OpenVPN Support Forum

Hello Community,

i have a sophos Firewall, and want to configure a split tunnel for O365 at the client.
Unfortunately i can not add multiple routes at the client side. Only the last route is added to the routing.

Here is a part of my Client Config File:

max-routes 100
route-nopull
route remote_host 255.255.255.255 net_gateway
; Alles außer O365 Server über vpn_gateway


;route 0.0.0.0 128.0.0.0 vpn_gateway
;route 128.0.0.0 128.0.0.0 vpn_gateway
route 104.146.128.0 255.255.128.0 net_gateway
route 13.107.128.0 255.255.252.0 net_gateway
route 13.107.136.0 255.255.252.0 net_gateway
route 13.107.18.10 255.255.255.254 net_gateway
route 13.107.6.152 255.255.255.254 net_gateway
route 13.107.64.0 255.255.192.0 net_gateway
route 131.253.33.215 255.255.255.255 net_gateway
route 132.245.0.0 255.255.0.0 net_gateway
route 150.171.32.0 255.255.252.0 net_gateway
route 150.171.40.0 255.255.252.0 net_gateway
route 204.79.197.215 255.255.255.255 net_gateway
route 23.103.160.0 255.255.240.0 net_gateway
route 40.104.0.0 255.254.0.0 net_gateway
route 40.108.128.0 255.255.128.0 net_gateway
route 40.96.0.0 255.248.0.0 net_gateway
route 52.104.0.0 255.252.0.0 net_gateway
route 52.112.0.0 255.252.0.0 net_gateway
route 52.96.0.0 255.252.0.0 net_gateway
route 52.120.0.0 255.252.0.0 net_gateway

And here is the result:
As i set the 52.96.0.0 routes as last route - this one is added to the routing list.

IPv4-Routentabelle
===========================================================================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.168.3 192.168.168.79 35
0.0.0.0 128.0.0.0 192.168.174.1 192.168.174.6 258
52.120.0.0 255.252.0.0 192.168.168.3 192.168.168.79 291
127.0.0.0 255.0.0.0 Auf Verbindung 127.0.0.1 331
127.0.0.1 255.255.255.255 Auf Verbindung 127.0.0.1 331
127.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 331
128.0.0.0 128.0.0.0 192.168.174.1 192.168.174.6 258
192.168.168.0 255.255.255.0 Auf Verbindung 192.168.168.79 291
192.168.168.79 255.255.255.255 Auf Verbindung 192.168.168.79 291
192.168.168.255 255.255.255.255 Auf Verbindung 192.168.168.79 291
192.168.174.0 255.255.255.0 Auf Verbindung 192.168.174.6 258
192.168.174.6 255.255.255.255 Auf Verbindung 192.168.174.6 258
192.168.174.255 255.255.255.255 Auf Verbindung 192.168.174.6 258
212.185.58.181 255.255.255.255 192.168.168.3 192.168.168.79 291
224.0.0.0 240.0.0.0 Auf Verbindung 127.0.0.1 331
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.174.6 258
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.168.79 291
255.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 331
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.174.6 258
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.168.79 291
===========================================================================

Is this a bug? In the Manual i found, that i can add multiple routes!
Can there be a max-route option on the server which is first taken?

Yours sincerely

Rainer

rainer@schmidles.de wrote: ↑

Wed Apr 13, 2022 7:32 pm

want to configure a split tunnel for O365 at the client

M$ do not allow this.

Hello TinCanTech,

sorry, i do not understand? Who is M$? Microsoft? Microsoft recommends Split Tunnel for O365.
The question is: how can i implement this with OpenVPN?

Microshaft Orrifice will not use your VPN because Microshaft cheat .. so you don't need a split tunnel.


As for adding routes, you can add all the routes you like, doesn't mean they work.

And you obviously have not read your log files for errors.

With Open VPN Access Server it is also possible!?

Split-Tunneling with Access Server
OpenVPN Access Server provides a split tunneling option for any situation requiring an increased number of VPN users. For detailed instructions on setting up split-tunneling on your Access Server, see our resource: Understanding how split tunneling works with OpenVPN Access Server

Do what-ever you like and then watch as M$ O365 does something else..

Hello TinCanTech,

i always read my logfile

In my Logfile from Sophos Connect there is only one "Route add" command for the last entry of my route list. The other configured routes are ignored:

Thu Apr 14 14:22:41 2022 tap-windows6 device [Ethernet] opened
Thu Apr 14 14:22:41 2022 TAP-Windows Driver Version 1.0
Thu Apr 14 14:22:41 2022 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.174.0/192.168.174.3/255.255.255.0 [SUCCEEDED]
Thu Apr 14 14:22:41 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.174.3/255.255.255.0 on interface {A75A52DB-C26C-426E-9443-D907424997D6} [DHCP-serv: 192.168.174.254, lease-time: 31536000]
Thu Apr 14 14:22:41 2022 Successful ARP Flush on interface [17] {A75A52DB-C26C-426E-9443-D907424997D6}
Thu Apr 14 14:22:41 2022 MANAGEMENT: >STATE:1649938961,ASSIGN_IP,,192.168.174.3,,,,
Thu Apr 14 14:22:45 2022 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Thu Apr 14 14:22:45 2022 C:\WINDOWS\system32\route.exe ADD 212.185.58.181 MASK 255.255.255.255 192.168.178.1
Thu Apr 14 14:22:45 2022 Route addition via service succeeded
Thu Apr 14 14:22:45 2022 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.174.1
Thu Apr 14 14:22:45 2022 Route addition via service succeeded
Thu Apr 14 14:22:45 2022 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.174.1
Thu Apr 14 14:22:45 2022 Route addition via service succeeded
Thu Apr 14 14:22:45 2022 MANAGEMENT: >STATE:1649938965,ADD_ROUTES,,,,,,
Thu Apr 14 14:22:45 2022 C:\WINDOWS\system32\route.exe ADD 52.120.0.0 MASK 255.252.0.0 192.168.178.1
Thu Apr 14 14:22:45 2022 Route addition via service succeeded
Thu Apr 14 14:22:45 2022 C:\WINDOWS\system32\route.exe ADD 212.185.58.181 MASK 255.255.255.255 192.168.178.1
Thu Apr 14 14:22:45 2022 ROUTE: route addition failed using service: Das Objekt ist bereits vorhanden. [status=5010 if_index=6]
Thu Apr 14 14:22:45 2022 Route addition via service failed
Thu Apr 14 14:22:45 2022 Initialization Sequence Completed
Thu Apr 14 14:22:45 2022 MANAGEMENT: >STATE:1649938965,CONNECTED,SUCCESS,192.168.174.3,212.185.58.181,995,192.168.178.51,65102

rainer@schmidles.de wrote: ↑

Thu Apr 14, 2022 12:26 pm

i always read my logfile

Then you can see the error ..

Maybe i am blind
For me, the next step in the routing list should be for example
route.exe ADD 52.96.0.0 MASK 255.252.0.0 192.168.178.1, and not a
route.exe ADD 212.185.58.181 (VPN Gateway) MASK 255.255.255.255 192.168.178.1 (net_gateway)
(which fails, because it is already in the routing list)

also when openvpn takes the routes from up to down the first route add command from my O365 Range should be 104.146.128.0 MASK 255.255.128.0 ???

The only route add command from the O365 Range is allways the last route entry from my list.

Yours sincerely

Rainer

The script you run for routing is not logged in the VPN log file.

Hello TinCanTech,

you are right. I have done a few more tests today.
The problem is definitely the App Sophos Connect. If i start openvpn --config [File] the routes were established.
If i import the profile to Sophos Connect only the last route is established. It seems, that Sophos Connect filters the profile

Yours sincerely

Rainer