Push route or route doesn't work when multiple routing options

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Shwele
OpenVpn Newbie
Posts: 1
Joined: Tue Mar 30, 2021 8:47 am

Push route or route doesn't work when multiple routing options

Post by Shwele » Fri May 07, 2021 12:35 pm

Greetings

I've successfully set up OpenVPN to route all traffic over it, but some colleagues are complaining that proper routing needs to be set up.
I've set up OpenVPN via the official HOWTO:
https://openvpn.net/community-resources/how-to/

And I've set up basic routing via this example to serve all internet access via the VPN:
https://arashmilani.com/post?id=53

I would like to set up internet usage over eth0 from my internet provider and use tun0 only for certain IP addresses. How can one accomplish that?

I tried adding route-nopull to the client config, but it seems not to work when there is more than one route.

There are a total of 12 different possible routes to over 20 servers that I've tried to incorporate.
I've censored IPs with x and y in client.conf. Below are server.conf and client.conf.

Server Config

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1


Client Config

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
route-nopull
route xxx.xxx.xxx.0 255.255.255.0
route yyy.yyy.yyy.0 255.255.255.0 ;(when turned on, the first IP doesn't work and neither does this one; it just uses the default IP from eth0)
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
...
...
...


TL;DR: I just want to route all server access via the VPN and all non-server access via my own internet connection, so people in my company can use it.

Thanks in advance to all who help

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Push route or route doesn't work when multiple routing options

Post by TinCanTech » Fri May 07, 2021 2:11 pm

Shwele wrote:
Fri May 07, 2021 12:35 pm
There are a total of 12 different possible routes to over 20 servers that I've tried to incorporate.
Does not equal
Shwele wrote:
Fri May 07, 2021 12:35 pm
TL;DR: I just want to route all server access via the VPN and all non-server access via my own internet connection, so people in my company can use it.
What you want is complicated and cannot be done in a simple server setup.

You need --client-config-dir so that each of your clients can be setup the way you want.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Push route or route doesn't work when multiple routing options

Post by 300000 » Fri May 07, 2021 10:52 pm

If there are many people using OpenVPN and you want something very complicated, you need to make it work with individual client configs and push routes as you like. Here is an example of how to do it; you can create as many clients as you like.

First, each client has its own certificate. The name of the certificate will be scanned by the OpenVPN server, so the server will know which client to send which route to.

Just create a folder named clients and add this line to the OpenVPN server config.

On Linux use
client-config-dir /etc/openvpn/clients

On Windows use this
client-config-dir C:\\Program Files\\OpenVPN\\clients

Let's say you have one client for which you created a certificate named client1, and you have two subnets, 192.168.20.0 and 192.168.30.0. You want client1 to use the full subnet 192.168.20.0 and the internet, meaning it all goes over the VPN; or you want client1 to use 192.168.30.0 only, and everything else uses the client's own internet gateway so it doesn't use a lot of bandwidth on your OpenVPN server.

Create a file named client1 without an extension. Remember, the name of the file must be the same as the name of the certificate or it is not going to work for you. Open that file and add the following.

This pushes to the client all internet and subnet use:

push "route 192.168.20.0 255.255.255.0 vpn_gateway "

This is for subnet 192.168.30.0 only; all internet goes via the client's gateway:

push "route 192.168.30.0 255.255.255.0 "

If you want to stop a user from using your OpenVPN server to bypass restrictions on 87.23.78.0, this push will use the client's gateway and cannot go through your OpenVPN server:

push "route 87.23.78.0 255.255.255.252 net_gateway "


This one lets the client use your OpenVPN server as the gateway, so he can connect securely to:

push "route 76.67.45.2 255.255.255.252 vpn_gateway "

That is all you need. When client1 connects to the server, the server will send the push "route 192.168.20.0 255.255.255.0 vpn_gateway" route to the client.

Many situations can be made to work as you like, if you apply it correctly.
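A worked version of the per-client setup described in this thread (TinCanTech's client-config-dir pointer and 300000's CCD file), as an added example that is not code from the thread or from the OpenVPN project: a POSIX shell script that builds one CCD file per client from prefix-length notation, pushing each server prefix via vpn_gateway and, for an entry prefixed with `!`, pinning it to the client's own ISP gateway with net_gateway. The CCD directory /etc/openvpn/clients, the client name client1 and the addresses are taken from the posts above; the `!` convention, the function names and the scratch output directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenVPN project: generate
# OpenVPN client-config-dir (CCD) files that push split-tunnel routes.
# Assumptions: server.conf carries `client-config-dir /etc/openvpn/clients`
# (as in the thread), each CCD file is named after the client certificate's
# Common Name, and the client does NOT use route-nopull (which discards every
# pushed route). The '!' prefix convention below is this example's own.

# valid_ipv4 A.B.C.D -> succeeds when there are exactly four octets in 0..255
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# prefix_to_mask 24 -> 255.255.255.0 (OpenVPN's route directive wants a dotted mask)
prefix_to_mask() {
    p=$1
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -le 32 ] || return 1
    bits=$(( 4294967295 << (32 - p) & 4294967295 ))
    printf '%d.%d.%d.%d\n' $(( bits >> 24 & 255 )) $(( bits >> 16 & 255 )) \
        $(( bits >> 8 & 255 )) $(( bits & 255 ))
}

# ccd_render <client> <spec>... -> CCD file body on stdout
# spec is A.B.C.D[/prefix] (no prefix means a single host). A leading '!'
# pins the prefix to the client's own ISP gateway (net_gateway) instead of
# sending it through the tunnel (vpn_gateway).
ccd_render() {
    client=$1; shift
    printf '# CCD entry for %s (generated; one pushed route per line)\n' "$client"
    for spec in "$@"; do
        gw=vpn_gateway
        case $spec in '!'*) gw=net_gateway; spec=${spec#!} ;; esac
        case $spec in
            */*) net=${spec%/*}; prefix=${spec#*/} ;;
            *)   net=$spec; prefix=32 ;;
        esac
        valid_ipv4 "$net" || { echo "ccd_render: bad address in $spec" >&2; return 1; }
        mask=$(prefix_to_mask "$prefix") || { echo "ccd_render: bad prefix in $spec" >&2; return 1; }
        printf 'push "route %s %s %s"\n' "$net" "$mask" "$gw"
    done
}

# ccd_write <dir> <client> <spec>... -> writes <dir>/<client> atomically, mode
# 0644 so the server can still read it after dropping to an unprivileged user.
# Client names with a '/' or a leading '.' are refused so a certificate name
# can never steer the write outside the CCD directory.
ccd_write() {
    dir=$1; client=$2; shift 2
    case $client in ''|*/*|.*) echo "ccd_write: refusing client name '$client'" >&2; return 1 ;; esac
    mkdir -p "$dir" || return 1
    ccd_render "$client" "$@" > "$dir/$client.tmp" || { rm -f "$dir/$client.tmp"; return 1; }
    chmod 0644 "$dir/$client.tmp" && mv "$dir/$client.tmp" "$dir/$client"
}

# Demo with addresses borrowed from the thread, written to a scratch directory
# rather than the live CCD path.
demo_dir=$(mktemp -d)
ccd_write "$demo_dir" client1 192.168.20.0/24 76.67.45.2 '!87.23.78.0/30'
cat "$demo_dir/client1"
rm -rf "$demo_dir"
```

Two things the posts rely on but do not spell out: the client config from the first post carries route-nopull, which makes the client discard every pushed route, the CCD ones included, so that line has to go before any server-side push can take effect; and the server.conf from the first post still pushes `redirect-gateway def1` to everyone, which sends each client's default route through the tunnel, so for the split-tunnel case that global push comes out and only the per-client CCD routes remain. On the server side, `ccd-exclusive` makes OpenVPN refuse clients that have no CCD file at all, which turns the per-client files into an allow list rather than an optional extra.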
