Route all traffic through VPN

e-Ra
OpenVpn Newbie
Posts: 9
Joined: Mon Oct 23, 2017 9:33 pm

Route all traffic through VPN

Post by e-Ra » Thu Jan 17, 2019 1:53 pm

Hi,

I followed the instructions of https://openvpn.net/community-resources ... /#redirect to enable the possibility of routing all clients' traffic through the VPN. I don't want to enable the feature in the AS GUI because this should only be possible for some users with a modified client config (redirect-gateway), not for all users by default. But I can reach only the allowed networks on the server side and the router, and can't get outside. Is it really enough to just masquerade the VPN subnet? (iptables -t nat -A POSTROUTING -s <VPN_SUBNET> -o eth0 -j MASQUERADE).

Thanks

novaflash
I should be on the dev team.
Posts: 950
Joined: Fri Apr 13, 2012 8:43 pm

Re: Route all traffic through VPN

Post by novaflash » Fri Jan 18, 2019 12:30 pm

If you only want this for one or two users, use access control on that user, and add these 2 subnets:
0.0.0.0/1
128.0.0.0/1
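
To show why those two /1 subnets capture all of a client's traffic while the client's original default route stays in place (the same trick OpenVPN's own redirect-gateway def1 uses), here is an added Python model of longest-prefix-match route lookup. This is example code, not from the thread or from Access Server; all addresses are constructed.

```python
import ipaddress

# Constructed sample routing table for a VPN client (hypothetical addresses).
LAN_GW = "192.168.1.1"       # client's local router
VPN_GW = "10.8.0.1"          # gateway inside the tunnel
VPN_SERVER = "203.0.113.10"  # public address of the VPN server (TEST-NET-3)

BASE_ROUTES = [
    ("0.0.0.0/0", LAN_GW),   # normal default route, left untouched
    ("10.0.0.0/8", VPN_GW),  # server-side private subnet pushed by the VPN
]

# The two /1 routes suggested above: together they cover every IPv4 address,
# but each is one bit more specific than the existing /0 default route,
# so they win the lookup without having to delete or replace that route.
HALF_ROUTES = [
    ("0.0.0.0/1", VPN_GW),
    ("128.0.0.0/1", VPN_GW),
]


def lookup(routes, dst):
    """Return the gateway for dst using longest-prefix match."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def redirect_all(routes):
    """Add the /1 pair plus a /32 host route for the VPN server via the LAN,
    as OpenVPN does, so the tunnel's own encrypted packets are not routed
    back into the tunnel."""
    return routes + HALF_ROUTES + [(VPN_SERVER + "/32", LAN_GW)]


def redirect_all_naive(routes):
    """Only the /1 pair, without the host route: shows the routing loop
    the host route exists to prevent."""
    return routes + HALF_ROUTES
```

With the /1 pair in place, internet destinations go via the tunnel, the pushed private subnet keeps matching its more specific /8, and removing the pair restores the original default route with nothing else to undo.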

e-Ra
OpenVpn Newbie
Posts: 9
Joined: Mon Oct 23, 2017 9:33 pm

Re: Route all traffic through VPN

Post by e-Ra » Fri Jan 18, 2019 5:20 pm

novaflash wrote:
Fri Jan 18, 2019 12:30 pm
If you only want this for one or two users, use access control on that user, and add these 2 subnets:
0.0.0.0/1
128.0.0.0/1
Yes, it's just for a small group of users and therefore a possible solution.
After I added the two subnets I figured out that the user's traffic is always routed through the VPN (regardless of redirect-gateway option).
What I want is the possibility to modify the client's config file (on the client, append the redirect-gateway option) in such a way that the user can then choose to route all the traffic to the VPN or just the related traffic. The default client config should not route all traffic through the VPN.

novaflash
I should be on the dev team.
Posts: 950
Joined: Fri Apr 13, 2012 8:43 pm

Re: Route all traffic through VPN

Post by novaflash » Fri Jan 18, 2019 5:23 pm

To do that you must enable the function to redirect all traffic through the VPN server, then use a command line override to disable pushing those routes to the users, and then manually add them in again on the client side.

e-Ra
OpenVpn Newbie
Posts: 9
Joined: Mon Oct 23, 2017 9:33 pm

Re: Route all traffic through VPN

Post by e-Ra » Fri Jan 18, 2019 6:06 pm

I enabled the general option (route all traffic through VPN) from the GUI and added '-redirect-gateway' (starting with minus sign to remove this option) to the 'Client Config Directives' in the 'Additional OpenVPN Config Directives (Advanced)' tab. I downloaded the new config file and appended 'redirect-gateway' but only the related traffic is routed through the VPN.
Do I have to remove additional options from the config file? Nevertheless the default behavior is good (only related traffic is routed through VPN).

novaflash
I should be on the dev team.
Posts: 950
Joined: Fri Apr 13, 2012 8:43 pm

Re: Route all traffic through VPN

Post by novaflash » Fri Jan 18, 2019 6:17 pm

Not sure what you meant by related traffic, but probably subnets you defined elsewhere in Access Server to push to your VPN clients.

You can't really block those unless you want to block all parameters and I would not advise that.

Or you could like just remove those rules from your configuration on the access server I guess, and then manually implement it.

e-Ra
OpenVpn Newbie
Posts: 9
Joined: Mon Oct 23, 2017 9:33 pm

Re: Route all traffic through VPN

Post by e-Ra » Fri Jan 18, 2019 6:31 pm

I mean traffic to the server-side private subnet. Maybe this was a misunderstanding, I don't want to block private subnets on the server-side.
I want the possibility that the client can choose whether to route all the traffic through VPN or just related traffic (traffic to server-side private subnets).
The traffic which can't be routed to a server-side private subnet should be forwarded to the standard route/gateway of the server and is then processed by a router. The goal is to have the possibility to browse the internet from the client side through the VPN (if needed). But the default behavior should be to route just traffic to server-side private subnets. The server-side private subnets must be always reachable.

novaflash
I should be on the dev team.
Posts: 950
Joined: Fri Apr 13, 2012 8:43 pm

Re: Route all traffic through VPN

Post by novaflash » Fri Jan 18, 2019 6:37 pm

If I read you correctly, then you now have the situation you wanted?

e-Ra
OpenVpn Newbie
Posts: 9
Joined: Mon Oct 23, 2017 9:33 pm

Re: Route all traffic through VPN

Post by e-Ra » Sat Jan 19, 2019 9:50 am

No, not yet. I think the last post clarifies what I want:
The goal is to have the possibility to browse the internet from the client side through the VPN (if needed). But the default behavior should be to route just traffic to server-side private subnets. The server-side private subnets must be always reachable.
The client user should manage this by appending the 'redirect-gateway' option (maybe other options to append/remove necessary) to his client config file if all the traffic should go through the VPN. Otherwise he just uses the unmodified config file.

I hope it's now more clear?

novaflash
I should be on the dev team.
Posts: 950
Joined: Fri Apr 13, 2012 8:43 pm

Re: Route all traffic through VPN

Post by novaflash » Sat Jan 19, 2019 10:02 am

I really suggest you send in a support ticket.

e-Ra
OpenVpn Newbie
Posts: 9
Joined: Mon Oct 23, 2017 9:33 pm

Re: Route all traffic through VPN

Post by e-Ra » Sat Jan 19, 2019 12:41 pm

Okay, thank you.
I am wondering why this configuration seems so unusual.

e-Ra
OpenVpn Newbie
Posts: 9
Joined: Mon Oct 23, 2017 9:33 pm

Re: Route all traffic through VPN

Post by e-Ra » Mon Jan 21, 2019 11:39 am

I figured out that your advice
To do that you must enable the function to redirect all traffic through the VPN server, then use a command line override to disable pushing those routes to the users, and then manually add them in again on the client side.
is indeed correct when using the OpenVPN GUI software to connect to the VPN.
But the OpenVPN Connect software seems not to respect the override.

novaflash
I should be on the dev team.
Posts: 950
Joined: Fri Apr 13, 2012 8:43 pm

Re: Route all traffic through VPN

Post by novaflash » Mon Jan 21, 2019 11:44 am

I suppose that's possible, the OpenVPN Connect Client does tend to remove manual entries that could be considered "insecure" or contrary to what the server is configured for. In that case for your scenario you'll have to use the OpenVPN GUI program. Or configure a group with redirect-gw enabled and the other disabled, and create 2 user accounts, and switch between those.
