Hello,
Looking to have the routes controlled via the OpenVPN server and pushed to clients.
I'd like to have VPN clients connecting more as part of firewall restrictions, i.e. having my services locked down to only be accessible via my OpenVPN server IP.
How would I configure the OpenVPN server.conf if I essentially only want clients to go via the VPN for several specific IP ranges? Everything else should utilise their normal internet connectivity and not the VPN...
Pushing Routes from the Server question
-
- OpenVpn Newbie
- Posts: 4
- Joined: Wed Aug 15, 2018 4:04 am
Re: Pushing Routes from the Server question
Maybe I should clarify....
If I would like users of my VPN to be able to access, say, several single public IP ranges like x.x.x.x/32 through the VPN IP, but have it not be used for any other locations they access, i.e. for my ranges they show the VPN IP and if they are off to elsewhere on the internet, they access using their own ISP.... is this possible server side??
I know you can push private routes from the server but I'm wondering about this example above.
I believe I'm currently achieving this by specifying the following in the client side .ovpn profile:
route-nopull
route x.x.x.x 255.255.255.0
route x.x.x.y 255.255.255.0
route x.x.x.z 255.255.255.0
It's my understanding this is allowing traffic to only route via the VPN for those particular IPs... is this the case? And now, is this something I can push from the server itself, to stop employees potentially changing their profile and to route everything via the VPN?
Also, is it possible to do with IP ranges, e.g. a /28, rather than singular IPs?
I've tried adding those lines to the server.conf and nothing works.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Pushing Routes from the Server question
You can push any valid routes from the server and the client can pull them.
However, OpenVPN Community Edition has no mechanism to lock the user profile.
So a smart user could override your server settings and use their own.
You probably need a professional product like OpenVPN Access Server.
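A split-tunnel configuration matching the reply above that the server can push any valid routes, as an added example that is not part of the original thread. The addresses are documentation placeholders, the 10.8.0.0/24 tunnel pool is an assumption, and the server is assumed to already forward and NAT tunnel traffic so that the destinations see the server's IP.

```conf
# ===== server.conf (added example; addresses are RFC 5737 placeholders) =====

# Assumed tunnel pool; keep whatever pool your server.conf already defines.
server 10.8.0.0 255.255.255.0

# A bare "route ..." line here only changes the server's own routing table.
# To install a route on the clients it has to be wrapped in push "...".
# Routes are written as "network netmask":
#   /28 -> 255.255.255.240      /32 (single host) -> 255.255.255.255
push "route 203.0.113.16 255.255.255.240"
push "route 198.51.100.7 255.255.255.255"

# Leave this out (shown commented). Pushing redirect-gateway would send all
# client traffic through the tunnel instead of only the routes above.
;push "redirect-gateway def1"


# ===== client.ovpn (added example) =====

# "client" implies "pull", so the pushed routes above are accepted.
client

# route-nopull makes the client ignore routes pushed by the server, so it
# must not be present once the routes are managed server side. The local
# "route x.x.x.x ..." lines from the profile are then no longer needed.
;route-nopull
```

As the reply notes, the client profile can still be edited by the user, so pushed routes are a convenience for well-behaved clients and not an enforcement control.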
-
- OpenVpn Newbie
- Posts: 4
- Joined: Wed Aug 15, 2018 4:04 am
Re: Pushing Routes from the Server question
Ah OK, that makes sense.. taking that out of the equation though, what should I configure in the server.conf if I only want clients to route via the VPN for a single IP, everything else should use their own local connection..
e.g. browsing to x.x.x.x goes via the VPN IP, but browsing to google.com goes via the client's own IP for example... I can't seem to get this working.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Pushing Routes from the Server question
These are mutually exclusive ..