Newbie question - Split tunneling

Posted: Tue May 04, 2021 1:38 am
by mikegaum
Hello,

Could someone give me a hint on how to achieve the following:

I would like users to access the corporate network via split tunneling to reduce traffic while still having access to the Internet for everything else.

Problem is, I have a few public IP ranges that are only accessible from the corporate network.

Example :

- My VPN range is 172.27.40.0/24
- The VPN Gateway is 172.27.40.1
- My corporate network is 10.10.10.0/24
- My OpenVPN corporate network address is 10.10.10.10
- The public IP range I'm trying to reach is 66.66.66.66/29

Obviously, my knowledge in networking is limited. How should I proceed?

Thank you,

Mike

Re: Newbie question - Split tunneling

Posted: Tue May 04, 2021 1:41 am
by TinCanTech
mikegaum wrote:
Tue May 04, 2021 1:38 am
How should I proceed?
Learn how to do your job ..

Re: Newbie question - Split tunneling

Posted: Tue May 04, 2021 3:34 am
by mikegaum
TinCanTech wrote:
Tue May 04, 2021 1:41 am
mikegaum wrote:
Tue May 04, 2021 1:38 am
How should I proceed?
Learn how to do your job ..
Really?

I won't try to justify why I'm asking, but that's a poor response.

EDIT : When I try to add the following route to my client :

route add 66.66.66.66 mask 255.255.255.224 172.27.40.1

It seems to be stuck on 172.27.40.1 when trying to contact the 66.66.66.66 network.

Re: Newbie question - Split tunneling

Posted: Tue May 04, 2021 2:21 pm
by chilinux
With OpenVPN AS, you should not be modifying the client ovpn configuration file or modifying the server iptables directly. It is intended that you do everything either through the admin web portal or using sacli.

The settings you are looking for are in the admin portal; go to Configuration -> VPN Settings

Then to enable split tunneling change to No the following setting:
"Should client Internet traffic be routed through the VPN?"

To add subnets to be routed through the VPN, go to:
Specify the private subnets to which all clients should be given access (one per line)

The term "private subnets" might be a little confusing. They are using the term only to mean ones in which the traffic is kept private via the VPN tunnel. This is not the same as RFC 1918 private address spaces. You can include 66.66.66.64/27 in this setting.

Once you have made the changes, make sure you click the "Save Settings" button and confirm restarting the OpenVPN AS service.

You should then go back to the customer web portal and download the updated configuration file.
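
An added example, not part of the post above and not OpenVPN AS code: a Python check, using only the standard `ipaddress` module, that aligns the ranges mentioned in this thread to network boundaries and shows which destinations would be sent through the tunnel once split tunneling is on. The function names and the test destinations (66.66.66.70, 66.66.66.80, 8.8.8.8) are assumptions made for illustration.

```python
import ipaddress


def normalize_subnets(entries):
    """Return (networks, notes) for a list of CIDR strings.

    notes lists every entry whose address had host bits set, together
    with the aligned network it was reduced to.
    """
    networks, notes = [], []
    for entry in entries:
        iface = ipaddress.ip_interface(entry.strip())
        if iface.ip != iface.network.network_address:
            notes.append(f"{entry.strip()} -> {iface.network}")
        networks.append(iface.network)
    return networks, notes


def mask_to_network(address, netmask):
    """Convert an address plus dotted netmask (as used by 'route add') to CIDR."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def uses_tunnel(destination, networks):
    """True if the destination falls inside one of the routed subnets.

    With split tunneling enabled, anything else leaves the client
    directly and is not protected by the VPN.
    """
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Ranges as written in the thread; the destinations below are constructed.
    nets, notes = normalize_subnets(["10.10.10.0/24", "66.66.66.66/29"])
    for note in notes:
        print("not network-aligned:", note)
    # The mask used in the client-side 'route add' test is a /27, not a /29.
    print("route add mask covers:", mask_to_network("66.66.66.66", "255.255.255.224"))
    for dest in ("10.10.10.10", "66.66.66.70", "66.66.66.80", "8.8.8.8"):
        path = "VPN tunnel" if uses_tunnel(dest, nets) else "direct"
        print(f"{dest:>12} -> {path}")
```
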

Re: Newbie question - Split tunneling

Posted: Tue May 04, 2021 3:33 pm
by mikegaum
I was pushing the route directly on the client for testing purposes.

Indeed, I thought "Private Subnets" meant internal corporate networks, which is why those are working as intended at the moment.

Will try this as soon as possible.

Thanks for the support!

EDIT : Works great... feel bad for not trying it sooner.

Thanks!