OpenVPN and routing

openvpn

Solution 1:

In order to route all traffic through the VPN server, the VPN client sets the default route for the client machine to the tunnel device. However, the outgoing encrypted packets created by the VPN client need to be routed directly to the VPN server (and not back into the VPN client), and so there is a specific route created to the VPN server going out the local gateway. The routing table looks something like this (where 1.2.3.4 is the VPN server's public IP):

192.168.0.0/24 dev eth0     # Local network
1.2.3.4/32 via 192.168.0.1  # Route to VPN server
default via 10.8.0.2        # Everything else via VPN client

When you access another service on the VPN server it is matched by that specific route and routed directly onto the Internet.

There are a couple ways to address this:

  1. Use the VPN server's private IP when accessing the other services on it (e.g. 10.8.0.1 instead of 1.2.3.4). Ideally this would be done with a DNS server on the VPN server providing split DNS to VPN clients.
  2. Use a dedicated IP address for the VPN server.
  3. Configure port based policy routing on the client so only packets destined for the VPN server on the VPN port number are routed directly onto the Internet.

Related

nginx + php fpm -> 404 php pages - file not found
Nagios alerts using twitter (with twurl) not firing
Desktop virtualization
Restrict postqueue access to admin user
Ext3 Stride/Stripe-Width Calculation for 3-Disk Software RAID1E
Outlook 2010 exchange setup prompts for [email protected] rather than [email protected]
Logging Timeout'd Request in Apache 2.X
HTTPS request fails in Docker >= 1.10 with virtualized network
Best way to synchronise the time on a Windows 2008 Server
Is there a way to get PowerShell 2's remoting features to work between Windows XP machines?
HyperV on Domain Controller or DC on HyperV?
What could cause Apache's time/timezone to change intermittently?