Full or Split Tunnel Profiles?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
thewolf
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 30, 2021 9:53 pm

Full or Split Tunnel Profiles?

Post by thewolf » Thu Jul 01, 2021 1:42 am

Hi, I am looking to replace our small office remote access solution with OpenVPN Access server. I’ve setup a VM instance of Access server as a trial with just the basic configs.

The issue I am having is figuring out full and split tunnel configs for certain profiles. Ideally we would like a split tunnel for some employees and a full tunnel for others. I am surprised that this isn't an easier setting, our current solution it's just a tick box under each profile.

I have seen examples of adding pull-filter ignore "redirect-gateway" to the client file but my server config is set to tunnel all traffic and has no push redirect-gateway line in the server.conf. I have not had any luck trying any of the examples I have found.

What would be the correct way of doing this with the Access Server setup? Could Full or Split tunnel configs be assigned as a group?

Thanks!

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 296
Joined: Tue Feb 16, 2021 10:41 am

Re: Full or Split Tunnel Profiles?

Post by openvpn_inc » Thu Jul 01, 2021 8:25 am

Hello thewolf,

Yes, it can be assigned as a group setting, but there's no tickbox for it in the Admin UI.

You can enable redirecting client Internet traffic globally in the VPN server under Configuration > VPN Settings > Redirect client Internet traffic through the VPN server. This enables it for everyone on the server unless otherwise specified. That means by default it is full-tunnel redirection for all users.

You can create a group under Group Permissions. Next, run a command line option to set a property on this group that turns off Internet redirection for this group. Any users part of this group will then inherit that setting and will be split-tunnel. So from now on from the Admin UI you can assign a user to that group and it will inherit that setting.

Since usually when you redirect Internet traffic you likely also want to push a DNS server (also in VPN Settings page), we have 2 different options. The commands must be run as root user:

Disable redirection of Internet traffic, and don't push DNS servers:

Code: Select all

cd /usr/local/openvpn_as/scripts/
./sacli --user <USER_OR_GROUP> --key "prop_reroute_gw_override" --value "disable" UserPropPut
Disable redirection of Internet traffic, but still push DNS servers:

Code: Select all

cd /usr/local/openvpn_as/scripts/
./sacli --user <USER_OR_GROUP> --key "prop_reroute_gw_override" --value "dns_only" UserPropPut
And to reload the configuration so Access Server will actually apply these new settings in the configuration:

Code: Select all

./sacli start
Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

thewolf
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 30, 2021 9:53 pm

Re: Full or Split Tunnel Profiles?

Post by thewolf » Thu Jul 01, 2021 7:00 pm

Thanks Johan,

I am not sure how, but I must admit I somehow convinced myself that the command line scripts were for custom device integration support. Like consumer routers with VPN built in.

After your solution and a more thorough read of the wonderful resource guides I am up and running.

Thanks!

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 296
Joined: Tue Feb 16, 2021 10:41 am

Re: Full or Split Tunnel Profiles?

Post by openvpn_inc » Fri Jul 02, 2021 7:12 am

Hello thewolf,

Glad to hear you were able to get things configured the way you wanted.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

KruseLudington
OpenVpn Newbie
Posts: 1
Joined: Sun Aug 01, 2021 12:07 am

Config for bypass from client side

Post by KruseLudington » Sun Aug 01, 2021 12:28 am

Please forgive the dumb questions, but complete newbie here... I am using a VPN provider and connecting to them via OpenVPN from our router as client.

Due to some weird constraints we are unable do a few of these things outside of OpenVPN -

Can I set a global setting in our router (in the OpenVPN config file) such that all internet bound traffic on our internal network still goes through the VPN EXCEPT BYPASSES THE VPN and goes directly into the local isp's internet connection for the below specified cases?

1. From a specific IP address (stopping that client from ever routing through the vpn)

2. Only when accessing a specific URL (all other traffic should go through the VPN but VPN not to be used when browsing specified urls or URL's with specified keywords - would bypass the vpn and go directly to the internet locally)

2. Traffic sent by specific applications (I specify which applications) which would always bypass the vpn (OS's running those apps being IOS, Android Apple OS and Windows)?

Lastly, if I am way off base then can someone set me straight and at least point me towards a sophisticated windows or Android client that has an app with a UI which will allow me to configure all the client side OpenVPN settings that I can save into an ovpn file to upload to the router for the client settings to our vpn provider (or if the ovpn file is just a text file then a simple listing somewhere of all settings that can be set on the client side such as those listed above and whatever else there may be?)

chilinux
OpenVPN Power User
Posts: 122
Joined: Thu Mar 28, 2013 8:31 am

Re: Full or Split Tunnel Profiles?

Post by chilinux » Sun Aug 01, 2021 10:08 am

KruseLudington, your question is not related to the OpenVPN Access Server product. What is running on your router is the community edition of OpenVPN.

What you are asking for is "policy-based routing" such that a source IP or specific network port is used as the basis to route the packets. That is not something done completely self-contained in an ovpn file. The ovpn file can call external scripts for when the openvpn connection is brought "up" or brought "down." It would then be those external scripts to establish policy-based routing. But those scripts themselves are not stored directly in the ovpn file.

You also seem to be looking for performing routing based on URL analysis. This would be accomplished by a web proxy application which would run external to the OpenVPN application itself.

The OpenVPN configuration file route commands are strictly traditional *destination* based IP routing only.

Figuring out what policy-based routing your unspecified router is capable of and how to author the 'up' script for it falls outside of the scope of the OpenVPN Access Server section of this forum. I would recommend you contact the support of the unspecified manufacturer of the router to find out more regarding the "global settings" features they provide.

Post Reply