
I am trying to enable split tunneling with my VPN network. I am using OpenVPN to host my VPN network and have followed the steps to get split tunneling working; however, my clients still get the 0.0.0.0 {VPN local address} push.

Here is my server.conf file on the OpenVPN server, which has a real public interface with a real IP.

port 1194
proto udp
dev tun
#ssl stuff
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/dh2048.pem
#server statement and subnet for VPN IPs /24 for simplicity
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # for persistent IPing of VPN clients
push "route-nopull"
push "route 172.16.0.11 255.255.255.255 vpn_gateway" #internal node I want VPN clients to have access to
push "route 172.16.0.3 255.255.255.255 vpn_gateway" #internal node I want VPN clients to have access to
push "dhcp-option DNS 172.16.0.3" # so VPN clients use internal dns for resolution
client-to-client
[rest of config omitted]

Client's route table, where 172.16.250.10 is the client's VPN address, {publicIP} is the public IP of the client's network, and {localIP} is the local IP (such as 192.168.x.x) of the local network it is on, not the VPN.

Destination      Gateway        Genmask         Flags
0.0.0.0          10.0.0.10      0.0.0.0         UG
{publicIP}       {localIP}      255.255.255.255 UGH
10.0.0.0         10.0.0.10      255.255.255.0   Ug
10.0.0.10        0.0.0.0        255.255.255.255 UH   # don't really understand this statement
172.16.0.3       10.0.0.10      255.255.255.255 UGH  #from push command in server.conf
172.16.0.11      10.0.0.10      255.255.255.255 UGH  #from push command in server.conf
{client's localSubnet}    0.0.0.0        255.255.255.0   U

iptables on the OpenVPN box; this box has the public interface used to accept incoming OpenVPN requests.

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.0.0.0/24      172.16.0.3          /* Allow VPN IPs to connect to the internal DNS for resolution */
ACCEPT     all  --  10.0.0.0/24      172.16.0.11         /* Allows VPN IPs to connect to homeserver */

I believe these are the only configs involved with VPN connectivity in my setup. So I am a little confused, since my VPN clients receive the explicit push statements into their route tables; however, clients still cannot use their local gateway for IP requests not destined for the 10.0.0.0/24 or 172.16.0.0/24 networks.

Thank you for the help and time in advance.

-Jim


1 Answer


I've done something similar recently.
But as I have to choose between redirecting all traffic and only the VPN traffic, I have configured it in the client.ovpn file.
So I have 2 files: one to redirect all traffic through the VPN (unsecured networks) and another for split tunneling (secure networks).

I only add the following lines in client.ovpn.

Method 1:

Add this line to the client.conf file or add --route-noexec on the openvpn command line:

route-noexec

(Client's Route table with this option)

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    302    0        0 wlan0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     302    0        0 wlan0

And curl ipinfo.io shows real client location.


Method 2:

Add these lines to the client.conf file:

route-nopull
route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     128.0.0.0       UG    0      0        0 wlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG    302    0        0 wlan0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       192.168.1.1     128.0.0.0       UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     302    0        0 wlan0

And curl ipinfo.io shows real client location.


Your Case.

If you add these lines to the client.conf file:

route-nopull
route 172.16.0.11 255.255.255.255 vpn_gateway
route 172.16.0.3 255.255.255.255 vpn_gateway
route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway

I tested it on one of my clients and:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     128.0.0.0       UG    0      0        0 wlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG    302    0        0 wlan0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       192.168.1.1     128.0.0.0       UG    0      0        0 wlan0
172.16.0.3      10.8.0.1        255.255.255.255 UGH   0      0        0 tun0
172.16.0.11     10.8.0.1        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     302    0        0 wlan0

And curl ipinfo.io shows real client location.

Em50L
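The answer's Method 2 works because the kernel chooses routes by longest prefix match: two /1 routes (0.0.0.0/1 and 128.0.0.0/1) pointing at the LAN gateway are each more specific than the /0 default the server pushes, so together they cover the whole IPv4 space without deleting that default, while the pushed /32 host routes are more specific still and keep going through tun0 (route-nopull is a client-side option, which is why it has to live in client.conf rather than in a server push). The following Python script is an added example, not code from the question or the answer: it parses the `route -n` format shown above, performs the same longest-prefix lookup the kernel does, and reports which interface a given destination would leave through. The first table is copied from the answer's "Your Case" output; the second (full-tunnel) table is a constructed assumption of what the same client looks like when it accepts the server's default route. The function names, the probe addresses and the `is_split_tunnel` check are this example's own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample, copied from the answer's "Your Case" route -n output:
# the split-tunnel state, where two /1 routes point at the LAN gateway.
SPLIT_TUNNEL_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     128.0.0.0       UG    0      0        0 wlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG    302    0        0 wlan0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       192.168.1.1     128.0.0.0       UG    0      0        0 wlan0
172.16.0.3      10.8.0.1        255.255.255.255 UGH   0      0        0 tun0
172.16.0.11     10.8.0.1        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     302    0        0 wlan0
"""

# Constructed sample (an assumption, not output from the page): the same
# client when it accepts the server's default route, i.e. the questioner's
# "0.0.0.0 via the VPN gateway" situation.
FULL_TUNNEL_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        0.0.0.0         UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    302    0        0 wlan0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
172.16.0.3      10.8.0.1        255.255.255.255 UGH   0      0        0 tun0
172.16.0.11     10.8.0.1        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     302    0        0 wlan0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str          # "0.0.0.0" means directly connected
    metric: int
    iface: str


def parse_route_table(text: str) -> list[Route]:
    """Parse the eight-column `route -n` format into Route records."""
    routes: list[Route] = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the "Kernel IP routing table" banner and the column header.
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = fields
        network = ipaddress.IPv4Network(f"{dest}/{genmask}")
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def best_route(routes: list[Route], dst: str) -> Route | None:
    """Longest-prefix match, lowest metric breaking ties, as the kernel does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def egress(routes: list[Route], dst: str) -> tuple[str, str] | None:
    """Return the (interface, gateway) a packet to dst would use."""
    r = best_route(routes, dst)
    return None if r is None else (r.iface, r.gateway)


def is_split_tunnel(routes: list[Route], vpn_iface: str) -> bool:
    """True when ordinary Internet traffic leaves via a non-VPN interface.

    Probes one address in each half of the IPv4 space, because the /1 trick
    covers exactly those halves; both halves must avoid the VPN interface.
    """
    return all(
        (egress(routes, probe) or ("", ""))[0] != vpn_iface
        for probe in ("1.1.1.1", "203.0.113.10")
    )


if __name__ == "__main__":
    for label, table in (("split", SPLIT_TUNNEL_TABLE), ("full", FULL_TUNNEL_TABLE)):
        routes = parse_route_table(table)
        print(f"{label}: split tunnel = {is_split_tunnel(routes, 'tun0')}")
        for dst in ("203.0.113.10", "172.16.0.3", "10.8.0.7", "192.168.1.50"):
            print(f"  {dst:>14} -> {egress(routes, dst)}")
```

Running it on the split-tunnel table sends 203.0.113.10 out wlan0 via 192.168.1.1 while 172.16.0.3 still goes out tun0 via 10.8.0.1; on the full-tunnel table the Internet address goes out tun0 because the metric-0 default on tun0 beats the metric-302 default on wlan0. Feeding the script the real `route -n` output of a client is a quick way to confirm that only the intended internal hosts are reachable through the tunnel before trusting a split-tunnel configuration.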