Pushing Routes from the Server question

autonomy
OpenVpn Newbie
Posts: 4
Joined: Wed Aug 15, 2018 4:04 am

Pushing Routes from the Server question

Post by autonomy » Wed Aug 15, 2018 4:09 am

Hello,

Looking to have the routes controlled via the OpenVPN server and pushed to clients.

I'd like to have VPN clients connecting more as part of firewall restrictions, i.e. having my services locked down to only be accessible via my OpenVPN server IP.

How would I configure the OpenVPN server.conf if I essentially only want clients to go via the VPN for several specific IP ranges? Everything else should utilise their normal internet connectivity and not the VPN...

autonomy
OpenVpn Newbie
Posts: 4
Joined: Wed Aug 15, 2018 4:04 am

Re: Pushing Routes from the Server question

Post by autonomy » Thu Aug 16, 2018 4:53 am

Maybe I should clarify...

If I would like users of my VPN to be able to access say several single public IP ranges like x.x.x.x/32 through the VPN IP, but have it not be used for any other locations they access, i.e. for my ranges they show the VPN IP and if they are off to elsewhere on the internet, they access using their own ISP... is this possible server side?

I know you can push private routes from the server but I'm wondering about this example above.

I believe I'm currently achieving this by specifying the following in the client side .ovpn profile:

route-nopull
route x.x.x.x 255.255.255.0
route x.x.x.y 255.255.255.0
route x.x.x.z 255.255.255.0

It's my understanding this is allowing traffic to only route via the VPN for those particular IPs... Is this the case? And now, is this something I can push from the server itself, to stop employees potentially changing their profile and to route everything via the VPN?

Also, is it possible to do with IP ranges, e.g. a /28, rather than singular IPs?

I've tried adding those lines to the server.conf and nothing works.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Pushing Routes from the Server question

Post by TinCanTech » Thu Aug 16, 2018 10:42 am

You can push any valid routes from the server and the client can pull them.
However, OpenVPN Community Edition has no mechanism to lock the user profile.
So a smart user could override your server settings and use their own.

You probably need a professional product like OpenVPN Access Server.

autonomy
OpenVpn Newbie
Posts: 4
Joined: Wed Aug 15, 2018 4:04 am

Re: Pushing Routes from the Server question

Post by autonomy » Mon Aug 20, 2018 12:21 am

Ah OK, that makes sense. Taking that out of the equation though, what should I configure in the server.conf if I only want clients to route via the VPN for a single IP? Everything else should use their own local connection.

E.g. browsing to x.x.x.x goes via the VPN IP, but browsing to google.com goes via the client's own IP, for example... I can't seem to get this working.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Pushing Routes from the Server question

Post by TinCanTech » Mon Aug 20, 2018 12:33 am

autonomy wrote:
Wed Aug 15, 2018 4:09 am
Looking to have the routes controlled via the OpenVPN server and pushed to clients
autonomy wrote:
Thu Aug 16, 2018 4:53 am
I believe I'm currently achieving this by specifying the following in the client side .ovpn profile:

route-nopull
route x.x.x.x 255.255.255.0
route x.x.x.y 255.255.255.0
route x.x.x.z 255.255.255.0

It's my understanding
These are mutually exclusive .. :ugeek:
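
Added example, not part of the thread and not OpenVPN project code: a Python script that turns CIDR blocks (including a /28) into the `push "route ..."` lines for server.conf, and flags the client-profile directives, `route-nopull` among them, that stop pushed routes from being applied or change routing locally. The addresses, hostname and function names are constructed for illustration.

```python
import ipaddress

# Client-side directives that discard routes pushed by the server,
# or that add routing the server did not choose.
CLIENT_OVERRIDES = {
    "route-nopull": "ignores every route the server pushes",
    "pull-filter": "can ignore or reject pushed options by prefix",
    "route": "adds a locally defined route",
    "redirect-gateway": "sends all traffic through the tunnel",
}


def push_directives(cidrs):
    """Return server.conf lines that push one IPv4 route per CIDR block."""
    lines = []
    for cidr in cidrs:
        # strict=True rejects blocks with host bits set, e.g. 203.0.113.20/28
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4:
            raise ValueError(f"{cidr}: IPv6 uses route-ipv6, not handled here")
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def audit_client_profile(text):
    """Return (line_no, directive, reason) for each routing override found."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        # '#' and ';' both start a comment in OpenVPN config files
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        directive = line.split()[0].lstrip("-")
        if directive in CLIENT_OVERRIDES:
            findings.append((no, directive, CLIENT_OVERRIDES[directive]))
    return findings


# Constructed sample input (documentation address ranges from RFC 5737).
SAMPLE_CIDRS = ["203.0.113.16/28", "198.51.100.7/32"]
SAMPLE_PROFILE = """client
remote vpn.example.com 1194
route-nopull
route 203.0.113.16 255.255.255.240
"""

if __name__ == "__main__":
    print("\n".join(push_directives(SAMPLE_CIDRS)))
    for no, directive, reason in audit_client_profile(SAMPLE_PROFILE):
        print(f"profile line {no}: {directive} {reason}")
```

For a split tunnel the server pushes only these routes and no `redirect-gateway`, and the client profile must not contain `route-nopull`, otherwise the pushed routes are never installed.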
