Route everything through VPN but maintain connectivity to client's LAN

articulatedrowning
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 02, 2020 8:37 am

Route everything through VPN but maintain connectivity to client's LAN

Post by articulatedrowning » Wed Dec 02, 2020 8:39 am

I would like to route internet traffic and addresses in my OpenVPN server's LAN through the VPN, but allow traffic to the client's LAN to work normally.

I'm currently using "redirect-gateway" to get the functionality of the former, but that then breaks client LAN connectivity. I don't have control over the client's LAN, so I'd like to accomplish this in a general way: Route all RFC1918 addresses locally, except for ones I define as existing on the VPN side.

Is the best way to do this to get rid of the redirect-gateway and add routes for all addresses excluding the RFC1918 addresses, or is there a simpler way?

Thanks for any help.

300000
OpenVPN Super User
Posts: 426
Joined: Tue May 01, 2012 9:30 pm

Re: Route everything through VPN but maintain connectivity to client's LAN

Post by 300000 » Wed Dec 02, 2020 4:09 pm

You need to write out the full config on the client and the subnets that you want to use first; without writing anything, nobody knows how you want it to work.

articulatedrowning
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 02, 2020 8:37 am

Re: Route everything through VPN but maintain connectivity to client's LAN

Post by articulatedrowning » Thu Dec 03, 2020 4:15 am

I'm not sure I understand your meaning but I'll try to be as specific as possible and include my config below. I want all traffic to go through the VPN, excluding RFC1918 addresses. But, I want RFC1918 addresses that exist on the VPN server side (in my case this is 10.123.1.0/24, 10.123.2.0/24) as well as other VPN clients (10.123.3.0/24) to go through the VPN. I believe I have this working already in the config below (though I haven't had a chance to test if RFC1918 addresses stay local), but it seems like there must be a more "elegant" way.


client-to-client
persist-key
persist-tun
tls-server
ca /etc/config/openvpn-config/pki/ca.crt
cert /etc/config/openvpn-config/pki/issued/server.crt
comp-lzo yes
dev tun
dh /etc/config/openvpn-config/pki/dh.pem
group nogroup
keepalive 10 120
key /etc/config/openvpn-config/pki/private/server.key
log /tmp/openvpn.log
mode server
mute 5
port 11940
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
push "user nobody"
push "user nogroup"
push "route-gateway dhcp"
push "topology subnet"
push "route 0.0.0.0 248.0.0.0"
push "route 8.0.0.0 254.0.0.0"
push "route 11.0.0.0 255.0.0.0"
push "route 12.0.0.0 252.0.0.0"
push "route 16.0.0.0 240.0.0.0"
push "route 32.0.0.0 224.0.0.0"
push "route 64.0.0.0 192.0.0.0"
push "route 128.0.0.0 224.0.0.0"
push "route 160.0.0.0 248.0.0.0"
push "route 168.0.0.0 252.0.0.0"
push "route 172.0.0.0 255.240.0.0"
push "route 172.32.0.0 255.224.0.0"
push "route 172.64.0.0 255.192.0.0"
push "route 172.128.0.0 255.128.0.0"
push "route 173.0.0.0 255.0.0.0"
push "route 174.0.0.0 254.0.0.0"
push "route 176.0.0.0 240.0.0.0"
push "route 192.0.0.0 255.128.0.0"
push "route 192.128.0.0 255.224.0.0"
push "route 192.160.0.0 255.248.0.0"
push "route 192.169.0.0 255.255.0.0"
push "route 192.170.0.0 255.254.0.0"
push "route 192.172.0.0 255.252.0.0"
push "route 192.176.0.0 255.240.0.0"
push "route 192.192.0.0 255.192.0.0"
push "route 193.0.0.0 255.0.0.0"
push "route 194.0.0.0 254.0.0.0"
push "route 196.0.0.0 252.0.0.0"
push "route 200.0.0.0 248.0.0.0"
push "route 208.0.0.0 240.0.0.0"
push "route 10.123.3.0 255.255.255.0"
push "route 10.123.2.0 255.255.255.0"
push "route 10.123.1.0 255.255.255.0"
push "dhcp-option DNS 10.123.3.1"
route-gateway dhcp
server 10.123.3.0 255.255.255.0
status /var/log/openvpn_status.log
topology subnet
user nobody
verb 3

300000
OpenVPN Super User
Posts: 426
Joined: Tue May 01, 2012 9:30 pm

Re: Route everything through VPN but maintain connectivity to client's LAN

Post by 300000 » Thu Dec 03, 2020 8:08 am

So which local LAN addresses do you want to connect to as normal? The way you wrote it does not give the full info. Only you understand what your network is.

What about the log and the full client config? How many subnets are on the client side that need to work normally?

articulatedrowning
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 02, 2020 8:37 am

Re: Route everything through VPN but maintain connectivity to client's LAN

Post by articulatedrowning » Thu Dec 03, 2020 10:29 am

I feel I have given all the info I have. As I've already said, I want all RFC1918 addresses to "work normal", excluding the 3 subnets in the previous post.

I want:


10.0.0.0/10
10.64.0.0/11
10.96.0.0/12
10.112.0.0/13
10.120.0.0/15
10.122.0.0/16
10.123.0.0/24
10.123.4.0/22
10.123.8.0/21
10.123.16.0/20
10.123.32.0/19
10.123.64.0/18
10.123.128.0/17
10.124.0.0/14
10.128.0.0/9
172.16.0.0/12
192.168.0.0/16

(Edited this list as I was confusing myself writing it this way, hopefully all correct)

to "work normal". Everything else through the VPN. But I've already given this info, and I don't know any more info to add to it.

I don't understand how it's relevant, but here is a client config:


# specify TUN vs. TAP
dev tun
# specify protocol to use (default is UDP)
proto udp
###############################################################################
# The certificate file of the destination home VPN Server.
#
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not a self-signed, you have to
# specify the signer's root certificate (CA) here.
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

</ca>

###############################################################################
# The client certificate file (client1.crt).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.

<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

</cert>

# client1.key

<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----

</key>

# client settings
client
remote-cert-tls server
remote xxx 11940

I'm unsure what log you want. I'm not having any problems currently, everything works as expected. I simply don't actually know what options to use to get the behavior I want.

300000
OpenVPN Super User
Posts: 426
Joined: Tue May 01, 2012 9:30 pm

Re: Route everything through VPN but maintain connectivity to client's LAN

Post by 300000 » Thu Dec 03, 2020 10:56 am

The way you wrote the question is not clear, and you don't give the exact nature of which subnet on the client you want to use. If all of the RFC1918 addresses are used on the server but three subnets on the client, which one do you want to use?

10.123.3.0 is a virtual IP from the OpenVPN network; it is not a real network IP. Do you want to use the real network subnet on the client, or do you want to use the virtual OpenVPN client network?

Look back at your question. Nobody understands which subnet from the local LAN you want to use, and you said it is all virtual IPs from OpenVPN.

articulatedrowning
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 02, 2020 8:37 am

Re: Route everything through VPN but maintain connectivity to client's LAN

Post by articulatedrowning » Thu Dec 03, 2020 11:09 am

300000 wrote (Thu Dec 03, 2020 10:56 am):
If all of the RFC1918 addresses are used on the server but three subnets on the client, which one do you want to use?

I'm having trouble understanding this, but if I'm reading this correctly, no, that's exactly the opposite of what I have said. Maybe we are interpreting "work normal" in opposite ways. The way I used it, "work normal" means NOT to go through the VPN. Maybe I am just wording things wrong, but it seems like you are interpreting things the opposite way that I intend, which then makes the question not make sense.

There are 2 subnets on the server (plus the OpenVPN subnet) that I want to go through the VPN. All other RFC1918 addresses (ie. the addresses in my previous post code block) I want to stay local to the client. Everything else I want to go through the VPN (ie. all internet traffic).
300000 wrote (Thu Dec 03, 2020 10:56 am):
Look back at your question. Nobody understands which subnet from the local LAN you want to use, and you said it is all virtual IPs from OpenVPN.

The addresses in the code block in my previous post are what I want to use locally. These are not virtual IPs from OpenVPN, so I don't know what you mean.

I believe I already have a working configuration (though like I said I haven't had a chance to test it), but it just seems like there must be a "cleaner" way to do it. For example, is there an "unroute" that would do the opposite of "route"?

300000
OpenVPN Super User
Posts: 426
Joined: Tue May 01, 2012 9:30 pm

Re: Route everything through VPN but maintain connectivity to client's LAN

Post by 300000 » Thu Dec 03, 2020 11:27 am

There are two situations here; let me help you out, but you need to do the subnet mask calculation yourself.

Do you want to do this from the server, so you can control which subnets the client can access and which not, or do you want to do it from the client config? If you do it from the server it is faster and applies to every client.

The basics, if you want to do it from the server, are:

push "route 42.118.90.0 255.255.255.0 vpn_gateway" - this means that the route to 42.118.90.0 will go over the VPN connection, and
push "route 42.118.90.0 255.255.255.0 net_gateway" - this means that the route to 42.118.90.0 will use the local LAN connection.

From the client config, add this:

route 42.118.90.0 255.255.255.0 vpn_gateway - will go over the VPN connection
route 42.118.90.0 255.255.255.0 net_gateway - will use the local LAN connection


A normal subnet is /24, so the mask is 255.255.255.0, but your subnet masks are different, so you need to calculate them to put in the correct ones or it will not work as you like.

That is why I asked you which subnets you want to exclude. It is quite simple to do in your config: just add what you need to go over the VPN or locally, depending on vpn_gateway and net_gateway; that is all you need.

articulatedrowning
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 02, 2020 8:37 am

Re: Route everything through VPN but maintain connectivity to client's LAN

Post by articulatedrowning » Thu Dec 03, 2020 11:31 am

That's exactly what I needed, thanks!

Does this still follow routing rules of the more specific rule taking precedence? In other words, can I do:


route 10.0.0.0 255.0.0.0 net_gateway
route 10.123.1.0 255.255.255.0 vpn_gateway
route 10.123.2.0 255.255.255.0 vpn_gateway
route 10.123.3.0 255.255.255.0 vpn_gateway

I realize I could write it differently but this way seems much cleaner and easier to understand.
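As an added example, not part of the thread, the two pieces the posts above leave to the reader: the subnet mask calculation that 300000 says must be done by hand (carving the three server-side /24s out of RFC1918, which reproduces articulatedrowning's 17-entry list), and the longest-prefix precedence articulatedrowning asks about in the last post. It uses only Python's standard ipaddress module; the address ranges are the thread's own, and net_gateway / vpn_gateway are the OpenVPN route keywords from 300000's reply.

```python
import ipaddress

# Ranges taken from the thread: all of RFC1918 should stay on the client's LAN,
# except the two server-side LANs and the OpenVPN subnet, which go over the tunnel.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPN_SIDE = [ipaddress.ip_network(n) for n in ("10.123.1.0/24", "10.123.2.0/24", "10.123.3.0/24")]


def exclude_subnets(blocks, exclusions):
    """Split each block into the largest CIDRs that avoid every excluded subnet.

    This is the 'subnet mask calculation' from the thread, done by the library
    instead of by hand; for the ranges above it yields the 17-entry list.
    """
    pieces = list(blocks)
    for ex in exclusions:
        remaining = []
        for p in pieces:
            if ex.subnet_of(p):
                remaining.extend(p.address_exclude(ex))  # carve ex out of p
            elif not p.subnet_of(ex):
                remaining.append(p)  # untouched; a p inside ex is dropped entirely
        pieces = remaining
    return sorted(pieces)


def route_lines(local_nets, vpn_nets):
    """Render client-side 'route' directives: local ranges via net_gateway, server-side via vpn_gateway."""
    lines = [f"route {n.network_address} {n.netmask} net_gateway" for n in local_nets]
    lines += [f"route {n.network_address} {n.netmask} vpn_gateway" for n in vpn_nets]
    return lines


def pick_gateway(table, ip):
    """Longest-prefix match as the kernel routing table applies it: the most
    specific entry wins, so a /24 via vpn_gateway overrides a /8 via net_gateway.
    Returns 'default' when nothing matches (with redirect-gateway that is the tunnel)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, gw) for net, gw in table if addr in net]
    if not matches:
        return "default"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# The short four-line form from the last post, as a routing table.
SHORT_TABLE = [(ipaddress.ip_network("10.0.0.0/8"), "net_gateway")] + [(n, "vpn_gateway") for n in VPN_SIDE]

if __name__ == "__main__":
    for line in route_lines(exclude_subnets(RFC1918, VPN_SIDE), VPN_SIDE):
        print(line)
    for ip in ("10.123.1.7", "10.55.0.1", "192.168.1.10", "8.8.8.8"):
        print(ip, "->", pick_gateway(SHORT_TABLE, ip))
```

The generated net_gateway lines are the long form of the four-line config; pick_gateway confirms the short form gives the same answer for each address because the kernel prefers the more specific prefix.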
