22

I need to configure my OpenVPN server to provide some LAN resources, but I don't want to route all traffic for my clients.

Here is my sample network description: My LAN is 192.168.1.0/24. The OpenVPN network is 192.168.100.0/24. I add push route 192.168.1.0 255.255.255.0 in my server-side configuration. I would like to allow my clients to access 192.168.1.0/24, but not other traffic.

How can I do this from the server-side configuration? Is client-side configuration the only way to do this?

Solomon
  • 353

8 Answers

43

This is a client setting.

For Linux clients, in NetworkManager: Edit Connections -> VPN -> (select the vpn configuration you would like to edit) -> Edit -> IPv4/IPv6 -> Routes -> Check the box that says "Use this connection only for resources on its network"

mueslo
  • 103
19

Simply do not add the redirect-gateway in the client or server configuration and the default gateway will not be changed.

Zoredache
  • 133,737
9

Because I have IPv4 and IPv6, if I don't want OpenVPN to set my default gw, I had to add the following lines to my client configuration, and I had to add the IPv6 routes manually:

pull-filter ignore "route-gateway"
route-nopull

If I don't want all the IPv4 traffic necessarily going through my OpenVPN interface, I only had to add the following line:

pull-filter ignore "route-gateway"

The line above means that my traffic to hosts supporting IPv4 and IPv6 goes through my OpenVPN connection, while my traffic to hosts with only IPv4 goes through my wireless interface.

My original client configuration before playing was:

client
dev tun
proto udp
remote ovpn.myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3

Regards,

200313
  • 191
6

route-nopull in the .ovpn file, or --route-nopull on the command line.

You'll then have to set up the routes yourself, of course.

3

I found that removing

resolv-retry infinite

from my client.conf stops pushing default route from server.

Jeff P
  • 39
1

Try adding pull-filter ignore "route-gateway" to your .ovpn file. Then, remember to set your custom routes.

Example:

...
pull-filter ignore "route-gateway"
route-method exe
route-delay 2
allow-pull-fqdn
route <some subnet IP> <subnet mask> <gateway IP>
route <other subnet IP> <subnet mask> <gateway IP>
...

NOTE:
It works when launching vpn connection from shell:

sudo openvpn --config /home/sfernandez/Documentos/config/sfernandez.ovpn

For work stations, if you are going to use .ovpn file for importing configuration to create a new connection:

sudo nmcli connection import file /path/to/your/file/vpn_config.ovpn type openvpn

Then, you'll need to set this option in your UI connection manager. Something like:

IPv4 Settings -> Routes -> [x] Use this connection only for resources on your network.

serfer2
  • 111
  • 4
1

(For clients)

--pull-filter ignore "<the beginning of the command, which sets the route>"

To get the exact command which the server pushes, you must:

  • enable logging with verb 7 either in the config, or via command line;
  • wipe the log to see more clearly: echo >/var/log/<whatever you named it>.log;
  • start openvpn;
  • in the log search for route or gateway;
  • add the command in the line with pull-filter ignore.

The command may look like redirect-gateway def1.

tijagi
  • 457
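As an added example (this is not code from any answer on this page), here is a small Python script that does what the procedure above describes by hand: it parses the PUSH_REPLY control message out of a client log line and emulates how OpenVPN (2.4 and later) applies pull-filter rules, so you can see which pushed options would survive before touching the real config. It also covers the pull-filter ignore "route-gateway" / route-nopull approach in the earlier answer. The log line is constructed, and the set of pushed options treated as "changes the default route" (redirect-gateway, the explicit 0.0.0.0 and 128.0.0.0 routes that def1 expands to, and an IPv6 default route) is my assumption about what to look for.

```python
"""Inspect an OpenVPN PUSH_REPLY and emulate client-side pull-filter rules."""
import re

# Constructed sample of the line a client writes to its log when the server
# pushes options (format: "PUSH: Received control message: 'PUSH_REPLY,...'").
SAMPLE_LOG_LINE = (
    "PUSH: Received control message: 'PUSH_REPLY,"
    "route 192.168.1.0 255.255.255.0,redirect-gateway def1,"
    "dhcp-option DNS 192.168.1.1,route-gateway 192.168.100.1,"
    "topology subnet,ping 10,ping-restart 120,"
    "ifconfig 192.168.100.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'"
)

# Assumed set of pushed options that would replace the client's default route
# (redirect-gateway, the explicit routes def1 expands to, or an IPv6 default).
DEFAULT_ROUTE_PUSH = re.compile(
    r"^(redirect-gateway\b|route 0\.0\.0\.0 |route 128\.0\.0\.0 128\.0\.0\.0|route-ipv6 ::/0)"
)


def parse_push_reply(log_line):
    """Split the comma-separated option list out of a PUSH_REPLY log line."""
    m = re.search(r"'PUSH_REPLY,(.*)'", log_line)
    if not m:
        return []
    return [opt.strip() for opt in m.group(1).split(",") if opt.strip()]


def apply_pull_filters(options, filters):
    """Emulate --pull-filter: rules are (action, text) pairs tried in order,
    matching when the pushed option *starts with* text; the first match wins
    and unmatched options are accepted. 'reject' aborts the connection, so
    processing stops and the offending option is returned."""
    accepted = []
    for opt in options:
        action = "accept"
        for rule_action, text in filters:
            if opt.startswith(text):
                action = rule_action
                break
        if action == "reject":
            return accepted, opt
        if action == "accept":
            accepted.append(opt)
    return accepted, None


def suggest_filters(options):
    """Return pull-filter lines that drop only the options which would change
    the default route, so a pushed LAN route such as 192.168.1.0/24 survives."""
    lines = []
    for opt in options:
        if not DEFAULT_ROUTE_PUSH.match(opt):
            continue
        # Match "redirect-gateway" regardless of its flags; for explicit
        # routes use the full text so a bare "route" prefix does not also
        # swallow the LAN route and route-gateway.
        text = "redirect-gateway" if opt.startswith("redirect-gateway") else opt
        line = f'pull-filter ignore "{text}"'
        if line not in lines:
            lines.append(line)
    return lines


if __name__ == "__main__":
    pushed = parse_push_reply(SAMPLE_LOG_LINE)
    print("server pushed:", pushed)
    print("suggested client lines:", suggest_filters(pushed))
    kept, _ = apply_pull_filters(pushed, [("ignore", "redirect-gateway")])
    print("effective options:", kept)
```

The point the emulation makes visible is that pull-filter matches by prefix: pull-filter ignore "route" silently drops the pushed LAN route and route-gateway as well as any default route, whereas an accept rule for the LAN prefix listed before the ignore rule keeps it. With a real log, paste the "PUSH: Received control message" line into parse_push_reply and compare the accepted list with what you expect before editing the .ovpn file.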
0

Then, you'll need to set this option in your UI connection manager. Something like:

IPv4 Settings -> Routes -> [x] Use this connection only for resources on your network.

If you want to set this in the NetworkManager file-based config, it can be accomplished with

never-default=true

A sample config may look like this:

[connection]
id=Brno (BRQ2)
uuid=xxx-yyy-zzz-aaa-bbb
type=vpn

[vpn]
ca=/etc/pki/tls/certs/ca-bundle.crt
cipher=AES-256-CBC
connection-type=password
password-flags=2
port=443
remote=ovpn-brq2.example.com
reneg-seconds=0
verify-x509-name=name:ovpn.example.com
tunnel-mtu=1360
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-priority=-1
dns-search=~.;example.com;
method=auto
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
never-default=true

https://networkmanager.pages.freedesktop.org/NetworkManager/NetworkManager/nm-settings-nmcli.html

user7610
  • 224