openvpn
onlyjusttruth, 2020-02-13 20:18:31

How to configure an openvpn server so that not all traffic from clients goes through it, but only to certain destination addresses?

Good evening. There is a Debian host with an openvpn server that was installed using a script provided by the hosting provider. The script installs and configures openvpn to redirect all client traffic through the vpn connection, and also helps to create user configuration files, and it worked perfectly.
There was a need to redirect through the vpn not all traffic, but only certain routes. I opened the configuration file on the openvpn server and commented out the lines with push gateway and dns, but by tracert from the client machine I see that all traffic still goes through openvpn, and without the specified dns the network connection will not resolve domain names.

Server settings:

proto udp
port 14502
dev tun
topology subnet
persist-key
persist-tun
user nobody
group nogroup
# client-config-dir ccd
### ipv4 setting
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"
# push "redirect-gateway def1 bypass-dhcp" # send all traffic through the VPN
### ipv6 setting
server-ipv6 АДРЕСV6_ВЫДАННЫЙ_ПРОВАЙДЕРОМ::/112
# tun-ipv6
# push tun-ipv6
#push "route-ipv6 ::/0"
#push "redirect-gateway ipv6"
### security
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_server.crt
key server_server.key
auth SHA256
cipher AES-192-GCM
ncp-ciphers AES-192-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
### User params:
# ncp-disable
max-clients 10
client-to-client
keepalive 10 120
nice 3
verb 0
mute 10

# Notify the client when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1


Then I decided to see what's in the client configs. I commented out "setenv opt block-outside-dns" and domain names began to resolve even without a dns server assigned on the VPN network connection, but traffic still goes through the vpn.
client
proto udp
remote ТУТ_БЫЛ_АДРЕС_СЕРВЕРА 14502
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_server name
auth SHA256
auth-nocache
cipher AES-192-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
#setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3


Routes on the client:
Активные маршруты:
Сетевой адрес           Маска сети      Адрес шлюза       Интерфейс  Метрика
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.195     50
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2    281
         10.8.0.0    255.255.255.0         On-link          10.8.0.2    281
         10.8.0.2  255.255.255.255         On-link          10.8.0.2    281
       10.8.0.255  255.255.255.255         On-link          10.8.0.2    281
     ТУТ_АДРЕС_СЕРВЕРА_ОПЕНВПН  255.255.255.255      192.168.1.1    192.168.1.195    306
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2    281
      192.168.1.0    255.255.255.0         On-link     192.168.1.195    306
    192.168.1.195  255.255.255.255         On-link     192.168.1.195    306
    192.168.1.255  255.255.255.255         On-link     192.168.1.195    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.2    281
        224.0.0.0        240.0.0.0         On-link     192.168.1.195    306
        224.0.0.0        240.0.0.0         On-link     172.18.34.193   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.2    281
  255.255.255.255  255.255.255.255         On-link     192.168.1.195    306


Why, when judging by the configs no routes should be pushed, are routes still created on the client?

At the same time, I have a router with padavan firmware and it also has openvpn. It has no problems. It is enough to remove the "push" and only traffic for the VPN subnet goes through the VPN, while the rest of the traffic from clients goes directly to the Internet.
proto udp4
port 1194
dev tun1
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "route 192.168.1.0 255.255.255.0"
auth SHA256
cipher BF-CBC
compress lzo
push "compress lzo"
ca /etc/storage/openvpn/server/ca.crt
dh /etc/storage/openvpn/server/dh1024.pem
cert /etc/storage/openvpn/server/server.crt
key /etc/storage/openvpn/server/server.key
persist-key
persist-tun
user nobody
group nogroup
script-security 2
tmp-dir /tmp/openvpn
writepid /var/run/openvpn_svr.pid
client-connect ovpns.script
client-disconnect ovpns.script

### User params:
ncp-disable
max-clients 10
client-to-client
keepalive 10 60
nice 3
verb 0

and if you add the push lines to the config, then all traffic from clients goes through the vpn:
proto udp4
port 1194
dev tun1
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "route 192.168.1.0 255.255.255.0"
auth SHA256
cipher BF-CBC
compress lzo
push "compress lzo"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
ca /etc/storage/openvpn/server/ca.crt
dh /etc/storage/openvpn/server/dh1024.pem
cert /etc/storage/openvpn/server/server.crt
key /etc/storage/openvpn/server/server.key
persist-key
persist-tun
user nobody
group nogroup
script-security 2
tmp-dir /tmp/openvpn
writepid /var/run/openvpn_svr.pid
client-connect ovpns.script
client-disconnect ovpns.script

### User params:
ncp-disable
max-clients 10
client-to-client
keepalive 10 60
nice 3
verb 0
mute 10


I understand that I don’t understand something and ask for help, because I can’t solve the problem myself.


2 answer(s)
Radjah, 2020-02-13
@onlyjusttruth

push "redirect-gateway def1 bypass-dhcp" is the redirection of all traffic. This must be removed from the server config and from the client config (without push), if present there.
You need to add push "route нужная_подсеть маска" for all the necessary resources.
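To find out which file still carries the redirection, here is an added example (not from this thread): a small Python audit that treats push "..." lines like local directives, skips commented lines, and flags redirect-gateway or a default route, plus a helper that spots in Windows route print output the two 0.0.0.0/1 and 128.0.0.0/1 half-routes that def1 leaves behind (exactly the pair visible in the route table above). The sample configs and route lines are constructed to mirror the question, the server address is a placeholder, and the set of full-tunnel directives checked is my assumption; run audit() over the server config, every client .ovpn and any file under client-config-dir.

```python
import re
import shlex
# Directives that force all client traffic into the tunnel, set locally or
# delivered with push "..." (assumption: these forms are the relevant ones here).
FULL_TUNNEL_RE = re.compile(
    r"^redirect-gateway\b|^route\s+0\.0\.0\.0\s+0\.0\.0\.0\b|^route-ipv6\s+::/0\b")

def strip_comment(line: str) -> str:
    """Cut a '#' or ';' comment unless it sits inside quotes."""
    quote = None
    for i, c in enumerate(line):
        if quote:
            quote = None if c == quote else quote
        elif c in "\"'":
            quote = c
        elif c in "#;":
            return line[:i]
    return line

def audit(config_text: str) -> dict:
    """Return the active full-tunnel lines and the routes that are configured."""
    offending, routes = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        tokens = shlex.split(line)
        # push "route ..." carries a directive for the client: unwrap and check it too
        directive = tokens[1] if tokens[0] == "push" and len(tokens) > 1 else line
        if FULL_TUNNEL_RE.match(directive):
            offending.append((lineno, raw.strip()))
        elif directive.split()[0] in ("route", "route-ipv6"):
            routes.append(directive)
    return {"full_tunnel": bool(offending), "offending": offending, "routes": routes}

def def1_gateways(route_print: str) -> list:
    """Gateways of the 0.0.0.0/1 and 128.0.0.0/1 half-routes that def1 installs."""
    return [c[2] for c in (line.split() for line in route_print.splitlines())
            if len(c) >= 3 and c[1] == "128.0.0.0" and c[0] in ("0.0.0.0", "128.0.0.0")]

# Constructed samples modelled on the question (placeholder server address).
SERVER_ASIS = 'server 10.8.0.0 255.255.255.0\n# push "redirect-gateway def1 bypass-dhcp" # all traffic via VPN\n'
CLIENT_ASIS = 'client\nremote vpn.example.invalid 14502\nredirect-gateway def1\n'
SERVER_SPLIT = 'server 10.8.0.0 255.255.255.0\npush "route 192.168.1.0 255.255.255.0"\n'
ROUTE_PRINT = ("          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.195     50\n"
               "          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2    281\n"
               "        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2    281\n")
if __name__ == "__main__":
    print({n: audit(c) for n, c in [("server", SERVER_ASIS), ("client", CLIENT_ASIS), ("split", SERVER_SPLIT)]})
    print("def1 gateways:", def1_gateways(ROUTE_PRINT))
```

A non-empty def1_gateways() result on a client whose server config shows no active redirect-gateway means the directive is coming from elsewhere (client file, ccd entry, or a server that was never restarted after the edit).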

Andrey Barbolin, 2020-02-14
@dronmaxman

What do you have in this file?
ifconfig-pool-persist ipp.txt
