OpenVPN split tunnel, can't seem to understand if it's not working because client or server issue

Posted: Sun Aug 25, 2019 1:19 pm
by dada216
Hi, I'm trying to configure an OpenVPN split tunnel.

One machine, the OpenVPN server, is a pfSense box (a VPS), so it's also a firewall.
The clients are Linux VPSs that have some services that need to be accessible only via VPN by multiple desktop clients on the internet.

Some services on the various VPS also need some ports to be accessible from the internet via the VPN server/Firewall IP.
Some services hosted on the VPS need to reach the internet on their own, without being tunneled through the VPN.
There are private DNS mappings pointing to the VPS private VPN address, and the DNS server is on the VPN itself.

Here are the relevant configuration files.

OPENVPN SERVER CONFIG

dev ovpns2
verb 5
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-GCM
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
learn-address "/usr/local/sbin/openvpn.learn-address.sh dada-cloud.vpn"
local PUBLIC IP OF THE OPENVPN SERVER
engine rdrand
tls-server
server 10.0.3.0 255.255.255.0
server-ipv6 fe80:1::/64
client-config-dir /var/etc/openvpn-csc/server2
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user HIDDEN= false server2 1195
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsense-openvpn-server-cert' 1"
lport 1195
management /var/etc/openvpn/server2.sock unix
max-clients 5
push "route 10.0.2.0 255.255.255.0"
push "route-ipv6 fe80::/64"
push "dhcp-option DOMAIN dada-cloud.vpn"
push "dhcp-option DNS 10.0.3.1"
push "register-dns"
push "dhcp-option NTP 10.0.3.1"
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2.tls-auth 0
ncp-ciphers AES-128-GCM:AES-128-CBC
persist-remote-ip
float
topology subnet
fast-io
sndbuf 2097152
rcvbuf 2097152

OPENVPN CLIENT CONFIG

dev tun
tun-ipv6
persist-tun
persist-key
cipher AES-128-GCM
ncp-ciphers AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote OPENVPN.SERVER.IP.ADDRESS 1195 udp
verify-x509-name "pfsense-openvpn-server-cert" name
auth-user-pass vpnlogin.conf
remote-cert-tls server

<ca>
-----BEGIN CERTIFICATE-----
HIDDEN
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
HIDDEN
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
HIDDEN
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
HIDDEN
-----END OpenVPN Static key V1-----
</tls-auth>
verb 5
fast-io
sndbuf 2097152
rcvbuf 2097152

OPENVPN CLIENT SHELLS

# ip route show
default via VPS.PUBLIC.GATEWAY.ADDRESS dev eth0
10.0.2.0/24 via 10.0.3.1 dev tun0
10.0.3.0/24 dev tun0 proto kernel scope link src 10.0.3.2
VPS.GATEWAY.ADDRESS/26 dev eth0 proto kernel scope link src VPS.PUBLIC.IP
169.254.0.0/16 dev eth0 scope link metric 1002

# cat /etc/resolv.conf
nameserver 10.0.3.1
nameserver 8.8.8.8
nameserver 8.8.4.4

I have manually edited resolv.conf, and nslookup does show my DNS server is being used for all queries, which is fine.

And this is what I really don't get:

ping www.google.com

works, but it reaches out from the public IP, not from the VPN IP, as expected.

ping -I tun0 www.google.com

doesn't work; it hangs.

ping 10.0.3.1

works instead.

I think the problem is on the client side of things (CentOS 7), because I have other OpenVPN servers running on the same box that do redirect all client traffic. On clients where the default route points to the VPN gateway, they do surf the net via the VPN and ping -I tun0 www.google.com works as expected. So I think the problem is on the client side of things: why isn't ping -I tun0 working if I don't redirect the default gateway?
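The behaviour in the question is what the kernel's destination-based route lookup produces, so here is an added example (not part of the post or of OpenVPN) that walks the client's routing table from the post with a plain longest-prefix-match resolver. The anonymised addresses in the post are replaced by constructed documentation-range values (203.0.113.0/24), and the Google address used below is likewise a constructed sample. Binding a socket to a device, which is what ping -I tun0 does, limits the lookup to routes that leave through that device; the example models that with an optional oif argument, and also models the two /1 routes that OpenVPN's redirect-gateway def1 option installs, which is the configuration the poster's other servers use.

```python
"""Longest-prefix-match walk over the OpenVPN client's routing table.

Added example, not code from the forum post. Addresses marked as
constructed stand in for the placeholders in the post.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str               # outgoing interface
    via: Optional[str]     # next hop; None for an on-link route


# The table printed by "ip route show" in the post. VPS.PUBLIC.GATEWAY.ADDRESS
# and VPS.GATEWAY.ADDRESS/26 are replaced with constructed TEST-NET-3 values.
CLIENT_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "203.0.113.1"),   # default via provider gateway
    Route(ipaddress.ip_network("10.0.2.0/24"), "tun0", "10.0.3.1"),    # pushed "route 10.0.2.0 255.255.255.0"
    Route(ipaddress.ip_network("10.0.3.0/24"), "tun0", None),          # tunnel subnet, on-link
    Route(ipaddress.ip_network("203.0.113.0/26"), "eth0", None),       # VPS LAN, on-link
    Route(ipaddress.ip_network("169.254.0.0/16"), "eth0", None),       # link-local
]

# Constructed sample address standing in for www.google.com.
GOOGLE_SAMPLE = "142.250.1.1"


def lookup(dst: str, routes: List[Route] = CLIENT_ROUTES,
           oif: Optional[str] = None) -> Optional[Route]:
    """Return the most specific route for dst, or None when nothing matches.

    oif emulates a socket bound to a device (ping -I <dev>): only routes that
    leave through that device are eligible, so a destination whose only route
    goes out eth0 has no route at all when the socket is bound to tun0.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes
                  if addr in r.prefix and (oif is None or r.dev == oif)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def with_redirect_gateway(routes: List[Route]) -> List[Route]:
    """Model OpenVPN's redirect-gateway def1: two /1 routes via the tunnel
    that beat the /0 default by prefix length without replacing it."""
    return routes + [
        Route(ipaddress.ip_network("0.0.0.0/1"), "tun0", "10.0.3.1"),
        Route(ipaddress.ip_network("128.0.0.0/1"), "tun0", "10.0.3.1"),
    ]


def describe(dst: str, routes: List[Route], oif: Optional[str] = None) -> str:
    r = lookup(dst, routes, oif)
    bound = f" bound to {oif}" if oif else ""
    if r is None:
        return f"{dst}{bound}: no route"
    hop = f"via {r.via} " if r.via else ""
    return f"{dst}{bound}: {hop}dev {r.dev} ({r.prefix})"


if __name__ == "__main__":
    # The three pings from the post, against the split-tunnel table...
    for dst, oif in [(GOOGLE_SAMPLE, None), (GOOGLE_SAMPLE, "tun0"), ("10.0.3.1", None)]:
        print(describe(dst, CLIENT_ROUTES, oif))
    # ...and against a table where the server pushed redirect-gateway def1.
    print(describe(GOOGLE_SAMPLE, with_redirect_gateway(CLIENT_ROUTES), "tun0"))
```

With the split-tunnel table, only 10.0.2.0/24 and 10.0.3.0/24 resolve to tun0, so a public address bound to tun0 finds no eligible route; with the two def1 routes added, the same lookup resolves to tun0 and the bound ping has a path, which matches what the poster sees on the full-tunnel servers. Getting selected traffic through the tunnel without redirecting the default route means giving that traffic a route (or a policy-routing rule) via tun0, not just binding to the interface.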