Routing only certain public IP's through VPN

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
OpenVpn Newbie
Posts: 1
Joined: Tue Nov 05, 2019 5:22 am

Routing only certain public IP's through VPN

Post by ronreactcs » Tue Nov 05, 2019 5:30 am

I am trying to figure out how to route only certain public IP addresses as well as private IP's through the VPN (I do not want to route all public IP destinations through the VPN).

How does one go about configuring this in OpenVPN-AS? In the admin page there is a setting to route ALL internet traffic through the VPN (which works). But I'm not tracking how one goes about routing only some internet traffic through the VPN.

I've tried using route in the client config but the settings don't seem to be picked up (added route-nopull and route <destination ip address> to the client config).

Any guidance is appreciated. Thanks in advance

OpenVpn Newbie
Posts: 1
Joined: Tue Oct 12, 2021 7:14 pm

Re: Routing only certain public IP's through VPN

Post by egutierrez_osigu » Tue Oct 12, 2021 7:24 pm

I had the same scenario and since someone might find this in the future here is what you have to do.
1) Heads up this works on the OpenVPN-AS deployed in AWS, don't know about other versions.
2) Login to the admin console and go directly to Configuration -> VPN Settings and scroll down to Routing
3) You may have routing set the option Should VPN clients have access to private subnets (non-public networks on the server side)? to Yes, using Routing, change this to Yes, using NAT don't worry this will work as before on the next 2 steps
4) Make sure the option Specify the private subnets to which all clients should be given access (one per line): you fill it with both private and public addresses you want to route via the VPN.
5) Make sure you click Save Settings at the bottom but do not update the server just yet.
6) Navigate to Configuration -> Advanced VPN and scroll down to the option List of private subnets (one per line), which should be reachable via routing instead of NAT:
7) Fill in this text block only the private subnets of the step 4. Here is where the configuration returns back to normal as all this subnets will not be NAT'ed
8) Click Save Settings at the bottom and this time do click Update the running server at the top of the page.

That's all you need to NAT specific public addresses and normally route private subnets.

Hope this helps someone in the future

Post Reply