Route everything through VPN but maintain connectivity to client's LAN
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Dec 02, 2020 8:37 am
Route everything through VPN but maintain connectivity to client's LAN
I would like to route internet traffic and addresses in my OpenVPN server's LAN through the VPN, but allow traffic to the client's LAN to work normally.
I'm currently using "redirect-gateway" to get the functionality of the former, but that then breaks client LAN connectivity. I don't have control over the client's LAN, so I'd like to accomplish this in a general way: Route all RFC1918 addresses locally, except for ones I define as existing on the VPN side.
Is the best way to do this to get rid of the redirect-gateway and add routes for all addresses excluding the RFC1918 addresses, or is there a simpler way?
Thanks for any help.
- OpenVPN Super User
- Posts: 426
- Joined: Tue May 01, 2012 9:30 pm
Re: Route everything through VPN but maintain connectivity to client's LAN
You need to write out the full client config and the subnets you want to use first. Without writing anything down, nobody knows how you want it to work.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Dec 02, 2020 8:37 am
Re: Route everything through VPN but maintain connectivity to client's LAN
I'm not sure I understand your meaning but I'll try to be as specific as possible and include my config below. I want all traffic to go through the VPN, excluding RFC1918 addresses. But, I want RFC1918 addresses that exist on the VPN server side (in my case this is 10.123.1.0/24, 10.123.2.0/24) as well as other VPN clients (10.123.3.0/24) to go through the VPN. I believe I have this working already in the config below (though I haven't had a chance to test if RFC1918 addresses stay local), but it seems like there must be a more "elegant" way.
Code:
# Server config. Comments added for clarity; the option values are unchanged
# except where noted.
client-to-client
persist-key
persist-tun
tls-server
ca /etc/config/openvpn-config/pki/ca.crt
cert /etc/config/openvpn-config/pki/issued/server.crt
comp-lzo yes
dev tun
dh /etc/config/openvpn-config/pki/dh.pem
group nogroup
keepalive 10 120
key /etc/config/openvpn-config/pki/private/server.key
log /tmp/openvpn.log
mode server
mute 5
port 11940
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
# user/group are not pushable options: the client rejects them with an
# "option cannot be used in this context" options error. Privilege dropping
# belongs in the client's own config, so the original push "user nobody" and
# push "user nogroup" (a typo for group) lines are dropped here.
push "route-gateway dhcp"
push "topology subnet"
# No redirect-gateway. Instead every public prefix is pushed explicitly, i.e.
# 0.0.0.0/0 minus 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. 224.0.0.0/3
# (multicast/reserved) is not routed at all.
push "route 0.0.0.0 248.0.0.0"
push "route 8.0.0.0 254.0.0.0"
push "route 11.0.0.0 255.0.0.0"
push "route 12.0.0.0 252.0.0.0"
push "route 16.0.0.0 240.0.0.0"
push "route 32.0.0.0 224.0.0.0"
push "route 64.0.0.0 192.0.0.0"
push "route 128.0.0.0 224.0.0.0"
push "route 160.0.0.0 248.0.0.0"
push "route 168.0.0.0 252.0.0.0"
push "route 172.0.0.0 255.240.0.0"
push "route 172.32.0.0 255.224.0.0"
push "route 172.64.0.0 255.192.0.0"
push "route 172.128.0.0 255.128.0.0"
push "route 173.0.0.0 255.0.0.0"
push "route 174.0.0.0 254.0.0.0"
push "route 176.0.0.0 240.0.0.0"
push "route 192.0.0.0 255.128.0.0"
push "route 192.128.0.0 255.224.0.0"
push "route 192.160.0.0 255.248.0.0"
push "route 192.169.0.0 255.255.0.0"
push "route 192.170.0.0 255.254.0.0"
push "route 192.172.0.0 255.252.0.0"
push "route 192.176.0.0 255.240.0.0"
push "route 192.192.0.0 255.192.0.0"
push "route 193.0.0.0 255.0.0.0"
push "route 194.0.0.0 254.0.0.0"
push "route 196.0.0.0 252.0.0.0"
push "route 200.0.0.0 248.0.0.0"
push "route 208.0.0.0 240.0.0.0"
# The three RFC1918 subnets that do live on the VPN side: two server LANs and
# the OpenVPN subnet itself.
push "route 10.123.3.0 255.255.255.0"
push "route 10.123.2.0 255.255.255.0"
push "route 10.123.1.0 255.255.255.0"
push "dhcp-option DNS 10.123.3.1"
route-gateway dhcp
server 10.123.3.0 255.255.255.0
status /var/log/openvpn_status.log
topology subnet
user nobody
verb 3
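The long push list above is nothing more than the complement of the three RFC1918 ranges, and the later list of 10.0.0.0/8 pieces that must stay local is the complement of the three VPN-side /24s inside 10.0.0.0/8. Both can be generated instead of hand-calculated. The following Python is an added example, not code from the original post; it uses only the standard-library ipaddress module and the prefixes named in the thread (10.123.1.0/24, 10.123.2.0/24, 10.123.3.0/24). The function names are mine.

```python
import ipaddress

# Constructed inputs, taken from the thread: RFC1918 stays on the client LAN,
# these three prefixes are the VPN-side exceptions.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPN_SIDE = [ipaddress.ip_network(n) for n in
            ("10.123.1.0/24", "10.123.2.0/24", "10.123.3.0/24")]


def exclude_many(networks, holes):
    """Subtract every prefix in `holes` from the prefixes in `networks`.

    Returns the remaining address space as a sorted list of the largest
    possible CIDR blocks (the same shape as the push list in the thread).
    """
    remaining = list(networks)
    for hole in holes:
        next_remaining = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                        # fully swallowed by the hole
            if hole.subnet_of(net):
                next_remaining.extend(net.address_exclude(hole))
            else:
                next_remaining.append(net)      # disjoint, keep as-is
        remaining = next_remaining
    return list(ipaddress.collapse_addresses(remaining))


def public_routes(holes=RFC1918):
    """Everything in 0.0.0.0/0 except `holes`: the 'route all but RFC1918' set."""
    return exclude_many([ipaddress.ip_network("0.0.0.0/0")], holes)


def local_routes(vpn_side=VPN_SIDE, universe="10.0.0.0/8"):
    """The part of `universe` that must stay on the client LAN."""
    return exclude_many([ipaddress.ip_network(universe)], vpn_side)


def push_lines(networks, gateway=None):
    """Render prefixes as server-side push "route ..." directives."""
    suffix = f" {gateway}" if gateway else ""
    return [f'push "route {n.network_address} {n.netmask}{suffix}"'
            for n in networks]


def server_push_block():
    """Full push set equivalent to the thread's server config."""
    return push_lines(public_routes()) + push_lines(VPN_SIDE, "vpn_gateway")


if __name__ == "__main__":
    print("\n".join(server_push_block()))
    print("# stays on the client LAN:")
    for n in local_routes():
        print(n)
```

Running it reproduces the 30 public push "route" lines from the config above plus 224.0.0.0/3 (which the hand-written list leaves out), followed by the three VPN-side /24s; `local_routes()` reproduces the 15-prefix 10.0.0.0/8 breakdown from the later post. Regenerating the list this way is also the safest way to change it: adding a fourth VPN-side subnet by hand means re-splitting the surrounding blocks, which is where a typo silently leaks traffic to the wrong side.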
- OpenVPN Super User
- Posts: 426
- Joined: Tue May 01, 2012 9:30 pm
Re: Route everything through VPN but maintain connectivity to client's LAN
So which local LAN addresses do you want to connect to as normal? The way you write does not give the full info. Only you understand what your network is.
What about the log and the full client config? How many subnets on the client side need to work normally?
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Dec 02, 2020 8:37 am
Re: Route everything through VPN but maintain connectivity to client's LAN
I feel I have given all the info I have. As I've already said, I want all RFC1918 addresses to "work normal", excluding the 3 subnets in the previous post.
I'm unsure what log you want. I'm not having any problems currently, everything works as expected. I simply don't actually know what options to use to get the behavior I want.
I want:
(Edited this list as I was confusing myself writing it this way, hopefully all correct)
Code:
10.0.0.0/10
10.64.0.0/11
10.96.0.0/12
10.112.0.0/13
10.120.0.0/15
10.122.0.0/16
10.123.0.0/24
10.123.4.0/22
10.123.8.0/21
10.123.16.0/20
10.123.32.0/19
10.123.64.0/18
10.123.128.0/17
10.124.0.0/14
10.128.0.0/9
172.16.0.0/12
192.168.0.0/16
to "work normal". Everything else through the VPN. But I've already given this info, and I don't know any more info to add to it.
I don't understand how it's relevant, but here is a client config:
Code:
#specify TUN vs. TAP
dev tun
#specify protocol to use (default is UDP)
proto udp
###############################################################################
# The certificate file of the destination home VPN Server.
#
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not a self-signed, you have to
# specify the signer's root certificate (CA) here.
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
###############################################################################
# The client certificate file (client1.crt).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
# client1.key
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
#client settings
client
remote-cert-tls server
remote xxx 11940
- OpenVPN Super User
- Posts: 426
- Joined: Tue May 01, 2012 9:30 pm
Re: Route everything through VPN but maintain connectivity to client's LAN
The way you ask the question is not clear, and you don't give the exact nature of which subnets on the client you want to use. If all of the RFC1918 addresses are used on the server but there are three subnets on the client you want to use, which ones?
10.123.3.0 is a virtual IP from the OpenVPN network; it is not a real network IP. Do you want to use the real network subnet on the client, or the virtual OpenVPN client network?
Look back at your question. Nobody understands which subnet from the local LAN you want to use, and you said it is all virtual IPs from OpenVPN.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Dec 02, 2020 8:37 am
Re: Route everything through VPN but maintain connectivity to client's LAN
I'm having trouble understanding this, but if I'm reading this correctly, no, that's exactly the opposite of what I have said. Maybe we are interpreting "work normal" in opposite ways. The way I used it, "work normal" means NOT to go through the VPN. Maybe I am just wording things wrong, but it seems like you are interpreting things the opposite way from what I intend, which then makes the question not make sense.
There are 2 subnets on the server (plus the OpenVPN subnet) that I want to go through the VPN. All other RFC1918 addresses (ie. the addresses in my previous post code block) I want to stay local to the client. Everything else I want to go through the VPN (ie. all internet traffic).
The addresses in the code block in my previous post are what I want to use locally. These are not virtual IP from OpenVPN so I don't know what you mean.
I believe I already have a working configuration (though like I said I haven't had a chance to test it), but it just seems like there must be a "cleaner" way to do it. For example, is there an "unroute" that would do the opposite of "route"?
- OpenVPN Super User
- Posts: 426
- Joined: Tue May 01, 2012 9:30 pm
Re: Route everything through VPN but maintain connectivity to client's LAN
There are two situations here. Let me help you out, but you need to do the subnet mask calculation yourself.
Do you want to do this from the server, so you can control which subnets each client uses and which it does not, or do you want to do it from the client config? Doing it from the server is faster and applies to every client.
The basics, if you do it from the server, are:
push "route 42.118.90.0 255.255.255.0 vpn_gateway" - this means that the route 42.118.90.0 will go over the VPN connection, and
push "route 42.118.90.0 255.255.255.0 net_gateway" - this means that the route 42.118.90.0 will use the local LAN connection.
From the client config, add this:
route 42.118.90.0 255.255.255.0 vpn_gateway - will go over the VPN connection
route 42.118.90.0 255.255.255.0 net_gateway - will use the local LAN connection
A normal subnet is /24, so the mask is 255.255.255.0, but your subnet masks are different, so you need to calculate them correctly or it will not work as you like.
That is why I asked which subnets you want to exclude. It is quite simple to do in your config: just add what you need to go over the VPN or locally, depending on vpn_gateway and net_gateway. That is all you need.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Dec 02, 2020 8:37 am
Re: Route everything through VPN but maintain connectivity to client's LAN
That's exactly what I needed, thanks!
Does this still follow routing rules of the more specific rule taking precedence? In other words, can I do the following (I realize I could write it differently, but this way seems much cleaner and easier to understand)?
Code:
route 10.0.0.0 255.0.0.0 net_gateway
route 10.123.1.0 255.255.255.0 vpn_gateway
route 10.123.2.0 255.255.255.0 vpn_gateway
route 10.123.3.0 255.255.255.0 vpn_gateway
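Whether the short form works comes down to the kernel's longest-prefix match: OpenVPN only installs these `route` lines into the OS routing table, and the OS picks the most specific matching prefix for each packet regardless of the order the lines appear in. The following Python is an added example, not code from the original post, that models that lookup for the short route set above. It assumes `redirect-gateway def1` is in use as well (which installs 0.0.0.0/1 and 128.0.0.0/1 via the VPN and leaves the LAN's own default route in place); the thread's server config uses the explicit push list instead, so that combination and the client LAN 192.168.50.0/24 are my assumptions.

```python
import ipaddress

# Constructed client-side route set: the def1 halves, the RFC1918 ranges kept
# local, and the three VPN-side /24s. A `route` line with no gateway argument
# uses the VPN gateway (OpenVPN's default route-gateway), as in the last line.
ROUTE_LINES = """\
route 0.0.0.0 128.0.0.0 vpn_gateway
route 128.0.0.0 128.0.0.0 vpn_gateway
route 10.0.0.0 255.0.0.0 net_gateway
route 172.16.0.0 255.240.0.0 net_gateway
route 192.168.0.0 255.255.0.0 net_gateway
route 10.123.1.0 255.255.255.0 vpn_gateway
route 10.123.2.0 255.255.255.0 vpn_gateway
route 10.123.3.0 255.255.255.0
"""

# Hypothetical client LAN used for the check (not from the thread).
CLIENT_LAN = ipaddress.ip_network("192.168.50.0/24")


def parse_routes(text, client_lan=CLIENT_LAN):
    """Build a (prefix, next-hop) table as the client kernel would hold it.

    The table starts with what exists before OpenVPN runs: the directly
    connected LAN and the LAN default route. Each `route` line adds one entry.
    """
    table = [
        (client_lan, "direct"),
        (ipaddress.ip_network("0.0.0.0/0"), "net_gateway"),
    ]
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "route":
            continue
        # ipaddress accepts the dotted netmask form OpenVPN uses.
        prefix = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        next_hop = parts[3] if len(parts) > 3 else "vpn_gateway"
        table.append((prefix, next_hop))
    return table


def lookup(table, dest):
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [entry for entry in table if addr in entry[0]]
    _prefix, next_hop = max(candidates, key=lambda e: e[0].prefixlen)
    return next_hop


def classify(text, dests, client_lan=CLIENT_LAN):
    """Map each destination to the next hop the table sends it to."""
    table = parse_routes(text, client_lan)
    return {d: lookup(table, d) for d in dests}


if __name__ == "__main__":
    samples = ["8.8.8.8", "10.0.0.7", "10.123.1.5", "10.123.4.1",
               "192.168.50.10", "172.31.0.9"]
    for dest, hop in classify(ROUTE_LINES, samples).items():
        print(f"{dest:>15} -> {hop}")
```

With this table 10.123.1.5 goes to the VPN (the /24 beats the /8), 10.123.4.1 and 172.31.0.9 stay on the LAN (the /8 and /12 beat the /1 halves), 8.8.8.8 goes to the VPN, and the client's own subnet is reached directly whatever the route lines say. Two caveats a practitioner would want: `net_gateway` means "the default gateway OpenVPN found before connecting", so a `10.0.0.0/8 net_gateway` route only helps if the client LAN's router actually reaches those addresses; and if OpenVPN cannot determine that pre-existing gateway, the `net_gateway` routes are not installed and the traffic falls to the VPN halves, so check the client log's route output after connecting rather than assuming.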