OpenVPN: Route only specific subnetwork through VPN - works for single IP addresses

I was trying to route only a specific subnet/single address through OpenVPN.

I have read several questions like this on Super User, and even found a good answer to my question.

So I am now able to route a single IP address through the VPN. To do this I have added something like this to /etc/openvpn/client.conf:

route-nopull

route 1.2.3.4 255.255.255.255
route 5.6.7.8 255.255.255.255
route 9.10.11.12 255.255.255.255

However this solves only half of my problem, because what I would like to do is to route specific subnetworks through the VPN, not only single addresses.

I have tried the following

route x.y.19.178 255.255.255.0

which, I believe, should route the whole traffic to the x.y.19.178/24 subnetwork through the VPN, but it doesn't. Instead I can see the following error in syslog:

Dec 18 16:11:01 wi-dev ovpn-client[31421]: /sbin/ip route add x.y.19.178/24 via z.a.0.1
Dec 18 16:11:01 wi-dev ovpn-client[31421]: ERROR: Linux route add command failed: external program exited with error status: 2 

Any idea what might be wrong with my client (or server) config?

running.t

Posted 2014-12-18T16:05:07.587

Reputation: 228

Can you update your configuration example so that the last two octets of your IP address are the actual values in your configuration? Those numbers are relevant and may cause errors if they're not correct. – heavyd – 2014-12-18T16:13:23.400

I have updated it. However the problem occurred regardless of the network mask I have used. I have tried x.y.19.178/1, x.y.19.178/24, x.y.19.178/30 etc. – running.t – 2014-12-18T16:17:49.347

Answers

Your netmask is not valid for the IP address you're using. Specifically, if you take your IP addresses and convert them to binary you get:

IP   = x.y.19.178            = XXXXXXXX.YYYYYYYY.00010011.10110010
MASK = 255.255.255.252 (/30) = 11111111.11111111.11111111.11111100

In order for an IP address to be valid for a subnet, the IP must be at the beginning of the subnet, or in binary terms, the IP can only have 1s where the subnet mask has 1s. So, if we remove the last 1 from the IP we get:

IP   = x.y.19.176            = XXXXXXXX.YYYYYYYY.00010011.10110000

So, the start of your subnet should actually be x.y.19.176. You'll have to calculate appropriate IPs if you want a subnet different than a /30. I used this tool to do some calculations.

Also note: if you just run the command given in the log at the command line

/sbin/ip route add x.y.19.178/24 via z.a.0.1

You'll get the error back. On my machine I got "Invalid argument", whereas this command succeeded:

/sbin/ip route add 192.168.19.176/24 via 192.168.0.1

heavyd

Posted 2014-12-18T16:05:07.587

Reputation: 54 755
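The check heavyd describes (the address must have zero bits wherever the mask has zero bits, i.e. it must be the network address, or the kernel rejects the route) can be applied to every `route` line of a client.conf before OpenVPN tries them. The script below is an added example for this thread, not code from the question or the answer: it parses OpenVPN `route <address> <netmask>` directives, flags the ones the kernel would reject, rewrites them to the start of their subnet, and renders the `ip route add` command OpenVPN would run. The config lines in `SAMPLE_CONFIG` are constructed (192.168.19.178 stands in for the redacted x.y.19.178) and the gateway 192.168.0.1 is an assumed value.

```python
"""
Validate and repair OpenVPN `route` directives the way the Linux kernel
judges them: the address part must be the network address of the subnet.

Added example for this thread; not code from the original question or
answer. Sample config and gateway below are constructed/assumed values.
"""
import ipaddress

# Constructed sample: the working /32 routes from the question plus two
# routes whose address is not the start of its subnet (the failing case).
SAMPLE_CONFIG = """\
route-nopull
route 1.2.3.4 255.255.255.255
route 5.6.7.8 255.255.255.255
route 192.168.19.178 255.255.255.0
route 192.168.19.178 255.255.255.252
"""


def parse_route_lines(config_text):
    """Yield (address, netmask) for every `route` directive in the config."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "route":
            yield parts[1], parts[2]


def check_route(address, netmask):
    """
    Return (is_valid, network) for one route.

    `ip route add A/N` only succeeds when A has zero bits wherever the mask
    has zero bits, i.e. A is the network address. ip_network(strict=True)
    applies exactly that rule and raises ValueError otherwise, which is the
    condition behind the kernel's "Invalid argument" quoted in the answer.
    strict=False then yields the corrected network address.
    """
    try:
        return True, ipaddress.ip_network(f"{address}/{netmask}", strict=True)
    except ValueError:
        return False, ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def fix_routes(config_text):
    """
    Return corrected OpenVPN `route` lines, one per input route, with the
    host bits cleared so each line names the start of its subnet.
    """
    fixed = []
    for address, netmask in parse_route_lines(config_text):
        _, net = check_route(address, netmask)
        fixed.append(f"route {net.network_address} {net.netmask}")
    return fixed


def ip_route_commands(config_text, gateway):
    """Render the `ip route add` command OpenVPN would run for each fixed route."""
    commands = []
    for address, netmask in parse_route_lines(config_text):
        _, net = check_route(address, netmask)
        commands.append(
            f"/sbin/ip route add {net.network_address}/{net.prefixlen} via {gateway}"
        )
    return commands


if __name__ == "__main__":
    for address, netmask in parse_route_lines(SAMPLE_CONFIG):
        ok, net = check_route(address, netmask)
        status = "ok" if ok else f"INVALID -> use {net.network_address}"
        print(f"route {address} {netmask}: {status}")
    for cmd in ip_route_commands(SAMPLE_CONFIG, "192.168.0.1"):
        print(cmd)
```

Run against the sample, the two /32 lines pass unchanged, `192.168.19.178 255.255.255.0` is rewritten to `192.168.19.0`, and `192.168.19.178 255.255.255.252` to `192.168.19.176`, matching the binary calculation in the answer.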