[Closed] how to split tunnel with OpenVPN
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat May 28, 2011 9:33 am
[Closed] how to split tunnel with OpenVPN
Hi
I have a problem with my OpenVPN client (on Windows XP). It's the same problem discussed here:
http://forums.openvpn.net/topic7869.html
but I found no resolution to it.
I use OpenVPN to connect to VPN server we have at work, but when I'm on VPN I cannot use my home internet connection.
This is my netstat -nr
my default gateway is 192.168.1.1
now I tried to paste this at the end of my config file:
route-nopull
route "ip gateway of my VPN workserver" 255.255.255.0
but nothing
I tried with
route-nopull
route 192.168.1.1 255.255.255.0 net_gateway
route "ip gateway of my VPN workserver" 255.255.255.0 vpn_gateway
but nothing
Can anyone help me?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: how to split tunnel with OpenVPN
so you want to overrule the 'redirect-gateway def1' that is pushed out by the company VPN? normally a company VPN has a pretty good reason for pushing this out...
If you want to access your home LAN resources all you have to add to the client config is
Code: Select all
route 192.168.1.0 255.255.255.0 net_gateway
If you want to stop using 'redirect-gateway' then you have to know all routes that need to go to the company LAN and you need to add them yourself, e.g.
Code: Select all
route-nopull
route a.b.c.d 255.255.255.0 vpn_gateway
route e.f.g.h 255.255.255.0 vpn_gateway
etc.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat May 28, 2011 9:33 am
Re: how to split tunnel with OpenVPN
Thanks for the reply, but I guess there is something I'm missing (I'm very new to all that). I add the route print after I connect to VPN:
131.114.175.35 is the IP of 1 of the 3 servers used for the VPN service (the other 2 IPs end with 34 and 36), 131.114.241.92 is the IP I have after I connect to VPN.
131.114.241.1 is the gateway after I connect to VPN. 192.168.1.124 and 192.168.56.1 I guess have something to do with the wifi router of my residence, it's an open wifi access point.
So a.b.c.d in my case is 131.114.175.35? and I have to add other 2 lines with the other 2 VPN server's IP?
I have seen other kinds of solutions too:
topic7806.html#p11133
and
http://dltj.org/article/openvpn-split-r ... ier_0_1524
but nothing came out. Is it possible to use a batch script to split the traffic? Is it possible that the VPN was structured in such a way that split tunneling is impossible?
Thanks
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: how to split tunnel with OpenVPN
the 'route-nopull' did not seem to have any effect? set the verbosity to 5 on the client side, reconnect the client and post the log file here.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat May 28, 2011 9:33 am
Re: how to split tunnel with OpenVPN
Hi thanks for the quick reply, this forum is great!!
I set verbosity to 5 and this is the log (I just wiped off some sensitive info, nothing important)
Sun May 29 03:17:42 2011 us=22398 Current Parameter Settings:
Sun May 29 03:17:42 2011 us=22443 config = 'vpnSBA.ovpn'
Sun May 29 03:17:42 2011 us=22452 mode = 0
Sun May 29 03:17:42 2011 us=22460 show_ciphers = DISABLED
Sun May 29 03:17:42 2011 us=22469 show_digests = DISABLED
Sun May 29 03:17:42 2011 us=22477 NOTE: --mute triggered...
Sun May 29 03:17:42 2011 us=22498 213 variation(s) on previous 5 message(s) suppressed by --mute
Sun May 29 03:17:42 2011 us=22510 OpenVPN 2.1_beta7 Win32-MinGW [SSL] [LZO2] built on Nov 12 2005
Sun May 29 03:17:50 2011 us=970368 LZO compression initialized
Sun May 29 03:17:50 2011 us=970543 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun May 29 03:17:51 2011 us=50703 RESOLVE: NOTE: vpnsba.unipi.it resolves to 3 addresses, choosing one by random
Sun May 29 03:17:51 2011 us=50755 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Sun May 29 03:17:51 2011 us=50838 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun May 29 03:17:51 2011 us=50867 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun May 29 03:17:51 2011 us=50914 Local Options hash (VER=V4): '31fdf004'
Sun May 29 03:17:51 2011 us=50944 Expected Remote Options hash (VER=V4): '3e6d1056'
Sun May 29 03:17:51 2011 us=51012 Attempting to establish TCP connection with 131.114.175.34:1194
Sun May 29 03:17:51 2011 us=97081 TCP connection established with 131.114.175.34:1194
Sun May 29 03:17:51 2011 us=97138 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 29 03:17:51 2011 us=97168 TCPv4_CLIENT link local: [undef]
Sun May 29 03:17:51 2011 us=97198 TCPv4_CLIENT link remote: 131.114.175.34:1194
[...]
Sun May 29 03:17:53 2011 us=747145 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun May 29 03:17:53 2011 us=747187 NOTE: --mute triggered...
Sun May 29 03:17:53 2011 us=747552 4 variation(s) on previous 5 message(s) suppressed by --mute
Sun May 29 03:17:53 2011 us=747590 [server] Peer Connection Initiated with 131.114.175.34:1194
Sun May 29 03:17:54 2011 us=757297 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun May 29 03:17:54 2011 us=952671 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 131.114.241.1,route-gateway 131.114.241.1,ping 10,ping-restart 120,ifconfig 131.114.241.20 255.255.255.0'
Sun May 29 03:17:54 2011 us=952729 Options error: option 'redirect-gateway' cannot be used in this context
Sun May 29 03:17:54 2011 us=952823 OPTIONS IMPORT: timers and/or timeouts modified
Sun May 29 03:17:54 2011 us=952848 OPTIONS IMPORT: --ifconfig/up options modified
Sun May 29 03:17:54 2011 us=952864 OPTIONS IMPORT: route-related options modified
Sun May 29 03:17:54 2011 us=952880 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun May 29 03:17:54 2011 us=975561 TAP-WIN32 device [Connessione alla rete locale (LAN) 3] opened: \\.\Global\{0AE75FC7-2C40-4D4D-BEFA-FB93818AD92E}.tap
Sun May 29 03:17:54 2011 us=976474 TAP-Win32 Driver Version 8.3
Sun May 29 03:17:54 2011 us=976508 TAP-Win32 MTU=1500
Sun May 29 03:17:54 2011 us=980258 Notified TAP-Win32 driver to set a DHCP IP/netmask of 131.114.241.20/255.255.255.0 on interface {0AE75FC7-2C40-4D4D-BEFA-FB93818AD92E} [DHCP-serv: 131.114.241.0, lease-time: 31536000]
Sun May 29 03:17:54 2011 us=980293 DHCP option string: 06048372 f101
Sun May 29 03:17:54 2011 us=981522 Successful ARP Flush on interface [4] {0AE75FC7-2C40-4D4D-BEFA-FB93818AD92E}
Sun May 29 03:17:54 2011 us=995837 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun May 29 03:17:54 2011 us=996173 Route: Waiting for TUN/TAP interface to come up...
Sun May 29 03:17:56 2011 us=8048 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun May 29 03:17:56 2011 us=8149 Route: Waiting for TUN/TAP interface to come up...
Sun May 29 03:17:56 2011 us=792054 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sun May 29 03:17:56 2011 us=792100 route ADD 131.114.0.0 MASK 255.255.255.255 131.114.241.1
Sun May 29 03:17:56 2011 us=802690 Route addition via IPAPI succeeded
Sun May 29 03:17:56 2011 us=802733 route ADD 198.81.200.2 MASK 255.255.255.255 131.114.241.1
Sun May 29 03:17:56 2011 us=834698 Route addition via IPAPI succeeded
Sun May 29 03:17:56 2011 us=834740 Initialization Sequence Completed
Btw I guess I'm barely finding some light in this dark tunnel
I was able to do split tunneling for part of the VPN sites by adding
route-nopull
route 131.114.0.0 255.255.255.255 vpn_gateway
route 198.81.200.2 255.255.255.255 vpn_gateway
198.81.200.2 is the IP of one of the VPN sites and I can navigate on the internet and watch it (it's a journal)
but when I try to add more journals, I dunno why, they aren't recognized and so I can't get into them.
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: how to split tunnel with OpenVPN
After some help via PM, I said I would join you in the main thread here with Janjust, so here I am :]
ulissex wrote: route 131.114.0.0 255.255.255.255 vpn_gateway
Just one thing to point out. Is 131.114.0.0 a subnet or a real IP?
If it's a real IP then fine, what you did is right... but.. if it is a subnet, you need to use not 255.255.255.255, but instead, 255.255.0.0
Maybe useful, maybe not. Depends if 131.114.0.0 is subnet or single IP.
The cure for boredom is curiosity
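Added example, not part of any post in this thread: a Python check over lines excerpted from the client log above (timestamps dropped). It reports which pushed option the client refused under route-nopull and flags the /32 mask on 131.114.0.0 that the mask question refers to. The function names, the `.0` heuristic and the test address 131.114.10.5 are assumptions made for the illustration.

```python
import ipaddress
import re

# Lines excerpted from the client log posted in the thread (timestamps dropped).
LOG = """\
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 131.114.241.1,route-gateway 131.114.241.1,ping 10,ping-restart 120,ifconfig 131.114.241.20 255.255.255.0'
Options error: option 'redirect-gateway' cannot be used in this context
route ADD 131.114.0.0 MASK 255.255.255.255 131.114.241.1
route ADD 198.81.200.2 MASK 255.255.255.255 131.114.241.1
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
REJECT_RE = re.compile(r"Options error: option '([^']+)' cannot be used in this context")
ROUTE_RE = re.compile(r"route ADD (\S+) MASK (\S+) (\S+)")


def audit(log_text):
    """Summarise pushed options, options the client refused, and routes installed."""
    pushed, rejected, routes = [], [], []
    for line in log_text.splitlines():
        if m := PUSH_RE.search(line):
            # Keep only the option name of each comma-separated pushed option.
            pushed = [opt.split()[0] for opt in m.group(1).split(",")]
        elif m := REJECT_RE.search(line):
            rejected.append(m.group(1))
        elif m := ROUTE_RE.search(line):
            dest, mask, gateway = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            # Heuristic (assumption): a /32 route to an address ending in .0
            # often means a subnet mask was intended instead of a host mask.
            check_mask = net.prefixlen == 32 and dest.endswith(".0")
            routes.append({"dest": dest, "prefix": net.prefixlen,
                           "gateway": gateway, "check_mask": check_mask})
    return {"pushed": pushed, "rejected": rejected, "routes": routes}


def via_vpn(routes, ip):
    """True if ip falls inside one of the routes installed toward the VPN gateway."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(f"{r['dest']}/{r['prefix']}", strict=False)
               for r in routes)


if __name__ == "__main__":
    report = audit(LOG)
    print(report)
    # 131.114.10.5 is a constructed address inside 131.114.0.0/16.
    print(via_vpn(report["routes"], "131.114.10.5"))
```

With the /32 mask only the single address 131.114.0.0 is routed through the tunnel, so other hosts in that range still leave via the home gateway.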
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat May 28, 2011 9:33 am
Re: how to split tunnel with OpenVPN
hi
I think I finally found a solution, simply adding:
Code: Select all
route-nopull
route "IP I want to see through the VPN 1" 255.255.255.255 vpn_gateway
route "IP I want to see through the VPN 2" 255.255.255.255 vpn_gateway
etc...
I had to find manually all the IPs of the journals I need and I added them. If I want to add the whole subnet of the journal site, my mask will become 255.255.255.0 and so on. I need to make some more tries, but now I have both internet and VPN on.
Really a big thanks to janjust and Bebop, I really appreciated your help