Don't route all traffic through VPN by client configuration
Posted: Wed Dec 19, 2018 6:01 pm
by samb
Hello,
I have an OpenVPN server set up at home on my local LAN. I use the OpenVPN client on iOS and Windows to connect to my VPN side LAN and also route Internet traffic through the VPN tunnel.
But sometimes I don't want the Internet traffic to route through the tunnel. So on the client I have created two OpenVPN profiles. By default all traffic is sent to the tunnel. And to the config that I want to use only for accessing the VPN side LAN I have added this:
The config without this works as expected. I can access the VPN side LAN and the Internet through the home gateway.
These are my configurations!
Server Config
port 123
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.55.1"
push "dhcp-option DOMAIN example.com"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
Client Config
client
dev tun
proto udp
remote example.com 123
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
pull-filter ignore "redirect-gateway"
CERT AND KEYS STRIPPED...
When using the above client config I cannot access VPN side LAN or Internet via VPN. But when skipping
I can access the VPN side LAN and the Internet. The local VPN side LAN DNS is used so I can access server.example.com on my home network.
Note when using the config to not route Internet traffic I also want to be able to use VPN side LAN DNS for *.example.com domains, but client side DNS for other domains on Internet.
Please help me out with advice here.
I could set up two different VPN servers with different push directives, but that's not an ideal solution for me.
Thanks!
//Sam
Re: Don't route all traffic through VPN by client configuration
Posted: Thu Dec 20, 2018 10:18 pm
by samb
For reference I solved it by adding any of the following lines (according to what I want to filter out from my client)
You should remove pull-filter ignore "redirect-gateway" and you can use your DNS and connect to your LAN as normal, but everything else will go as client local traffic.
I used this one to VPN to connect only to my DNS server at home to block ads and Google ads, and it works well and all ads have been blocked by my DNS at home.
Re: Don't route all traffic through VPN by client configuration
You should remove pull-filter ignore "redirect-gateway" and you can use your DNS and connect to your LAN as normal, but everything else will go as client local traffic.
I used this one to VPN to connect only to my DNS server at home to block ads and Google ads, and it works well and all ads have been blocked by my DNS at home.
Thank you.
But I tried this, and it's not working. However, I think the Windows 10 OpenVPN client I am using doesn't even see these (and all other tried) changes to the config.
I don't see the routes changed either.
You know, when changes have been made, it shows the prompt to verify the config. This prompt only happens so far if I comment something out with #.
In the verify prompt "# This is comment" would show up, but not "route 0.0.0.0 192.0.0.0 10.1.10.1" or others like "route-nopull".
So what on earth is happening, I wonder now; what can make it not see this.
I should/will try to modify it on a Linux client.
Re: Don't route all traffic through VPN by client configuration
You should remove pull-filter ignore "redirect-gateway" and you can use your DNS and connect to your LAN as normal, but everything else will go as client local traffic.
I used this one to VPN to connect only to my DNS server at home to block ads and Google ads, and it works well and all ads have been blocked by my DNS at home.
OK. So in Linux this worked for me; Windows client, nope. Thanks. Will try and home in on the Windows issues.
Re: Don't route all traffic through VPN by client configuration
Posted: Tue Sep 24, 2019 9:32 pm
by 300000
You need to run it with administrator rights so it can add to or remove from the routing table.
Re: Don't route all traffic through VPN by client configuration
You need to run it with administrator rights so it can add to or remove from the routing table.
Thanks.
Yes, that, and I think I was using the wrong client program. Maybe I didn't realize there were different versions. I had the one that installs as "OpenVPN Connect"; now I am using the "OpenVPN GUI".
Though, to me, I thought that in the end they should function the same, but to me they don't. It was the version I could download through the OpenVPN Access Server user portal, which I am trying out, but I needed the other.
I guess maybe... maybe it's a feature of "OpenVPN Connect" that users can't tamper with their config, that there is some check.
So I got it solved. It works with what you wrote!
Re: Don't route all traffic through VPN by client configuration
Posted: Fri Aug 07, 2020 11:00 am
by navis83
For those who want to exclude all Internet traffic from the VPN Gateway, but need to include one or more networks (in my case 192.168.1.x and 192.168.10.x) behind the VPN Gateway in the client routes, this is possible through this client configuration change:
pull-filter ignore "redirect-gateway" # does not consider the server redirect-gateway, in order to avoid all traffic going through the VPN Gateway
route 192.168.1.0 255.255.255.0 vpn_gateway # re-add the first network you need to reach from the client through the VPN Gateway
route 192.168.10.0 255.255.255.0 vpn_gateway # re-add the second network you need to reach from the client through the VPN Gateway
I hope it helps.
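To make the difference between the client variants in this thread concrete (the plain client, pull-filter ignore "redirect-gateway" alone, pull-filter plus explicit route lines as above, and route-nopull), here is an added Python model of the client-side option filtering. It is example code written for this thread, not OpenVPN's own parser: it only imitates two documented client behaviours, namely that pull-filter matches pushed options by prefix with the first matching filter winning and accept as the default, and that route-nopull accepts pushed options except routes, redirect-gateway, dhcp-option and block-outside-dns. The config texts, the def1 route expansion and the summary format are constructed for the example; the pushed lines are the ones from the server config posted above.

```python
"""Simplified model of OpenVPN client-side pull filtering (example code, not OpenVPN's code)."""
import shlex

# Constructed sample server config: only the push lines matter for this model.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.55.1"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
"""

CLIENT_BASE = """\
client
dev tun
proto udp
remote example.com 123
remote-cert-tls server
"""

# The client variants discussed in the thread (constructed from the posts).
CLIENT_FULL = CLIENT_BASE
CLIENT_IGNORE = CLIENT_BASE + 'pull-filter ignore "redirect-gateway"\n'
CLIENT_SPLIT = CLIENT_IGNORE + (
    "route 192.168.1.0 255.255.255.0 vpn_gateway\n"
    "route 192.168.10.0 255.255.255.0 vpn_gateway\n"
)
CLIENT_NOPULL = CLIENT_BASE + "route-nopull\n"

# Option classes that route-nopull discards even though the server pushed them.
ROUTE_NOPULL_DROPS = ("route", "route-ipv6", "redirect-gateway", "dhcp-option", "block-outside-dns")


def parse_config(text):
    """Turn config text into (directive, [args]) tuples; '#' and ';' start comments."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # also strips a trailing '# ...'
        if parts:
            options.append((parts[0], parts[1:]))
    return options


def pushed_options(server_cfg):
    """Options the server pushes, parsed the same way as a config line."""
    return [parse_config(args[0])[0] for d, args in server_cfg if d == "push" and args]


def apply_pull_filters(pushed, client_cfg):
    """Return (kept, dropped): pushed options the client accepts and the text it ignores."""
    filters = [(a[0], a[1]) for d, a in client_cfg if d == "pull-filter" and len(a) == 2]
    nopull = any(d == "route-nopull" for d, _ in client_cfg)
    kept, dropped = [], []
    for directive, args in pushed:
        text = " ".join([directive] + args)
        verdict = "accept"                      # implicit accept-all at the end of the list
        for action, prefix in filters:
            if text.startswith(prefix):        # first match wins
                verdict = action
                break
        if verdict == "reject":
            raise ValueError("rejected pushed option: " + text)  # a real client disconnects
        if verdict == "ignore" or (nopull and directive in ROUTE_NOPULL_DROPS):
            dropped.append(text)
        else:
            kept.append((directive, args))
    return kept, dropped


def effective_routes(client_cfg, kept):
    """Routes the client installs, from its own config plus the kept pushed options."""
    routes = []
    for directive, args in list(client_cfg) + list(kept):
        if directive == "route" and len(args) >= 2:
            gateway = args[2] if len(args) > 2 else "vpn_gateway"
            routes.append((args[0], args[1], gateway))
        elif directive == "redirect-gateway":
            if "def1" in args:
                # def1 overrides the default route with two more-specific halves
                routes.append(("0.0.0.0", "128.0.0.0", "vpn_gateway"))
                routes.append(("128.0.0.0", "128.0.0.0", "vpn_gateway"))
            else:
                routes.append(("0.0.0.0", "0.0.0.0", "vpn_gateway"))
    return routes


def summarize(server_text, client_text):
    """Describe what a client config ends up with after the server's pushes."""
    client_cfg = parse_config(client_text)
    kept, dropped = apply_pull_filters(pushed_options(parse_config(server_text)), client_cfg)
    routes = effective_routes(client_cfg, kept)
    full_tunnel = any(net == "0.0.0.0" for net, _, _ in routes)
    return {
        "mode": "full-tunnel" if full_tunnel else "split-tunnel",
        "routes": routes,
        "dns": [a[1] for d, a in kept if d == "dhcp-option" and a[:1] == ["DNS"]],
        "domains": [a[1] for d, a in kept if d == "dhcp-option" and a[:1] == ["DOMAIN"]],
        "dropped": dropped,
    }


if __name__ == "__main__":
    for name, cfg in [("full", CLIENT_FULL), ("ignore", CLIENT_IGNORE),
                      ("split", CLIENT_SPLIT), ("nopull", CLIENT_NOPULL)]:
        print(name, summarize(SERVER_CONF, cfg))
```

The model shows why the route lines above are needed: pull-filter ignore "redirect-gateway" drops only the pushed default route, so the pushed DNS server and DOMAIN survive but no route into the home LAN exists until the client adds its own, whereas route-nopull also discards the pushed dhcp-option lines, which loses the VPN side DNS asked about earlier in the thread. Whether the operating system then does per-domain DNS for *.example.com is decided by the client platform, not by these directives.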
Re: Don't route all traffic through VPN by client configuration
Posted: Fri Aug 07, 2020 11:25 am
by pw44
Great. Can you please share the iptables config working for your setup?
Re: Don't route all traffic through VPN by client configuration
Posted: Tue Nov 24, 2020 11:12 pm
by flexmcmurphy
@navis83
Thank you so much for this help. It solved my problem. Your instructions were very clear and well explained!