OpenVPN Support Forum

I currently have two wireless routers configured as OpenVPN clients tunneling to the same server running two OpenVPN service instances; router1 client tunnels only the private 10.11.0.0 network traffic, and router2 client tunnels all network traffic. With this setup, I can choose whether my wired/wireless devices get fully tunneled or not by choosing which router to connect to.

But I want to know whether I can have this same choice using only one router and OpenVPN client. My hope is that different routing rules would be chosen according to the gateway used by the wired/wireless device. The router1 has a LAN address (say 192.168.1.1) which is the gateway normally used by the wired/wireless devices, but the router1 also has an OpenVPN address (say 10.11.0.6) that can successfully be used as a gateway address by the wired/wireless device. Is it possible to write iptables rules such that *all* traffic coming to the OpenVPN gateway address 10.11.0.6 gets tunneled, but traffic coming to the 'regular' gateway 192.168.1.1 gets routed normally (tuneled only if the destination is the network 10.11.0.0)?

You could try two client configs on your client ..

one which redirects the default gateway - add to client config: and one which does not.

As far as I know, my wireless router (dd-wrt firmware) permits only one OpenVPN client config. But if the router permitted two simultaneous OpenVPN client connections, I would still be left with my original puzzle of how to choose either the fully-tunneled or partly-tunneled pathway from a wired/wireless device that is connecting to the router.

I think I am wanting to manually build the routing rules that would otherwise happen automatically with the "redirect-gateway" OpenVPN config line. And I am hoping that I can build the routing rules such that a wired/wireless device can choose whether or not to be fully-tunneled. Instead of my original idea of choosing different gateway addresses from the wired/wireless device, perhaps I could choose the source address: so any traffic from 192.168.1.248/29 gets fully-tunneled by the router while all other traffic gets partly-tunnneled.

Does anyone know the routing/iptables rules that are applied to the OpenVPN client when the "redirect-gateway" option is being used? Is it reasonable for me to attempt to mimic them manually?

cqfast wrote:Does anyone know the routing/iptables rules that are applied to the OpenVPN client when the "redirect-gateway" option is being used? Is it reasonable for me to attempt to mimic them manually?

OpenVPN does not manipulate iptables, however, you can mimic the actions of --redirect-gateway: See --redirect-gateway in The Manual v23x

cqfast wrote:so any traffic from 192.168.1.248/29 gets fully-tunneled by the router while all other traffic gets partly-tunnneled.

It might be possible to do this with iptables on the client router but I do not know how .. sorry.