Don't route all traffic through VPN by client configuration

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Don't route all traffic through VPN by client configuration

Post by samb » Wed Dec 19, 2018 6:01 pm

Hello,

I have an OpenVPN server set up at home on my local LAN. I use the OpenVPN client on iOS and Windows to connect to my VPN side LAN and also route Internet traffic through the VPN tunnel.

But sometimes I don't want the Internet traffic to be routed through the tunnel. So on the client I have created two OpenVPN profiles. By default all traffic is sent through the tunnel. And to the config that I want to use for only accessing the VPN side LAN I have added this:

pull-filter ignore "redirect-gateway"

The config without this works as expected. I can access the VPN side LAN and the Internet through the home gateway.

These are my configurations!
Server Config

port 123
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.55.1"
push "dhcp-option DOMAIN example.com"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1


Client Config

client
dev tun
proto udp
remote example.com 123
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
pull-filter ignore "redirect-gateway"
CERT AND KEYS STRIPPED...


When using the above client config I cannot access the VPN side LAN or the Internet via VPN. But when skipping

pull-filter ignore "redirect-gateway"

I can access the VPN side LAN and the Internet. The local VPN side LAN DNS is used so I can access server.example.com on my home network.
Note: when using the config that does not route Internet traffic, I also want to be able to use the VPN side LAN DNS for *.example.com domains, but the client side DNS for other domains on the Internet.

Please help me out with advice here.
I could setup two different VPN servers with different push-directives, but that's not an ideal solution for me.

Thanks!

//Sam

samb
OpenVpn Newbie
Posts: 18
Joined: Sun Nov 29, 2015 11:38 pm

Re: Don't route all traffic through VPN by client configuration

Post by samb » Thu Dec 20, 2018 10:18 pm

For reference, I solved it by adding any of the following lines (depending on what I want to filter out on my client):
client

pull-filter ignore "redirect-gateway def1 bypass-dhcp"
pull-filter ignore "dhcp-option DNS 192.168.55.1"
pull-filter ignore "dhcp-option DOMAIN example.com"
route 192.168.55.0 255.255.255.0


So I can choose whether to use the VPN as the gateway for the Internet, or whether to use local/remote DNS.

mirky
OpenVpn Newbie
Posts: 9
Joined: Mon Sep 23, 2019 2:22 am

Re: Don't route all traffic through VPN by client configuration

Post by mirky » Mon Sep 23, 2019 7:03 pm

samb wrote:
Thu Dec 20, 2018 10:18 pm
For reference, I solved it by adding any of the following lines (depending on what I want to filter out on my client):
client

pull-filter ignore "redirect-gateway def1 bypass-dhcp"
pull-filter ignore "dhcp-option DNS 192.168.55.1"
pull-filter ignore "dhcp-option DOMAIN example.com"
route 192.168.55.0 255.255.255.0


So I can choose whether to use the VPN as the gateway for the Internet, or whether to use local/remote DNS.
Hey there, does this still work for you? I am trying to do the same with little luck.

So, when you don't want Internet traffic routed, you simply add only `pull-filter ignore "redirect-gateway def1 bypass-dhcp"`?

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Don't route all traffic through VPN by client configuration

Post by 300000 » Mon Sep 23, 2019 11:25 pm

If you don't want the client to route all traffic over the VPN link, just add this to the client config and try again:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway


You should remove `pull-filter ignore "redirect-gateway"`; then you can use your DNS and connect to your LAN as normal, but everything else will go out over the client's local connection.


I used this to VPN only to my DNS server at home to block ads and Google ads, and it works well; all ads have been blocked by my DNS at home.
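To make the two mechanisms discussed above concrete (samb's `pull-filter ignore` lines and 300000's four /2 routes to `net_gateway`), here is an added Python model, not code from OpenVPN or from anyone in this thread. It assumes the documented pull-filter behaviour (first rule whose text is a prefix of the pushed option wins; unmatched options are accepted) and ordinary longest-prefix-match routing; the push lines and routes are the ones quoted in the thread.

```python
import ipaddress

# OpenVPN pull-filter semantics: rules are tried in order and the first rule
# whose text is a prefix of the pushed option decides (accept/ignore/reject);
# an option matching no rule is accepted. Prefix matching is why
# `pull-filter ignore "redirect-gateway"` also drops "redirect-gateway def1 bypass-dhcp".
def apply_pull_filters(pushed, rules):
    kept = []
    for opt in pushed:
        action = next((act for act, text in rules if opt.startswith(text)), "accept")
        if action == "reject":
            raise ValueError(f"rejected pushed option: {opt}")
        if action == "accept":
            kept.append(opt)
    return kept

# Longest-prefix match over (network, gateway) routes, the rule every host
# routing table follows. A destination matching no entry falls through to the
# client's pre-existing default route, i.e. the local gateway.
def next_hop(routes, dst):
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in routes if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else "net_gateway"

# Constructed sample: the three push lines from samb's server config.
SERVER_PUSH = ["redirect-gateway def1 bypass-dhcp",
               "dhcp-option DNS 192.168.55.1",
               "dhcp-option DOMAIN example.com"]

# 300000's approach: "redirect-gateway def1" installs two /1 routes toward the
# tunnel; the four /2 routes to net_gateway are more specific and win for all
# Internet destinations, while the VPN-side LAN keeps its /24 toward the tunnel.
ROUTES_SPLIT = [("0.0.0.0/1", "vpn_gateway"), ("128.0.0.0/1", "vpn_gateway"),
                ("0.0.0.0/2", "net_gateway"), ("64.0.0.0/2", "net_gateway"),
                ("128.0.0.0/2", "net_gateway"), ("192.0.0.0/2", "net_gateway"),
                ("192.168.55.0/24", "vpn_gateway")]

if __name__ == "__main__":
    print(apply_pull_filters(SERVER_PUSH, [("ignore", "redirect-gateway")]))
    for dst in ("8.8.8.8", "192.168.55.10"):
        print(dst, "->", next_hop(ROUTES_SPLIT, dst))
```

Run it against your own pushed options and routes to confirm which destinations still leave through the tunnel before trusting a split configuration.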

mirky
OpenVpn Newbie
Posts: 9
Joined: Mon Sep 23, 2019 2:22 am

Re: Don't route all traffic through VPN by client configuration

Post by mirky » Tue Sep 24, 2019 3:36 pm

300000 wrote:
Mon Sep 23, 2019 11:25 pm
If you don't want the client to route all traffic over the VPN link, just add this to the client config and try again:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway


You should remove `pull-filter ignore "redirect-gateway"`; then you can use your DNS and connect to your LAN as normal, but everything else will go out over the client's local connection.


I used this to VPN only to my DNS server at home to block ads and Google ads, and it works well; all ads have been blocked by my DNS at home.
Thank you.
But I tried this, and it's not working. However, I think the Windows 10 OpenVPN client I am using doesn't even see these (and all other tried) changes to the config.
I don't see the routes changed either.

You know, when changes have been made, it shows a prompt to verify the config. So far this prompt only happens if I comment something out with #.
In the verify prompt "# This is comment" would show up, but not "route 0.0.0.0 192.0.0.0 10.1.10.1" or others like "route-nopull".
So what on earth is happening, I wonder now; what can make it not see this?
I should/will try to modify it on a Linux client.

mirky
OpenVpn Newbie
Posts: 9
Joined: Mon Sep 23, 2019 2:22 am

Re: Don't route all traffic through VPN by client configuration

Post by mirky » Tue Sep 24, 2019 4:15 pm

300000 wrote:
Mon Sep 23, 2019 11:25 pm
If you don't want the client to route all traffic over the VPN link, just add this to the client config and try again:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway


You should remove `pull-filter ignore "redirect-gateway"`; then you can use your DNS and connect to your LAN as normal, but everything else will go out over the client's local connection.


I used this to VPN only to my DNS server at home to block ads and Google ads, and it works well; all ads have been blocked by my DNS at home.
OK. So in Linux this worked for me; Windows client, nope. Thanks :). Will try and home in on the Windows issues.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Don't route all traffic through VPN by client configuration

Post by 300000 » Tue Sep 24, 2019 9:32 pm

You need to run it with administrator rights so it can add or remove routing table entries.

mirky
OpenVpn Newbie
Posts: 9
Joined: Mon Sep 23, 2019 2:22 am

Re: Don't route all traffic through VPN by client configuration

Post by mirky » Tue Sep 24, 2019 9:50 pm

300000 wrote:
Tue Sep 24, 2019 9:32 pm
You need to run it with administrator rights so it can add or remove routing table entries.
Thanks :).
Yes, that, and I think I was using the wrong client program. Maybe I didn't realize there were different versions. I had the one that installs as "OpenVPN Connect"; now I'm using the "OpenVPN GUI".
Though I thought that in the end they should function the same, to me they don't. It was the version I could download through the OpenVPN Access Server user portal, which I am trying out, but I needed the other.

I guess maybe... maybe it's a feature of "OpenVPN Connect" that users can't tamper with their config, that there is some check.

So I got it solved. It works with what you wrote!

navis83
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 07, 2020 10:55 am

Re: Don't route all traffic through VPN by client configuration

Post by navis83 » Fri Aug 07, 2020 11:00 am

For those who want to exclude all Internet traffic from the VPN gateway, but need to add one or more networks behind the VPN gateway (in my case 192.168.1.x and 192.168.10.x) to the client routes, this is possible through this client configuration change:

pull-filter ignore "redirect-gateway" # do not consider the server's redirect-gateway, to avoid sending all traffic through the VPN gateway
route 192.168.1.0 255.255.255.0 vpn_gateway # re-add the first network you need to reach from the client through the VPN gateway
route 192.168.10.0 255.255.255.0 vpn_gateway # re-add the second network you need to reach from the client through the VPN gateway

I hope it helps.

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: Don't route all traffic through VPN by client configuration

Post by pw44 » Fri Aug 07, 2020 11:25 am

Great. Can you please share the iptables config working for your setup?

flexmcmurphy
OpenVPN User
Posts: 26
Joined: Tue Nov 10, 2020 10:27 pm

Re: Don't route all traffic through VPN by client configuration

Post by flexmcmurphy » Tue Nov 24, 2020 11:12 pm

@navis83

Thank you so much for this help. It solved my problem. Your instructions were very clear and well explained!

Flex
