The Problem
We have an OpenVPN server in our network, which is used to connect to only four machines. With the configuration given below it works, but clients cannot access the rest of the internet, as expected with this configuration. Now I want to enable split tunnelling, but I cannot get it to work and I do not understand why:
Network Overview
- Network A.B.C.0/25: globally unique public addresses, NOT private/local addresses from 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or 169.254.0.0/16
- A.B.C.16 - OpenVPN server
- 10.8.0.0/24 - OpenVPN clients
- A.B.C.2, A.B.C.3, A.B.C.5, A.B.C.6 - Machines we need to access
Server Config
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route A.B.C.0 255.255.255.128"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify
The server has packet forwarding enabled (net.ipv4.ip_forward=1 in /etc/sysctl.conf).
Clients
client
dev tun
proto udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3
key-direction 1
<ca>
[...]
</ca>
<cert>
[...]
</cert>
<key>
[...]
</key>
<tls-auth>
[...]
</tls-auth>
The Four Machines in Our Network
... have a static route (persistent after reboot):
route add -net 10.8.0.0/24 gw A.B.C.16
They can send packets back to the VPN clients.
What I changed, but did not work
- I commented out
push "redirect-gateway def1 bypass-dhcp"
and restarted the VPN server. But then Windows clients cannot connect to the four machines. Strangely, a Linux client could connect! I have to check this again, so please take this info with a grain of salt.
- I tried push "route A.B.C.0 255.255.255.128 10.8.0.1" - won't work
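One way to check, on the server side, what a given server.conf actually pushes into the tunnel: the script below is an added example, not part of the question or of OpenVPN itself. It parses the push directives, classifies the config as full-tunnel (redirect-gateway pushed) or split-tunnel (only route pushes), and reports whether each of the four target hosts would be routed through the VPN. The addresses are constructed stand-ins: 203.0.113.0/25 plays the role of A.B.C.0/25 and the hosts .2, .3, .5 and .6 of that block are the four machines.

```python
"""Classify an OpenVPN server config as full- or split-tunnel and check
which target hosts a client would route through the VPN.

Added example (not from the original question): parses 'push' directives
from server.conf text.  All network values are constructed placeholders
(203.0.113.0/25 stands in for the question's A.B.C.0/25).
"""
import ipaddress
import shlex

# Constructed stand-in for the question's server config with the
# redirect-gateway push commented out (split-tunnel variant).
SPLIT_TUNNEL_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 203.0.113.0 255.255.255.128"
# push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
"""

# Same config with the redirect-gateway push active (full-tunnel variant).
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    '# push "redirect-gateway def1 bypass-dhcp"',
    'push "redirect-gateway def1 bypass-dhcp"')

# The four hosts clients must reach (constructed values, .2/.3/.5/.6 as in the question).
TARGETS = ["203.0.113.2", "203.0.113.3", "203.0.113.5", "203.0.113.6"]


def parse_pushes(conf_text):
    """Return (redirect_gateway, routes): whether a redirect-gateway push is
    active, and the pushed 'route' entries as ipaddress networks.
    Lines starting with '#' or ';' are comments and ignored, as OpenVPN does."""
    redirect_gateway = False
    routes = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        if tokens[0] != "push" or len(tokens) < 2:
            continue
        # The pushed option is itself a quoted directive, e.g. 'route NET MASK [GW]'.
        pushed = shlex.split(tokens[1])
        if pushed[0] == "redirect-gateway":
            redirect_gateway = True
        elif pushed[0] == "route" and len(pushed) >= 2:
            mask = pushed[2] if len(pushed) >= 3 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{pushed[1]}/{mask}", strict=False))
    return redirect_gateway, routes


def tunnel_mode(conf_text):
    """'full' if redirect-gateway is pushed, 'split' if only routes are pushed,
    'none' if nothing at all is routed into the tunnel."""
    redirect_gateway, routes = parse_pushes(conf_text)
    if redirect_gateway:
        return "full"
    return "split" if routes else "none"


def reachable_via_vpn(conf_text, hosts):
    """Map each host to True if a client would send traffic for it into the tunnel."""
    redirect_gateway, routes = parse_pushes(conf_text)
    result = {}
    for host in hosts:
        addr = ipaddress.ip_address(host)
        result[host] = redirect_gateway or any(addr in net for net in routes)
    return result


if __name__ == "__main__":
    for name, conf in (("full", FULL_TUNNEL_CONF), ("split", SPLIT_TUNNEL_CONF)):
        print(name, tunnel_mode(conf), reachable_via_vpn(conf, TARGETS))
```

This only covers the client-to-server direction of the routing: with the pushed /25 route all four constructed hosts fall inside the tunnel, while an address outside that block (or anywhere else on the internet) stays on the client's normal default route. The return path, i.e. the static route to 10.8.0.0/24 on the four machines and forwarding on the server, is a separate check.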