Different routing for different users

[gjf]

Hi All.

I have the following network configuration and task:

1. Network A and Network B should see one each other.
2. Network A should have internet access through Router, not VPN.
3. Network B should have internet access (does not matter how really).
4. Router acts as gateway, DHCP and DNS for Network A.

This task was easily solved using OpenVPN with client-config-dir for different users (routing was set for each individually)

Now the VPN is OpenVPN AS and I have a problem because I cannot find client-config-dir implementation in it.

So the only I found is manually edit clien.ovpn adding two lines:

Code: Select all

pull-filter ignore redirect-gateway
route 172.27.224.0 255.255.240.0

I don't like this approach as it makes necessary to edit client config files manually.

Is there any other way to implement client-config-dir functionality in OpenVPN AS? I really miss this feature from free product.

[openvpn_inc]

Hello gjf,

It seems like Network A can be served with the VPN client gateway functionality in User Permissions through the connected VPN client on the router on the left that's connected to the central VPN server. This functionality is used (double) in our site-to-site guide here, if you want to learn how to do that:
https://openvpn.net/vpn-server-resource ... in-detail/

Code: Select all

pull-filter ignore redirect-gateway
route 172.27.224.0 255.255.240.0

From this I see that you have Internet redirection turned on, and then you turn it off on the client, and then implement a custom route. But if I understand your diagram correctly, that custom route is actually your VPN client subnet. You do not need to push a route for that. That is automatic.

My recommendation would be to turn off Internet redirection in the Admin UI of the Access Server under VPN Settings, so you do not need to use the pull-filter. And to take a look at our site-to-site guide and set up the settings for the user permissions in Access Server for the user account that is connecting the router on the left for that type of connectivity.

I get the feeling that it works for you but only kind of by accident by just redirecting all traffic, and then slapping some patches on the client side, to solve some unwanted behavior. I would suggest trying to set things up where the router on the left is a VPN client gateway to subnet 192.168.111.0/24, and on the Access Server go to VPN Settings > All access to private subnets > yes, using routing > 192.168.111.0/24 and allow VPN clients to access private subnets.

Kind regards,
Johan

[gjf]

Hi Johan,
Thanks for your answer. My remarks are below:

You do not need to push a route for that. That is automatic.

This is how it is performed on PC:

Code: Select all

Wed Feb 24 20:47:34 2021 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.232.0/172.27.232.2/255.255.252.0 [SUCCEEDED]
Wed Feb 24 20:47:34 2021 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.27.232.2/255.255.252.0 on interface {E724CDB6-830E-4BC2-9B76-5716FF2297AA} [DHCP-serv: 172.27.235.254, lease-time: 31536000]
Wed Feb 24 20:47:34 2021 Successful ARP Flush on interface [25] {E724CDB6-830E-4BC2-9B76-5716FF2297AA}

The problem is some basic home routers have no TAP/TUN drivers and pushed routes do not work.
That's why I have added a manual push command.

In fact, I have created a separate route for this specific router to avoid it's connection to Internet thru OpenVPN AS.

My recommendation would be to turn off Internet redirection in the Admin UI of the Access Server under VPN Settings

Once I do it, I will lost a possibility to transfer all traffic from Network B thru VPN server. That was also a key requirement for me (and was not in your site-to-site guide that aimed to connect two subnets together only and does not care about Internet access).

I've tried to play with Group Permissions - Access Control with Internet direction turned off with the aim to allow this Internet connection for users from Network B. However adding 0.0.0.0/0 to "Allow Access To networks and services" did not make sense, all clients from Network B can connect to Network A, but have a direct access to Internet, not thru VPN server possibly because of higher metrics.

[openvpn_inc]

Hello,

I understand, you have a unique situation that is not covered by our normal use-cases. So some manual messing around might be needed. I still think it can be done without messing with client and server config directives manually. Perhaps the information in this reply provides you with 2 ways to achieve what you want.

I am writing this sentence just so future readers understand: the information below is NOT the way you are normally supposed to do things with Access Server. But in your specific case, you can go to VPN Settings and then Advanced VPN and input parameters that can be embedded in client config files when they are generated on the Access Server, or pushed by the server when a client connects. Again this is in almost all cases never necessary, but in your unique situation, it seems the most elegant way. To convert those 2 settings to values in Server Config Directives and Client Config Directives you can do this:

Server config directives:

Code: Select all

push "route 172.27.224.0 255.255.240.0"

Client config directives:

Code: Select all

pull-filter ignore redirect-gateway

Please note that if you make a mistake with the server config directives, you will end up crashing your Access Server. To resolve that you can use the command line to remove the entries in the server config directives and restart AS and then try again.

To remove incorrect server config directives run these commands as root user:

Code: Select all

/usr/local/openvpn_as/scripts/sacli --key "vpn.server.config_text" ConfigDel
/usr/local/openvpn_as/scripts/sacli start

Regarding this part:

However adding 0.0.0.0/0 to "Allow Access To networks and services" did not make sense, all clients from Network B can connect to Network A, but have a direct access to Internet, not thru VPN server possibly because of higher metrics.

Yes that would create a conflict route between your default gateway and what the VPN adapter wants to get routed. They'll be at the same subnet size in the routing table, and then only the routing metric will decide the winner here. It is better to use 0.0.0.0/1 and 128.0.0.0/1. Those two together is the same subnet space as 0.0.0.0/1 but because smaller subnets win over bigger ones the 2 smaller ones will naturally win without competing with the default gateway rule.

I hope that helps.

Kind regards,
Johan

[gjf]

Hi!

The first way is really dangerous and it won't work in my case: if I put "pull-filter ignore redirect-gateway" for all clients I will have to make a manual routes for Network B because otherwise Internet will not go thru VPN. Unfortunately Server Config Directives and Client Config Directives are general and cannot be divided by groups or users.

But the second way is really brilliant. Thank you very much for 0.0.0.0/1+128.0.0.0/1 - it works like a charm and now I am able to achieve whet I want without manual client config editing!

I understand, you have a unique situation that is not covered by our normal use-cases.

Frankly speaking it is not very specific situation: the same happens when one wants to connect different offices together (Network A) and make all employees to work remotely under VPN only because of security reasons (Network A).

As I already told on OpenVPN (not Access Server) it was easily solved using client-config-dir implementation with placing routing tables for every user in a separate files in /etc/openvpn/ccd.

Access Server has a different approach and it was not easy to find it as you can see.

However we won

[openvpn_inc]

Alright, glad to hear it.

Have a nice day,
Johan