OpenVPN route all traffic except select local subnets


Seen several questions attempting to approach this question, but none of them are very helpful. I'd like something definitive that can assist others with this question, as it comes often and rarely seems to garner a valid response.

redirect-gateway works well for me in general, but the one problem with it is that it includes local IP ranges. I understand that OpenVPN needs to do this because it needs to cover its own private IP space, which could be anything as the user arbitrarily assigns this.

It would, however, be great if one could easily gain the same effect as redirect-gateway minus one or two ranges, as appropriate for the local network they're on, so that they can still access local LAN resources (on the physical LAN, not the OpenVPN "LAN"). I'd like to exclude 10.0.0.0 from the tunnel at work, for instance, but all other IP ranges would still be sent over the tunnel.

The easiest way to do this should be to leave redirect-gateway and then add a local route instructing 10.0.0.0 to go over the local interface and gateway, but Windows does not seem to respect metric settings, even with automatic metrics turned off and manually tweaked metrics so that OpenVPN is always above local routes. All traffic continues to route over the VPN tunnel.

The alternative appears to be either full local route bootstrapping or teaching OpenVPN server-side to list routes like 0.0.0.0-9.0.0.0, 11.0.0.0-128.0.0.0, 128.0.0.0-172.17.16.0 (my OpenVPN subnet is 172.17.17.x), 172.17.18.0-254.0.0.0. And that seems like a huge pain, especially considering one must attempt to get the corresponding subnet masks correct.

Any suggestions for an easy, consistent way to configure OpenVPN that actually works (Windows route metrics don't work), preferably client-side, to exclude a few special subnets that may be local to the connecting client from the tunnel would be greatly appreciated.

For the time being I have fallen back to a SSH-provided SOCKS proxy so that I can continue to access network-local resources, but I would greatly prefer the comfort of a VPN that routes all but a few specifically mentioned address ranges.

jeffcook2150

Posted 2013-06-21T20:05:42.673

Reputation: 280

Your local LAN will always take priority over redirect-gateway def1 unless you specify otherwise with redirect-gateway def1 block-local. This has nothing to do with metrics... unless you have a routing conflict :) – dotvotdot – 2016-03-22T02:22:12.570

Answers


As mentioned in the comments by @dotvotdot the LAN on which your computer is present won't be routed through the VPN tunnel. This is normal behaviour. If you want to reach "local subnets", that is I guess networks which are not your LAN and not accessible through the tunnel itself, you might want to use the net_gateway keyword which represents your local gateway. That way, the routing will be made by your local router and not the VPN server.

See the example below where the traffic for the 10.59.0.0/16 network should not go through the VPN tunnel.

push "redirect-gateway def1 bypass-dhcp"
push "route 10.59.0.0 255.255.0.0 net_gateway"

Ludovic Kuty

Posted 2013-06-21T20:05:42.673

Reputation: 111

you need way more upvotes. this saved me from being sniffed in my corporate network. thanks :) – Valerio – 2020-02-21T13:21:39.103
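As an added worked example (not part of the original question or answer): a small Python script that emits the OpenVPN route directives for both approaches discussed on this page, the `route ... net_gateway` exclusion from the answer and the enumerated "everything except these subnets" route list the question sketches, with the subnet masks computed rather than typed by hand. The office subnet 10.0.0.0/8 and the 10.59.0.0/16 network come from the page; the `remote_host` host route, the `bypass-dhcp` flag and all function names are this example's own choices.

```python
"""Generate OpenVPN 'route' directives that tunnel everything except a few
subnets that are local to the connecting client (e.g. the office 10.0.0.0/8).

Two strategies (both from the page's discussion, not from OpenVPN itself):
  net_gateway : redirect-gateway def1 plus one 'route ... net_gateway' line per
                excluded subnet, so the local router handles those prefixes.
  complement  : no redirect-gateway; instead the explicit CIDR blocks covering
                all of IPv4 minus the exclusions, each routed via vpn_gateway.
Directives are identical in a client .ovpn and in server 'push' lines.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def complement_routes(excluded: Iterable[str]) -> List[IPv4Net]:
    """Minimal sorted set of CIDR blocks equal to 0.0.0.0/0 minus `excluded`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in (ipaddress.ip_network(e, strict=False) for e in excluded):
        carved: List[IPv4Net] = []
        for block in remaining:
            if ex.subnet_of(block):
                # Punch the exclusion out of this block: address_exclude yields
                # the sibling prefixes down to `ex` (nothing if ex == block).
                carved.extend(block.address_exclude(ex))
            elif block.subnet_of(ex):
                continue  # block lies wholly inside an exclusion: drop it
            else:
                carved.append(block)  # disjoint prefixes: keep unchanged
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def route_line(net: IPv4Net, gateway: str) -> str:
    """OpenVPN's 'route' option wants a dotted netmask, not a prefix length."""
    return f"route {net.network_address} {net.netmask} {gateway}"


def openvpn_directives(excluded: Iterable[str], strategy: str = "net_gateway") -> List[str]:
    """Directives for a client config; wrap with push "..." for the server."""
    nets = [ipaddress.ip_network(e, strict=False) for e in excluded]
    if strategy == "net_gateway":
        # def1 overrides the default route with two /1 routes and adds a host
        # route to the VPN server via the local gateway; each excluded subnet
        # is more specific than /1, so it wins regardless of Windows metrics.
        lines = ["redirect-gateway def1 bypass-dhcp"]
        lines += [route_line(n, "net_gateway") for n in nets]
        return lines
    if strategy == "complement":
        # Without redirect-gateway nothing pins the VPN server itself to the
        # physical link, so add that host route explicitly (assumption of this
        # example; 'remote_host' is OpenVPN's keyword for the --remote address).
        lines = ["route remote_host 255.255.255.255 net_gateway"]
        lines += [route_line(n, "vpn_gateway") for n in complement_routes(nets and [str(n) for n in nets])]
        return lines
    raise ValueError(f"unknown strategy {strategy!r}")


def server_push_block(excluded: Iterable[str], strategy: str = "net_gateway") -> List[str]:
    """Same directives as push "..." lines for the OpenVPN server config."""
    return [f'push "{d}"' for d in openvpn_directives(excluded, strategy)]


if __name__ == "__main__":
    office = ["10.0.0.0/8"]  # the subnet the question wants kept off the tunnel
    print("# client .ovpn, net_gateway strategy")
    print("\n".join(openvpn_directives(office)))
    print("\n# server.conf, same thing pushed")
    print("\n".join(server_push_block(["10.59.0.0/16"])))
    print("\n# client .ovpn, enumerated complement (masks computed)")
    print("\n".join(openvpn_directives(office, "complement")))
```

Excluding 10.0.0.0/8 the complement strategy needs eight prefixes (0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1), which is why hand-typing the masks goes wrong; the net_gateway strategy needs one line per exclusion and additionally gets the DHCP and VPN-server host routes that redirect-gateway def1 installs for free. Whichever is used, verify on the client after connecting (`route print` on Windows, `ip route` on Linux) that the excluded prefix points at the physical gateway and that the two /1 routes point at the tun adapter.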