Configuration: route specific traffic over Openvpn

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Configuration: route specific traffic over Openvpn

Post by janhoedt » Wed Sep 21, 2011 3:22 pm

Hi,

Openvpn rocks!
It works through proxy as well as on my iphone.

However I have 1 practical question (when connected from work to home OpenVPN):

=> I would like to route both my LAN traffic (192.168.x.x) and my Internet traffic through my OpenVPN. It would be nice to be able to set exceptions also, e.g. not www.google.be.
How do I achieve this? Should I set up a proxy on my NAS, and how do I route the traffic?

Any input on my config is also welcome!
Cheers,
J.


Server: Synology NAS with OpenVPN package, LAN = 192.168.x.x, VPN IP = 172.16.x.x
Client: Windows XP with OpenVPN portable

SETTINGS CLIENT:
----------------
dev tun
tls-client

remote mydyndnsaddress 8080

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will first connect to the VPN server
# and then to the Internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway

pull

proto tcp-client
script-security 2

ca ca.crt

comp-lzo

reneg-sec 0

auth-user-pass


SETTINGS SERVER:
-----------------
DS> vi openvpn.conf
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun

# management 127.0.0.1 1195 => changed this to ip of NAS
management mylocalipofnas 1195

server 172.16.1.0 255.255.255.0


dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3


#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp
auth-user-pass

ROUTE PRINT on PC WORK:
-----------------------
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.101.161.254 10.101.161.129 1
10.101.160.0 255.255.254.0 10.101.161.129 10.101.161.129 20
10.101.161.129 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.101.161.129 10.101.161.129 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.1.0 255.255.255.0 172.16.1.5 172.16.1.6 1
172.16.1.1 255.255.255.255 172.16.1.5 172.16.1.6 1
172.16.1.4 255.255.255.252 172.16.1.6 172.16.1.6 30
172.16.1.6 255.255.255.255 127.0.0.1 127.0.0.1 30
172.16.255.255 255.255.255.255 172.16.1.6 172.16.1.6 30
192.168.1.0 255.255.255.0 172.16.1.5 172.16.1.6 1
224.0.0.0 240.0.0.0 10.101.161.129 10.101.161.129 20
224.0.0.0 240.0.0.0 172.16.1.6 172.16.1.6 30
255.255.255.255 255.255.255.255 10.101.161.129 10.101.161.129 1
255.255.255.255 255.255.255.255 10.101.161.129 2 1
255.255.255.255 255.255.255.255 172.16.1.6 172.16.1.6 1
Default Gateway: 10.101.161.254
===========================================================================
Persistent Routes:
None

Note that the OpenVPN admin page is not implemented; I don't know if I can put/install this on the NAS?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Configuration: route specific traffic over Openvpn

Post by janjust » Wed Sep 21, 2011 9:55 pm

In order to redirect all traffic via the VPN, add

push "redirect-gateway def1"
to the server config; you can exclude certain IP ranges (not sets of domain names!) using


route <IP> <netmask> net_gateway
you can exclude specific DNS names (e.g. www.google.be) using


allow-pull-fqdn
route www.google.be 255.255.255.255 net_gateway
but this will only add an exception for the FIRST IP address that comes out of the name resolution.

For more flexible routing policies I'd actually use a SOCKS server: browsers like Firefox let you configure in great detail what goes through a SOCKS server and what not.

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Thu Sep 22, 2011 4:52 am

Thanks, but I want all config done on the client, so I guess I have to use routes on the client. What proxy would you recommend?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Configuration: route specific traffic over Openvpn

Post by janjust » Thu Sep 22, 2011 8:36 am

You can use

redirect-gateway def1
allow-pull-fqdn
route www.google.be 255.255.255.255 net_gateway
on the client as well; for multiple clients it becomes much easier to do it on the server, however.

As for a proxy: I normally use a plain ordinary SSH tunnel, but that's because I use SSH for daily work anyway.

An open source SOCKS server would be DANTE.

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Thu Sep 22, 2011 8:59 am

Please explain the SSH tunnel (PuTTY?).
I could run it over OpenVPN.
Tried, but can't make it work.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Configuration: route specific traffic over Openvpn

Post by janjust » Thu Sep 22, 2011 9:26 am

If you use SSH / PuTTY you wouldn't even need a VPN.

Configure PuTTY to do Dynamic Port Forwarding. You can find a tutorial (in Dutch) "hidden" on my home page:
http://www.nikhef.nl/~janjust/nikhef-proxy/

including how to configure Firefox to use the proxy.

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Thu Sep 22, 2011 2:50 pm

I know this config; I did already configure it, but it does not work.
Firefox doesn't give an error, but I get an empty/white page.

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Thu Sep 22, 2011 3:55 pm

Ok, I found the problem. Only SOCKS 5 should be selected. However, if I connect not over VPN but via the proxy server of work, PuTTY gets stuck on the proxy (I can see in the event log it's stuck there).
I tried to enable the proxy in PuTTY (as it works in OpenVPN), but it does not pop up to authenticate. I can set user and password in the PuTTY settings (on the proxy page), but same result ....

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Thu Sep 22, 2011 5:58 pm

Ok, I'm testing now with the client part you mentioned:

redirect-gateway def1
allow-pull-fqdn
route www.google.be 255.255.255.255 net_gateway

This is quite confusing; it's the opposite of what I need. I need only the private range of my home LAN (192.168.1.0) AND Internet traffic (if possible to specify exceptions, that would be great) to go over the VPN.

The config above sends only www.google.be NOT over the VPN, whereas I want everything to be sent over the VPN except for the private ranges at work.

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Thu Sep 22, 2011 6:16 pm

Ok, I'm getting there. Will soon post if this works:

Server config:
push "redirect-gateway def1"
route 10.0.0.0 255.0.0.0
route 172.16.0.0 255.240.0.0
route 192.168.0.0 255.255.0.0

push "route 192.168.33.0 255.255.255.0"

With 192.168.33.x as OpenVPN addresses.

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Thu Sep 22, 2011 6:45 pm

Doesn't work ....
All traffic goes over the VPN.


push "redirect-gateway def1"


route 10.0.0.0 255.0.0.0 net_gateway
route 172.16.0.0 255.240.0.0 net_gateway
route 192.168.0.0 255.255.0.0 net_gateway

push "route 192.168.1.0 255.255.255.0"
push "route 192.168.33.0 255.255.255.0"
dev tun

management 192.168.1.6 1195

server 192.168.33.0 255.255.255.0


dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Configuration: route specific traffic over Openvpn

Post by janjust » Thu Sep 22, 2011 10:02 pm

The config above sends only www.google.be NOT over vpn, whereas I want everything to be sent over vpn except for private ranges work.
I thought you did not want to change the server config...
To avoid confusion, let's remove all "push route" statements from the server config and try adding everything to the client config:

# redirect all default traffic via the VPN
redirect-gateway def1
# redirect the home network 192.168.1/24 via the VPN
route 192.168.1.0 255.255.255.0
# redirect another network to NOT go via the VPN
route 10.10.0.0 255.255.255.0 net_gateway
# redirect a host using a domainname to NOT go via the VPN
route www.google.be 255.255.255.255 net_gateway
Is this roughly what you are looking for? Because I am getting confused as to what traffic should go via the VPN and what not.

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Thu Sep 22, 2011 10:06 pm

Yes, great. In the meantime I've set up a Squid proxy as an alternative.
Thanks!!!

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Fri Sep 23, 2011 4:26 am

... but can I make 192.168.1.x go via OpenVPN and the rest of 192.168.x NOT?
+ how do I set it to use a remote proxy (iPhone)?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Configuration: route specific traffic over Openvpn

Post by janjust » Fri Sep 23, 2011 6:46 am

The more specific routing rule should always win, thus by using

route 192.168.0.0 255.255.0.0 net_gateway
route 192.168.1.0 255.255.255.0
redirect-gateway def1
all traffic, including 192.168.1.0/24 but EXcluding all other 192.168/16 subnets, will go via the VPN.

I have no clue how to set up proxies on an iPhone; that is waaay off topic for this forum.
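The two client configs above (the "everything via VPN except one work subnet and one hostname" one, and the "192.168.1/24 via VPN, rest of 192.168/16 local" one) both rely on longest-prefix matching, and on the fact that redirect-gateway def1 installs two /1 routes rather than replacing the default route. The following is an added example, not code from the thread or from OpenVPN: a small simulator that installs those route lines into a table and looks up where each destination would go. vpn_gateway and net_gateway are OpenVPN's own keywords; the 203.0.113.x addresses and the FAKE_DNS mapping are constructed placeholders, used only to show that an allow-pull-fqdn route excepts the first resolved address and no other.

```python
import ipaddress

# Added example: longest-prefix-match simulator for the client-side routing
# policy discussed in this thread. Not OpenVPN code; gateway names are OpenVPN's
# keywords, the numeric addresses below are constructed placeholders.

VPN_GW = "vpn_gateway"
NET_GW = "net_gateway"

# Constructed stand-in for DNS. An allow-pull-fqdn route uses only the FIRST
# address a name resolves to, which is why it is only a partial exception.
FAKE_DNS = {"www.google.be": ["203.0.113.10", "203.0.113.11"]}


def parse_openvpn_routes(config_lines, resolver=FAKE_DNS):
    """Build a list of (network, gateway) from OpenVPN client 'route' and
    'redirect-gateway def1' lines, as the client would install them.
    The table starts with the existing default route via the physical gateway."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), NET_GW)]
    for raw in config_lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "redirect-gateway" and "def1" in parts[1:]:
            # def1 does not delete 0.0.0.0/0; it adds two /1 routes that are
            # more specific than the default and therefore win for all traffic.
            table.append((ipaddress.ip_network("0.0.0.0/1"), VPN_GW))
            table.append((ipaddress.ip_network("128.0.0.0/1"), VPN_GW))
        elif parts[0] == "route":
            target, mask = parts[1], parts[2]
            gw = parts[3] if len(parts) > 3 else VPN_GW  # no gateway: via the VPN
            try:
                ipaddress.ip_address(target)
            except ValueError:
                # hostname (needs allow-pull-fqdn): only the first resolved IP is used
                target = resolver[target][0]
            table.append((ipaddress.ip_network(f"{target}/{mask}", strict=False), gw))
    return table


def lookup(table, dest):
    """Longest-prefix match: the most specific matching route decides."""
    addr = ipaddress.ip_address(dest)
    best_net, best_gw = None, None
    for net, gw in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def classify(config_lines, destinations):
    """Map each destination address to the gateway it would take."""
    table = parse_openvpn_routes(config_lines)
    return {dest: lookup(table, dest) for dest in destinations}


# Client config combining the two variants discussed in the thread
CLIENT_CONFIG = [
    "route 192.168.0.0 255.255.0.0 net_gateway",       # work LAN /16: stay local
    "route 192.168.1.0 255.255.255.0",                 # home LAN /24: via VPN (more specific)
    "redirect-gateway def1",                           # everything else: via VPN
    "route www.google.be 255.255.255.255 net_gateway", # one host excepted by name
]

# Constructed destinations to probe the resulting policy
SAMPLE_DESTINATIONS = [
    "192.168.1.20",   # home NAS -> VPN
    "192.168.5.7",    # another work subnet -> local gateway
    "8.8.8.8",        # public Internet -> VPN (def1)
    "203.0.113.10",   # first resolved IP of the excepted name -> local gateway
    "203.0.113.11",   # second resolved IP is NOT excepted -> VPN
]

if __name__ == "__main__":
    for dest, gw in classify(CLIENT_CONFIG, SAMPLE_DESTINATIONS).items():
        print(f"{dest:15} -> {gw}")
```

Running it shows that 192.168.1.20 takes vpn_gateway even though 192.168.0.0/16 is routed to net_gateway, because the /24 is longer than the /16, and that the second address of the excepted hostname still goes via the VPN. Swapping the order of the route lines changes nothing, since prefix length, not position in the file, decides.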

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Fri Sep 23, 2011 2:11 pm

Great, thanks!
Regarding the iPhone, I kind of hoped the destination proxy server could be added in the config(?)

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: Configuration: route specific traffic over Openvpn

Post by janhoedt » Fri Sep 23, 2011 2:35 pm

Can't I configure it to use a proxy once connected?
E.g. remote proxy: 192.168.1. ...

RedPenguin
OpenVpn Newbie
Posts: 12
Joined: Fri Nov 18, 2011 10:47 pm

Re: Configuration: route specific traffic over Openvpn

Post by RedPenguin » Fri Nov 18, 2011 10:55 pm

I have a question related to the original poster's question, but with a slight spin.

My OpenVPN setup is limited to 256KB/s (normally around 200) upload.

I use it on the go on open wifi networks with security.

Now normally 200kb/s works fine for web browsing, VoIP, streaming media, etc.

My question is: is there any type of setup I can do with OpenVPN so that when I need to download large files, like a Linux ISO, it could be like, nah, send that through your normal connection?

I ask because once in a while I have to turn off the tunnel to download a file, otherwise I'm sitting there for hours downloading it at 200KB/s when the WiFi I may be on can download at 1MB/s or more.

If you can't really go by file size, can you at least go by protocol?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Configuration: route specific traffic over Openvpn

Post by janjust » Sat Nov 19, 2011 12:49 am

This is not really an OpenVPN issue: suppose you have 2 network cables with 2 Internet connections, one fast, one slow. How would you tell your PC to do certain transfers via one link and others via the other link? This is virtually impossible using TCP/IP routing, as you cannot filter on file size.

Filtering on protocol type is possible on Linux (e.g. using iptables), but it's tricky and, again, has little to do with OpenVPN.

Halems
OpenVpn Newbie
Posts: 2
Joined: Fri Apr 15, 2016 10:16 am

Re: Configuration: route specific traffic over Openvpn

Post by Halems » Fri Apr 15, 2016 10:18 am

I found SOCKS5 to be slow as a web browser proxy. Maybe it's the TCP-over-TCP-is-a-bad-idea thing. My preference is to host an HTTP proxy server (Squid) in my LAN and then, using the VPN, configure the Chrome proxy add-on to talk to the remote LAN Squid.... so no SSH involved.