How do I exclude specific ports when using a VPN?

2

I'm using OpenVPN on Windows 10. I'd like to exclude traffic on certain ports (for example, SSH) from the VPN and instead use the underlying network. Can this be done?

On Linux, I'd imagine using iptables with -p tcp --dport 22 to redirect to the underlying device instead of the VPN tunnel device to do this. What are my options on Windows?

The VPN has (so far) assigned me an IP in the 10.9.0.0/16 range. The underlying network gives me an IP in 10.13.0.0/16, and most of my SSH traffic goes to 10.105.0.0/16 in the underlying network, or to Github (nslookup tells me that's 192.30.252.128).

muru

Posted 2015-11-08T23:07:06.690

Reputation: 975

OpenVPN's client doesn't support this; some commercial VPN products do, to my knowledge. – Linef4ult – 2015-11-09T12:22:45.920

@Linef4ult so this must be handled by the VPN client? Nothing to be done on the OS side? – muru – 2015-11-09T15:13:15.280

@muru -- Is the host you want to SSH to in the same LAN as the VPN client or a different one? Please add full details to your question. – dotvotdot – 2015-11-12T12:27:39.807

@dotvotdot could be either - I might want to SSH to Github or to a PC in the next room. Does it make a difference? – muru – 2015-11-12T12:28:49.597

The problem leads to very complicated routing rules. If you add two examples to your question I will try to answer those specifically. – dotvotdot – 2015-11-12T12:41:35.530

@dotvotdot I'd prefer a general answer, but I have added more details. – muru – 2015-11-12T12:46:21.030

Answers

1

Your home LAN is 10.13.0.0/16; I presume your home gateway is 10.13.0.1. Your VPN subnet is 10.9.0.0/16; I presume your VPN gateway is 10.9.0.1. Then we can add these routing rules:

To route your SSH via the LAN gateway, not the VPN:

route add 10.105.0.0 mask 255.255.0.0 10.13.0.1

To route Git via the LAN gateway, not the VPN:

route add 192.30.252.128 mask 255.255.255.255 10.13.0.1

dotvotdot

Posted 2015-11-08T23:07:06.690

Reputation: 496
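As an added illustration (not part of the answer above), the following Python models a Windows routing table built from the question's addresses and shows why the two added routes take effect: the host picks the most specific matching prefix and never consults the TCP/UDP port, which is exactly why a route-based bypass can be per-destination but not per-port. It assumes the gateways the answer presumes (10.13.0.1 and 10.9.0.1) and models OpenVPN's redirect-gateway def1 behaviour, which installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel so they beat the LAN default route.

```python
import ipaddress

# Constructed routing table (assumption, modelled on the question's addresses).
# Each entry: (prefix, next hop or None for on-link, interface).
ROUTES = [
    ("0.0.0.0/0",    "10.13.0.1", "lan"),   # LAN default route
    ("0.0.0.0/1",    "10.9.0.1",  "tun"),   # OpenVPN redirect-gateway def1 ...
    ("128.0.0.0/1",  "10.9.0.1",  "tun"),   # ... both halves of the address space
    ("10.13.0.0/16", None,        "lan"),   # on-link LAN subnet
    ("10.9.0.0/16",  None,        "tun"),   # on-link VPN subnet
]

# The two routes the answer adds with "route add ... 10.13.0.1".
BYPASS_ROUTES = [
    ("10.105.0.0/16",     "10.13.0.1", "lan"),
    ("192.30.252.128/32", "10.13.0.1", "lan"),
]


def select_route(dst, routes):
    """Longest-prefix match: the most specific prefix containing dst wins.
    There is no port argument on purpose: a host routing table never sees it,
    so every port to a bypassed destination leaves the tunnel together."""
    ip = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(prefix), gw, iface)
        for prefix, gw, iface in routes
        if ip in ipaddress.ip_network(prefix)
    ]
    if not matches:
        raise ValueError(f"no route to {dst}")
    net, gw, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface, gw


def bypassed_destinations(dsts, routes):
    """Return those destinations whose traffic (all ports) would leave via the
    LAN rather than the tunnel; handy for reviewing what a bypass list exposes."""
    return [d for d in dsts if select_route(d, routes)[0] == "lan"]
```

Without BYPASS_ROUTES both 192.30.252.128 and 10.105.0.0/16 fall under the /1 tunnel routes; with them, the /32 and /16 entries win because they are more specific, while everything else still goes through the VPN.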

So, this can only be done on the basis of the destination IP, but not based on the port? – muru – 2015-11-12T13:54:26.877

As pointed out to you already -- openvpn does not filter anything on port numbers. This is the only way you can achieve your result in Windows. [edit: that I know of] – dotvotdot – 2015-11-12T13:57:34.817

Maybe it's my Linux background confusing me, but, again, is the VPN client supposed to do this? (I asked the other commenter too, but no response.) – muru – 2015-11-12T14:00:31.653

The OpenVPN client or server does not, cannot, and probably never will filter on ports; this is achieved in Linux with iptables. I am not aware of a product solution like iptables for Windows. – dotvotdot – 2015-11-12T14:03:32.143