Route traffic to remote domain through VPN

[pjft]

Hi all. Apologies for the trouble, but I'm finding myself in a bit of a pickle and need your help.

I have an OpenVPN server up and running for the last few years, all working well for me to access my home's LAN by IP address when I'm remote.

Recently I found myself having to access it from within a location where outbound internet access is restricted to ports 80 and 443. I have routed my external port 443 to my internal 1194 port, so I can still connect to the VPN.

Now, the challenge is that I have services on my home server that use other ports, so I can't access them directly via mydomain.com:<port> .

I was wondering if OpenVPN would be a possible solution to enable me to route [mydomain.com] traffic via that same VPN connection, but my attempts so far to route the traffic explicitly led to me getting a recursive routing error, which I understand.

This one works for the IP access:

View Originalconfig

client
proto udp
remote mydomain.com 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_djYFLGfxghURaVtn name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
route-nopull
route 192.168.86.10 255.255.255.255

Adding (or replacing the last line with) this fails with recursive routing, which I understand:

View Originalconfig

route mydomain.com 255.255.255.255

The reason I'd benefit from having access via mydomain.com rather than <ip address> is because of client-side application configurations that access the services via domain name so that they work outside my home.

I know, it's a bit convoluted and not too common a scenario, but I thought I'd ask.

Thanks in advance for your time.

[TinCanTech]

You need something like your own DNS server to administer a my.domain.local type scenario.

[openvpn_inc]

Hi pjft,

A route is an IP address only, not a name. And you can't route a tunnel through itself: I've seen users do this, and of course it immediately becomes non-functional.

Tin's idea is partly right, but it's wrong to use the .local top-level domain in DNS. It is reserved for the mDNS (zeroconf) protocol. Best is to use a domain name you own -- but obviously (?) not the same name you are using to establish the tunnel.

Often the best tool for this is dnsmasq(8). Let's say you own example.com and it is at 192.0.2.80, and we'll further suppose a VPN server address there of 172.16.16.1; use this as /etc/hosts:

Code: Select all

# this line is not needed if you have that name and address in global DNS
192.0.2.80    vpn.example.com
172.16.16.1   example.com
172.16.16.1   www.example.com

Then tell the client machine to connect to vpn.example.com, and all DNS lookups for example.com and www.example.com will return the VPN server IP address, 172.16.16.1.

This assumes an always-on tunnel, because connections to "example.com" will fail if there is no VPN.

hth, regards, rob0