Exempt the Local Network

Scripts that set up, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

MBNH
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 08, 2015 4:03 pm

Exempt the Local Network

Post by MBNH » Wed Jul 08, 2015 4:20 pm

A brief overview: all remote (OpenVPN) users run Windows 7 and have local networks in the 192.168.X.X or, rarely, 10.X.X.X range. All remote networks that these users are trying to get to are in the same ranges. They connect to the CentOS OVPN server which also has IPsec tunnels to these remote networks, with routing rules to get the users to those networks and back. I would like to route to the remote networks with

route 10.0.0.0 255.0.0.0
route 192.168.0.0 255.255.0.0

in the user's local client config file, but I would like to explicitly exempt their local network. Is there a way to tell OpenVPN not to route a particular address or subnet from within the .ovpn (config) file? The above works, but they usually lose the ability to print and scan to local printers and scanners.

alexs_yb
OpenVPN User
Posts: 31
Joined: Tue Apr 23, 2013 4:48 am

Re: Exempt the Local Network

Post by alexs_yb » Wed Jul 15, 2015 12:04 am

Hi

Something I do is use push from the server:

push "route a.b.c.d 255.255.255.255 10.172.202.1"

My problem is getting the client's original dgw into the script ...

alexs_yb
OpenVPN User
Posts: 31
Joined: Tue Apr 23, 2013 4:48 am

Re: Exempt the Local Network

Post by alexs_yb » Wed Jul 15, 2015 12:45 am

Found the answer:

https://community.openvpn.net/openvpn/w ... n23ManPage

Section "Environmental Variables".


So something like

# the gateway keyword in a route directive is net_gateway;
# route_net_gateway is the name of the environment variable exported to scripts
push "route 10.0.0.0 255.0.0.0 net_gateway"

should work.

MBNH
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 08, 2015 4:03 pm

Re: Exempt the Local Network

Post by MBNH » Wed Jul 15, 2015 1:40 pm

Thank you, but this is the opposite of what I want. I know how to route from within the config file on the client. I know how to push routes down from the server.

What I need is a way to EXEMPT a particular route. Specifically, the local network at the client site. For example, let's say a client's gateway were 10.10.10.211, and his local network were 10.20.30.0, and I want to route all 10.0.0.0 traffic down the VPN EXCEPT for his local network:

route 10.0.0.0 255.0.0.0 10.10.10.211 exempt 10.20.30.0 255.255.255.0

Obviously, that last bit is just polemical. What I need to know is how to exempt or exclude a range from the client's config, whether that config is local or pushed from the server.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Exempt the Local Network

Post by Traffic » Sat Aug 01, 2015 7:04 pm

MBNH wrote: his local network were 10.20.30.0, and I want to route all 10.0.0.0 traffic down the VPN EXCEPT for his local network:

route 10.0.0.0 255.0.0.0 10.10.10.211 exempt 10.20.30.0 255.255.255.0

Sounds like a subnet conflict :?:

MBNH
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 08, 2015 4:03 pm

Re: Exempt the Local Network

Post by MBNH » Mon Aug 03, 2015 1:47 pm

Traffic wrote: Sounds like a subnet conflict :?:

Exactly. Which is why I am trying to get an exemption: "route all traffic in THAT range except for THIS part of that range."

Is there a way to exempt a particular subnet regardless of other rules? Is there a way to exempt the local network, if it falls into the range you are pushing down the tunnel?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Exempt the Local Network

Post by Traffic » Mon Aug 03, 2015 6:01 pm

If your client LAN is 10.20.30.0/24 then that route will exist by default.
If you add a route for 10.0.0.0/8 over the VPN then it should just work ...

Have you tried it ?
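The exchange above turns on longest-prefix match: a /24 route for the client's own LAN is more specific than a pushed 10.0.0.0/8 and therefore wins, and a LAN that shares its addresses with a remote network cannot be exempted at all. The following added example (not code from this thread or from the OpenVPN project) models that on the client side. The `route` / `push "route ..."` lines use OpenVPN's documented directive syntax, where the gateway field may be an IP address or one of the literal keywords `vpn_gateway`, `net_gateway` (the pre-existing default gateway) or `remote_host`; the route selection itself is a plain longest-prefix-match model assumed to approximate what the client OS does, and the sample LAN and remote networks are constructed.

```python
"""Client-side model of the routing problem in this thread: a broad route over
the tunnel (10.0.0.0/8) versus the client's own LAN that lies inside that range.

Added example for illustration only; it is not code from this thread or from the
OpenVPN project. Route lines use OpenVPN's documented directive syntax, in which
the gateway field may be an IP address or one of the literal keywords
vpn_gateway, net_gateway (the pre-existing default gateway) or remote_host.
Route selection is modelled as plain longest-prefix match, assumed here to be
how the client OS picks among the routes OpenVPN adds.
"""
import ipaddress
from dataclasses import dataclass

GATEWAY_KEYWORDS = ("vpn_gateway", "net_gateway", "remote_host")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str  # IP address or one of GATEWAY_KEYWORDS


def parse_route_directive(line):
    """Parse `route NET MASK [GW]` or `push "route NET MASK [GW]"` into a Route.

    The gateway defaults to vpn_gateway, as in OpenVPN. A gateway that is
    neither a keyword nor an IP address is rejected: `route_net_gateway` is the
    environment variable OpenVPN exports to scripts, not a valid gateway field.
    """
    text = line.strip()
    if text.startswith("push"):
        text = text[len("push"):].strip().strip('"')
    parts = text.split()
    if len(parts) < 3 or parts[0] != "route":
        raise ValueError(f"not a route directive: {line!r}")
    gateway = parts[3] if len(parts) > 3 else "vpn_gateway"
    if gateway not in GATEWAY_KEYWORDS:
        ipaddress.IPv4Address(gateway)  # ValueError for anything that is not an IP
    return Route(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}"), gateway)


def is_valid_route_directive(line):
    """True if the line parses and its gateway field is a keyword or an IP."""
    try:
        parse_route_directive(line)
    except ValueError:
        return False
    return True


def exemption_directive(lan):
    """Route line that pins the client's LAN to its local default gateway.

    Being more specific than the /8, it wins longest-prefix match whether it is
    placed in the client .ovpn or sent with push "..." from the server.
    """
    net = ipaddress.IPv4Network(lan)
    return f"route {net.network_address} {net.netmask} net_gateway"


def build_table(directives):
    """Routes the given directives add on the client. Nothing else is assumed:
    whether the OS's own connected LAN route wins is what the thread disputes."""
    return [parse_route_directive(d) for d in directives]


def lookup(table, dst):
    """Longest-prefix match; returns the chosen gateway, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen).gateway


def shadowed_remote_networks(lan, remote_networks):
    """Remote networks (behind the server's IPsec tunnels) that overlap the LAN.

    Exempting the LAN makes every destination in such an overlap unreachable via
    the VPN: two networks using the same addresses are a genuine conflict that
    no route directive can resolve; only renumbering one side can.
    """
    lan_net = ipaddress.IPv4Network(lan)
    return [r for r in remote_networks if ipaddress.IPv4Network(r).overlaps(lan_net)]


if __name__ == "__main__":
    # Constructed sample: the thread's /8 route plus an exemption for a 10.20.30.0/24 LAN.
    lan = "10.20.30.0/24"
    table = build_table(['push "route 10.0.0.0 255.0.0.0"', exemption_directive(lan)])
    for dst in ("10.20.30.5", "10.50.1.7"):
        print(f"{dst} -> {lookup(table, dst)}")
    print("conflicts:", shadowed_remote_networks("192.168.1.0/24",
                                                 ["192.168.1.0/24", "192.168.5.0/24"]))
```

With only the /8 directive present, a LAN printer at 10.20.30.5 resolves to `vpn_gateway`; once the exemption line is added it resolves to `net_gateway` while 10.50.1.7 still goes over the tunnel. The conflict check is the caveat: if the remote side also uses 192.168.1.0/24, the exemption hides that remote network entirely, which is the "subnet conflict" case and not something any `route` option can fix.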

MBNH
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 08, 2015 4:03 pm

Re: Exempt the Local Network

Post by MBNH » Mon Aug 03, 2015 8:39 pm

Traffic wrote: If your client LAN is 10.20.30.0/24 then that route will exist by default.
If you add a route for 10.0.0.0/8 over the VPN then it should just work ...

Have you tried it ?

Yes, that's what led to this post. They don't just work. The same settings under XP worked flawlessly, but since we moved to the latest client and Win 7, things haven't gone as well. Anyway, yes, the users are finding that they cannot use local printers/scanners/devices while VPNed into work. They have to disconnect the VPN. This is a many-to-many setup, so there are resources on the other side of the server that can overlap their local IP addressing scheme: client sites that the OpenVPN server also supports, which have IPsec tunnels with networks like 192.168.1.0/24. I was hoping to cure it with some "exempt" parameter, if it even exists.
