Newbie
Posts: 7
Joined: Thu May 10, 2018 9:01 am

Re: Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by piashaw » Fri May 11, 2018 10:32 am

MAybe you can help on a small isuue I still have......
I wrote the push command into the CCD directory and it works, but then each time it gets overwritten with
ifconfig-push 10.8.0.6 255.255.255.0 adn so nect time it doesn't work as expected again.

Pippin
OpenVPN Expert
Posts: 339
Joined: Wed Jul 01, 2015 8:03 am

Re: Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by Pippin » Fri May 11, 2018 11:21 am

It gets overwritten by radius.
To avoid that, edit

Code: Select all

/volume1/@appstore/VPNCenter/etc/openvpn/radiusplugin.cnf
and change

Code: Select all

overwriteccfiles=true
to

Code: Select all

overwriteccfiles=false
If ^that^ doesn`t work, post up your complete openvpn.conf and ccd files.

Now you`re at "hacking" your way through Synology`s configuration anyway, you might as well switch to --topology subnet.
Last edited by Pippin on Fri May 11, 2018 12:34 pm, edited 1 time in total.

piashaw
OpenVpn Newbie
Posts: 7
Joined: Thu May 10, 2018 9:01 am

Re: Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by piashaw » Fri May 11, 2018 12:08 pm

Thanks Pippin,

that appears to have solved it. Unbelieveable that it overwrote the files even though I had chmod 444 on them!!

Now I'll have to look into your --topology suggestion, but at least I have what I need now!

piashaw
OpenVpn Newbie
Posts: 7
Joined: Thu May 10, 2018 9:01 am

Re: Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by piashaw » Wed May 16, 2018 9:32 pm

Hi again Pippin,

I now re did my system on a Raspberry pi additionally using stunnel to try and fool DPI. I have the issue again that I cannot block the local LAN using the ccd as before.

The OpenVPN log shows that route is being always created to pass the traffic

Code: Select all

Wed May 16 23:24:00 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 91.239.100.100,dhcp-option DNS 208.67.222.222,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 120,route 192.168.178.0 255.255.255.0 net_gateway,ifconfig 10.8.0.10 10.8.0.9,peer-id 0,cipher AES-256-GCM'
Wed May 16 23:24:00 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed May 16 23:24:00 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed May 16 23:24:00 2018 OPTIONS IMPORT: route options modified
Wed May 16 23:24:00 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed May 16 23:24:00 2018 OPTIONS IMPORT: peer-id set
Wed May 16 23:24:00 2018 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed May 16 23:24:00 2018 OPTIONS IMPORT: data channel crypto options modified
Wed May 16 23:24:00 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed May 16 23:24:00 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May 16 23:24:00 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May 16 23:24:00 2018 interactive service msg_channel=900
Wed May 16 23:24:00 2018 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 I=16 HWADDR=18:60:24:16:e9:4c
Wed May 16 23:24:00 2018 open_tun
Wed May 16 23:24:00 2018 TAP-WIN32 device [Ethernet 6] opened: \\.\Global\{E384BAE4-A277-4669-B536-69F24842B824}.tap
Wed May 16 23:24:00 2018 TAP-Windows Driver Version 9.21 
Wed May 16 23:24:00 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {E384BAE4-A277-4669-B536-69F24842B824} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Wed May 16 23:24:00 2018 Successful ARP Flush on interface [28] {E384BAE4-A277-4669-B536-69F24842B824}
Wed May 16 23:24:00 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed May 16 23:24:00 2018 MANAGEMENT: >STATE:1526505840,ASSIGN_IP,,10.8.0.10,,,,
Wed May 16 23:24:00 2018 Blocking outside dns using service succeeded.
Wed May 16 23:24:05 2018 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
Wed May 16 23:24:05 2018 C:\WINDOWS\system32\route.exe ADD 127.0.0.1 MASK 255.255.255.255 192.168.178.1
Wed May 16 23:24:05 2018 Route addition via service succeeded
Wed May 16 23:24:05 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.9
Wed May 16 23:24:05 2018 Route addition via service succeeded
Wed May 16 23:24:05 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.9
Wed May 16 23:24:05 2018 Route addition via service succeeded
Wed May 16 23:24:05 2018 MANAGEMENT: >STATE:1526505845,ADD_ROUTES,,,,,,
Wed May 16 23:24:05 2018 C:\WINDOWS\system32\route.exe ADD 77.56.146.244 MASK 255.255.255.255 192.168.178.1
Wed May 16 23:24:05 2018 Route addition via service succeeded
Wed May 16 23:24:05 2018 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.9
Wed May 16 23:24:05 2018 Route addition via service succeeded
Wed May 16 23:24:05 2018 C:\WINDOWS\system32\route.exe ADD 192.168.178.0 MASK 255.255.255.0 192.168.178.1
Wed May 16 23:24:05 2018 Route addition via service succeeded
Wed May 16 23:24:05 2018 Initialization Sequence Completed
Wed May 16 23:24:05 2018 MANAGEMENT: >STATE:1526505845,CONNECTED,SUCCESS,10.8.0.10,127.0.0.1,1337,127.0.0.1,50388
My server conf is:

Code: Select all

dev tun
proto tcp
port 1194

#push "route 192.168.178.0 255.255.255.0"
#push "route 10.8.0.0 255.255.255.0"

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_YAPdB5A2CuDWglzS.crt
key /etc/openvpn/easy-rsa/pki/private/server_YAPdB5A2CuDWglzS.key
dh none
#topology subnet
server 10.8.0.0 255.255.255.0


client-config-dir /etc/openvpn/ccd


# Set your primary domain name server address for clients

push "dhcp-option DNS 91.239.100.100"
push "dhcp-option DNS 208.67.222.222"

# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
#push "redirect-gateway def1"
#client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
sndbuf 0
rcvbuf 0
and client conf

Code: Select all

client
dev tun
proto tcp
remote 127.0.0.1 1337
route myserver.dyn.address 255.255.255.255 net_gateway
resolv-retry infinite
nobind
tun-mtu 1500
#tun-mtu-extra 32
mssfix 1450
sndbuf 0
rcvbuf 0
persist-key
persist-tun

redirect-gateway def1

auth-nocache
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_Abcd6768YWglzS name
cipher AES-256-CBC
auth SHA256
compress lz4
verb 3
Thanks

I can forward teh stunnel set up if of any use

piashaw
OpenVpn Newbie
Posts: 7
Joined: Thu May 10, 2018 9:01 am

Re: Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by piashaw » Thu May 17, 2018 8:34 am

It is working now as expected, a restart somewhere along the line has got it working as expected....

Apologies for the confusion.

piashaw
OpenVpn Newbie
Posts: 7
Joined: Thu May 10, 2018 9:01 am

Re: Routing ALL VPN traffic direct to WAN, no lan access. Server is not on the Router

Post by piashaw » Thu May 17, 2018 3:38 pm

I spoke too soon. Works with OpenVPN client on a windows computer through stunnel but NOT on an android using openvpnconnect and SSLDroid.

Post Reply