[Closed] how to split tunnel with OpenVPN

Post by ulissex » Sat May 28, 2011 9:46 am

Hi

I have a problem with my OpenVPN client (on Windows XP). It's the same problem discussed here:

http://forums.openvpn.net/topic7869.html

but I found no resolution to it.

I use OpenVPN to connect to VPN server we have at work, but when I'm on VPN I cannot use my home internet connection.

This is my netstat -nr

Image

my default gateway is 192.168.1.1

now I tried to paste this at the end of my config file:

route-nopull
route "ip gateway of my VPN workserver" 255.255.255.0

but nothing

I tried with

route-nopull
route 192.168.1.1 255.255.255.0 net_gateway
route "ip gateway of my VPN workserver" 255.255.255.0 vpn_gateway

but nothing

Can anyone help me?

Re: how to split tunnel with OpenVPN

Post by janjust » Sat May 28, 2011 9:03 pm

So you want to overrule the 'redirect-gateway def1' that is pushed out by the company VPN? Normally a company VPN has a pretty good reason for pushing this out...

If you want to access your home LAN resources all you have to add to the client config is

Code:

route 192.168.1.0 255.255.255.0 net_gateway

If you want to stop using 'redirect-gateway' then you have to know all routes that need to go to the company LAN and you need to add them yourself, e.g.

Code:

route-nopull
route a.b.c.d 255.255.255.0 vpn_gateway
route e.f.g.h 255.255.255.0 vpn_gateway
etc.

Re: how to split tunnel with OpenVPN

Post by ulissex » Sat May 28, 2011 10:20 pm

Thanks for the reply, but I guess there is something I'm missing (I'm very new to all that). I add the route print after I connect to VPN:

Image

131.114.175.35 is the IP of 1 of the 3 servers used for the VPN service (the other 2 IPs end with 34 and 36), 131.114.241.92 is the IP I have after I connect to VPN.
131.114.241.1 is the gateway after I connect to VPN. 192.168.1.124 and 192.168.56.1 I guess have something to do with the wifi router of my residence, it's an open wifi access point.
So a.b.c.d in my case is 131.114.175.35? And do I have to add another 2 lines with the other 2 VPN servers' IPs?

I have seen other kinds of solutions too:

topic7806.html#p11133
and
http://dltj.org/article/openvpn-split-r ... ier_0_1524

but nothing came out. Is it possible to use a batch script to split the traffic? Is it possible that the VPN was structured in such a way that split tunneling is impossible?

Thanks

Re: how to split tunnel with OpenVPN

Post by janjust » Sat May 28, 2011 10:27 pm

The 'route-nopull' did not seem to have any effect? Set the verbosity to 5 on the client side, reconnect the client and post the log file here.

Re: how to split tunnel with OpenVPN

Post by ulissex » Sun May 29, 2011 1:10 am

Hi thanks for the quick reply, this forum is great!!

I set verbosity to 5 and this is the log (I just wiped off some sensitive infos, nothing important)

Sun May 29 03:17:42 2011 us=22398 Current Parameter Settings:
Sun May 29 03:17:42 2011 us=22443 config = 'vpnSBA.ovpn'
Sun May 29 03:17:42 2011 us=22452 mode = 0
Sun May 29 03:17:42 2011 us=22460 show_ciphers = DISABLED
Sun May 29 03:17:42 2011 us=22469 show_digests = DISABLED
Sun May 29 03:17:42 2011 us=22477 NOTE: --mute triggered...
Sun May 29 03:17:42 2011 us=22498 213 variation(s) on previous 5 message(s) suppressed by --mute
Sun May 29 03:17:42 2011 us=22510 OpenVPN 2.1_beta7 Win32-MinGW [SSL] [LZO2] built on Nov 12 2005
Sun May 29 03:17:50 2011 us=970368 LZO compression initialized
Sun May 29 03:17:50 2011 us=970543 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun May 29 03:17:51 2011 us=50703 RESOLVE: NOTE: vpnsba.unipi.it resolves to 3 addresses, choosing one by random
Sun May 29 03:17:51 2011 us=50755 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Sun May 29 03:17:51 2011 us=50838 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun May 29 03:17:51 2011 us=50867 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun May 29 03:17:51 2011 us=50914 Local Options hash (VER=V4): '31fdf004'
Sun May 29 03:17:51 2011 us=50944 Expected Remote Options hash (VER=V4): '3e6d1056'
Sun May 29 03:17:51 2011 us=51012 Attempting to establish TCP connection with 131.114.175.34:1194
Sun May 29 03:17:51 2011 us=97081 TCP connection established with 131.114.175.34:1194
Sun May 29 03:17:51 2011 us=97138 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 29 03:17:51 2011 us=97168 TCPv4_CLIENT link local: [undef]
Sun May 29 03:17:51 2011 us=97198 TCPv4_CLIENT link remote: 131.114.175.34:1194
[...]
Sun May 29 03:17:53 2011 us=747145 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun May 29 03:17:53 2011 us=747187 NOTE: --mute triggered...
Sun May 29 03:17:53 2011 us=747552 4 variation(s) on previous 5 message(s) suppressed by --mute
Sun May 29 03:17:53 2011 us=747590 [server] Peer Connection Initiated with 131.114.175.34:1194
Sun May 29 03:17:54 2011 us=757297 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun May 29 03:17:54 2011 us=952671 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 131.114.241.1,route-gateway 131.114.241.1,ping 10,ping-restart 120,ifconfig 131.114.241.20 255.255.255.0'
Sun May 29 03:17:54 2011 us=952729 Options error: option 'redirect-gateway' cannot be used in this context
Sun May 29 03:17:54 2011 us=952823 OPTIONS IMPORT: timers and/or timeouts modified
Sun May 29 03:17:54 2011 us=952848 OPTIONS IMPORT: --ifconfig/up options modified
Sun May 29 03:17:54 2011 us=952864 OPTIONS IMPORT: route-related options modified
Sun May 29 03:17:54 2011 us=952880 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun May 29 03:17:54 2011 us=975561 TAP-WIN32 device [Connessione alla rete locale (LAN) 3] opened: \\.\Global\{0AE75FC7-2C40-4D4D-BEFA-FB93818AD92E}.tap
Sun May 29 03:17:54 2011 us=976474 TAP-Win32 Driver Version 8.3
Sun May 29 03:17:54 2011 us=976508 TAP-Win32 MTU=1500
Sun May 29 03:17:54 2011 us=980258 Notified TAP-Win32 driver to set a DHCP IP/netmask of 131.114.241.20/255.255.255.0 on interface {0AE75FC7-2C40-4D4D-BEFA-FB93818AD92E} [DHCP-serv: 131.114.241.0, lease-time: 31536000]
Sun May 29 03:17:54 2011 us=980293 DHCP option string: 06048372 f101
Sun May 29 03:17:54 2011 us=981522 Successful ARP Flush on interface [4] {0AE75FC7-2C40-4D4D-BEFA-FB93818AD92E}
Sun May 29 03:17:54 2011 us=995837 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun May 29 03:17:54 2011 us=996173 Route: Waiting for TUN/TAP interface to come up...
Sun May 29 03:17:56 2011 us=8048 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun May 29 03:17:56 2011 us=8149 Route: Waiting for TUN/TAP interface to come up...
Sun May 29 03:17:56 2011 us=792054 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sun May 29 03:17:56 2011 us=792100 route ADD 131.114.0.0 MASK 255.255.255.255 131.114.241.1
Sun May 29 03:17:56 2011 us=802690 Route addition via IPAPI succeeded
Sun May 29 03:17:56 2011 us=802733 route ADD 198.81.200.2 MASK 255.255.255.255 131.114.241.1
Sun May 29 03:17:56 2011 us=834698 Route addition via IPAPI succeeded
Sun May 29 03:17:56 2011 us=834740 Initialization Sequence Completed


Btw I guess I'm barely finding some light in this dark tunnel :)

I was able to do split tunneling for part of the VPN sites by adding

route-nopull
route 131.114.0.0 255.255.255.255 vpn_gateway
route 198.81.200.2 255.255.255.255 vpn_gateway

198.81.200.2 is the IP of one of the VPN sites and I can navigate on the internet and watch it (it's a journal)

but when I try to add more journals, I dunno why, they aren't recognized and so I can't get into them.
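One way to read a verb 5 client log like the one posted above, as an added example that is not part of the original thread: it pulls out what the server pushed, which pushed options the client logged as unusable, and which routes were actually installed. The function names are hypothetical; the sample lines are excerpted from the log in the post.

```python
import re

# Excerpt of the client log posted above.
SAMPLE_LOG = """\
Sun May 29 03:17:54 2011 us=952671 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 131.114.241.1,route-gateway 131.114.241.1,ping 10,ping-restart 120,ifconfig 131.114.241.20 255.255.255.0'
Sun May 29 03:17:54 2011 us=952729 Options error: option 'redirect-gateway' cannot be used in this context
Sun May 29 03:17:56 2011 us=792100 route ADD 131.114.0.0 MASK 255.255.255.255 131.114.241.1
Sun May 29 03:17:56 2011 us=802690 Route addition via IPAPI succeeded
Sun May 29 03:17:56 2011 us=802733 route ADD 198.81.200.2 MASK 255.255.255.255 131.114.241.1
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
REJECT_RE = re.compile(r"Options error: option '([^']+)' cannot be used in this context")
ROUTE_RE = re.compile(r"route ADD (\S+) MASK (\S+) (\S+)")

def summarize(log_text):
    """Return pushed options, options logged as unusable, and routes added."""
    pushed, rejected, routes = [], [], []
    for line in log_text.splitlines():
        if m := PUSH_RE.search(line):
            pushed.extend(opt.strip() for opt in m.group(1).split(","))
        elif m := REJECT_RE.search(line):
            rejected.append(m.group(1))
        elif m := ROUTE_RE.search(line):
            routes.append(m.groups())  # (destination, mask, gateway)
    return {"pushed": pushed, "rejected": rejected, "routes": routes}

def redirect_gateway_applied(summary):
    """True if redirect-gateway was pushed and not logged as unusable."""
    asked = any(o.startswith("redirect-gateway") for o in summary["pushed"])
    return asked and "redirect-gateway" not in summary["rejected"]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("pushed:  ", s["pushed"])
    print("rejected:", s["rejected"])
    for dest, mask, gw in s["routes"]:
        print(f"route {dest} mask {mask} via {gw}")
    print("redirect-gateway applied:", redirect_gateway_applied(s))
```
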

Re: how to split tunnel with OpenVPN

Post by Bebop » Sun May 29, 2011 1:44 am

ulissex wrote: route 131.114.0.0 255.255.255.255 vpn_gateway

After some help via PM, I said I would join you in the main thread here with Janjust, so here I am :]

Just one thing to point out. Is 131.114.0.0 a subnet or a real IP?

If it's a real IP then fine, what you did is right... but... if it is a subnet, you need to use not 255.255.255.255 but, instead, 255.255.0.0

Maybe useful, maybe not. Depends if 131.114.0.0 is subnet or single IP.

Re: how to split tunnel with OpenVPN

Post by ulissex » Sun May 29, 2011 2:50 pm

hi

I think I finally found a solution, simply adding:

Code:

route-nopull
route "IP I want to see through the VPN 1" 255.255.255.255 vpn_gateway
route "IP I want to see through the VPN 2" 255.255.255.255 vpn_gateway
etc...

I had to manually find all the IPs of the journals I need and add them. If I want to add the whole subnet of the journal site, my mask will become 255.255.255.0 and so on. I need to make some more tries, but now I have both internet and VPN on.

Really a big thanks to janjust and Bebop, I really appreciated your help.
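The approach that worked in the end, combined with Bebop's point about host masks on subnet addresses, as an added example that is not part of the original thread: a helper that turns a list of single IPs and CIDR subnets into the `route-nopull` client lines with matching masks. The function name is hypothetical, and the 192.0.2.x entries are constructed sample values.

```python
import ipaddress

def route_lines(targets, gateway="vpn_gateway"):
    """Build 'route-nopull' client lines from single IPs and CIDR subnets.

    Returns (config_lines, warnings). Raises ValueError for an entry whose
    host bits do not match its prefix, e.g. "192.0.2.17/24".
    """
    nets, warnings = [], []
    for target in targets:
        net = ipaddress.IPv4Network(target, strict=True)  # bare IP -> /32
        # Bebop's question: a /32 on an address ending in .0 may be a subnet
        # written with a host mask, in which case only one address is routed.
        if net.prefixlen == 32 and int(net.network_address) & 0xFF == 0:
            warnings.append(f"{target}: host mask on an address ending in .0")
        nets.append(net)
    lines = ["route-nopull"]
    # collapse_addresses drops hosts already covered by a listed subnet.
    for net in ipaddress.collapse_addresses(nets):
        lines.append(f"route {net.network_address} {net.netmask} {gateway}")
    return lines, warnings

if __name__ == "__main__":
    # 131.114.0.0 and 198.81.200.2 are from the thread; 192.0.2.x is constructed.
    cfg, notes = route_lines(
        ["131.114.0.0", "198.81.200.2", "192.0.2.0/24", "192.0.2.17"]
    )
    print("\n".join(cfg))
    print("\n".join("# check: " + n for n in notes))
```
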
