
The Problem

We have an OpenVPN server in our network, which is used to connect to only four machines. With the configuration given below it works, but clients cannot access the rest of the internet, as expected with this configuration. Now I want to enable split tunnelling, but I cannot get it to work and I do not understand why:

Network Overview

  • Network A.B.C.0/25: globally unique public addresses, NOT private or link-local addresses from 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or 169.254.0.0/16
  • A.B.C.16 - OpenVPN server
  • 10.8.0.0/24 - OpenVPN clients
  • A.B.C.2, A.B.C.3, A.B.C.5, A.B.C.6 - Machines we need to access

Server Config

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route A.B.C.0 255.255.255.128"
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0

cipher AES-256-CBC
auth SHA256

user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify

Server has enabled packet forwarding net.ipv4.ip_forward=1 in /etc/sysctl.conf

Clients

client
dev tun
proto udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3
key-direction 1
<ca>
[...]
</ca>
<cert>
[...]
</cert>
<key>
[...]
</key>
<tls-auth>
[...]
</tls-auth>

The Four Machines in Our Network

... have a static route (persistent after reboot):

route add -net 10.8.0.0/24 gw A.B.C.16

They can send packets back to the VPN clients.

What I changed, but did not work

  1. I commented out push "redirect-gateway def1 bypass-dhcp" and restarted the VPN server. But then Windows clients could not connect to the four machines. Strangely, a Linux client could connect! I have to check this again, so please take this information with a grain of salt.
  2. I tried push "route A.B.C.0 255.255.255.128 10.8.0.1" - this did not work either.
dice

1 Answer


I don't see the issue; it should work with that line commented out, as you have already mentioned under option 1 of "What I changed, but did not work"...

Could you provide the log from the Windows client? If there is nothing useful in it, I would check what the final routing table on the Windows clients is once the session is established... To be honest, I would be more interested in that side.

Thank you for providing it, if possible.

Kamil J
  • Unfortunately I shut down this server and this setup (we are using an SSH tunnel now), so I cannot provide any more information – dice Feb 28 '20 at 13:50
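As an added example (not code from the original post, nor from OpenVPN itself), the bash script below covers both the split-tunnel configuration change the question is after and the routing-table check Kamil J asks for in the answer. It reports from the push lines whether a server config is a full or a split tunnel, flags any pushed route that covers the VPN endpoint's own address (the /25 pushed here contains the server A.B.C.16, and the encrypted UDP packets to that endpoint must not themselves be routed into the tunnel; redirect-gateway installs a bypass host route for the --remote address for exactly that reason, so after a plain route push it is worth confirming one is present), and checks a Linux ip route table for the three conditions a split tunnel to the /25 should satisfy. It assumes the documentation prefix 198.51.100.0/25 in place of A.B.C.0/25 (so the server is 198.51.100.16), and the configs and route tables it works on are constructed inline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from OpenVPN): lint an OpenVPN
# server config for split vs. full tunnel and check a client's routing table
# once the session is up. The post's A.B.C.0/25 is stood in for by the
# documentation prefix 198.51.100.0/25 (an assumption), so the VPN server is
# 198.51.100.16 and the four hosts are .2, .3, .5 and .6.
set -u

# ---- small IPv4 helpers (bash integer arithmetic) -------------------------
ip2int() {                      # 198.51.100.16 -> 3325256720
  local IFS=. ; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
mask2plen() {                   # 255.255.255.128 -> 25
  local m n=0 ; m=$(ip2int "$1")
  while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
  echo "$n"
}
cidr_contains() {               # cidr_contains 198.51.100.0/25 198.51.100.16 -> true
  local net=${1%/*} plen=${1#*/} host=$2 mask
  mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$host") & mask )) ]
}

# ---- server.conf checks ---------------------------------------------------
# "full" when an active push "redirect-gateway ..." line exists, else "split".
tunnel_mode() {
  if grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$1"; then echo full; else echo split; fi
}
# Every active push "route NET MASK [GW]" line, printed as NET/PLEN.
pushed_routes() {
  sed -nE 's/^[[:space:]]*push[[:space:]]+"route[[:space:]]+([0-9.]+)[[:space:]]+([0-9.]+).*"/\1 \2/p' "$1" |
    while read -r net mask; do echo "$net/$(mask2plen "$mask")"; done
}
# Pushed routes that cover the VPN endpoint itself. Such a route would send the
# encrypted UDP packets into the tunnel unless the client keeps a more specific
# host route to the endpoint via its physical gateway (redirect-gateway installs
# that host route itself; after a plain route push, verify it on the client).
routes_covering_endpoint() {
  local conf=$1 endpoint=$2 r
  for r in $(pushed_routes "$conf"); do cidr_contains "$r" "$endpoint" && echo "$r"; done
  return 0
}

# ---- client-side check on Linux `ip route` output -------------------------
# Returns 0 when the table shows a split tunnel: no default or half-default
# route via tun, NET via tun, and a host route to SERVER that bypasses tun.
check_client_routes() {
  local routes=$1 server=$2 net=$3 rc=0
  if grep -E '^(default|0\.0\.0\.0/1|128\.0\.0\.0/1) ' "$routes" | grep -q 'dev tun'; then
    echo "FAIL: default traffic goes through the tunnel (full tunnel, not split)"; rc=1
  fi
  if ! grep -E "^$net " "$routes" | grep -q 'dev tun'; then
    echo "FAIL: $net is not routed through the tunnel"; rc=1
  fi
  if ! grep -E "^$server " "$routes" | grep -qv 'dev tun'; then
    echo "FAIL: no host route to the VPN endpoint $server outside the tunnel"; rc=1
  fi
  return $rc
}

# ---- constructed sample inputs (not captured from a real system) ----------
workdir=$(mktemp -d)
full_conf=$workdir/full.conf ; split_conf=$workdir/split.conf
full_routes=$workdir/full.routes ; split_routes=$workdir/split.routes
# The post's pair of push lines: the redirect-gateway makes this a full tunnel.
printf '%s\n' 'push "route 198.51.100.0 255.255.255.128"' \
              'push "redirect-gateway def1 bypass-dhcp"' > "$full_conf"
# Split tunnel: only the /25 is pushed; the redirect-gateway line is commented out.
printf '%s\n' 'push "route 198.51.100.0 255.255.255.128"' \
              '# push "redirect-gateway def1 bypass-dhcp"' > "$split_conf"
# Constructed `ip route` output of a Linux client after connecting (net30 topology).
cat > "$split_routes" <<'EOF'
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.0/25 via 10.8.0.5 dev tun0
198.51.100.16 via 192.168.1.1 dev eth0
EOF
# The same table with the two half-default routes that "redirect-gateway def1" adds.
{ printf '%s\n' '0.0.0.0/1 via 10.8.0.5 dev tun0' '128.0.0.0/1 via 10.8.0.5 dev tun0'
  cat "$split_routes"; } > "$full_routes"

demo() {
  local c
  for c in "$full_conf" "$split_conf"; do
    echo "$(basename "$c"): mode=$(tunnel_mode "$c") pushed=$(pushed_routes "$c" | tr '\n' ' ')"
    echo "  pushed routes covering the endpoint 198.51.100.16: $(routes_covering_endpoint "$c" 198.51.100.16)"
  done
  echo "client table after the split config:"
  check_client_routes "$split_routes" 198.51.100.16 198.51.100.0/25 && echo "  OK: split tunnel"
  echo "client table after the full config:"
  check_client_routes "$full_routes" 198.51.100.16 198.51.100.0/25 || true
}
demo
```

The check reads Linux ip route output only; on a Windows client the same three conditions (no 0.0.0.0/0, 0.0.0.0/1 or 128.0.0.0/1 entry pointing at the TAP/TUN adapter, the /25 pointing at it, and a /32 for the server pointing at the physical gateway) have to be read off route print by hand.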