I want to route only traffic for 192.168.255.0/24 through my remote openvpn server.

This answer suggests adding the following to the client .ovpn:

route-nopull 
route 192.168.255.0 255.255.255.0

However, this doesn't work: when I connect and then check my external IP address using the command below, I get the IP of my OpenVPN server, not my local machine.

dig +short myip.opendns.com @resolver1.opendns.com

For context, the point of the VPN is to allow several remote clients to access each other from arbitrary locations, but they should use the default local routing for everything else: www, PoE cameras, etc. I set up the OpenVPN server using https://github.com/kylemanna/docker-openvpn

The client is OpenVPN 2.4.7 on Ubuntu 16.04.

My local .ovpn config:

client
nobind
dev tun
remote-cert-tls server

remote 157.245.203.172 1194 udp

route-nopull
route 192.168.255.0 255.255.255.0

# various certificates / keys

redirect-gateway def1

My server openvpn.conf:

# client specific configurations
client-config-dir ccd

# allow clients to reach other
client-to-client

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/XXX.XXX.XXX.XXX.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/XXX.XXX.XXX.XXX.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
ezekiel

3 Answers

Remove the:

redirect-gateway def1

from your client configuration.

SYN

This was frustrating because there is so much misinformation available:

Add these lines to the client.ovpn

# reject route all traffic through vpn
# even if it is configured on the server
pull-filter ignore "redirect-gateway"
# route only selected traffic through vpn
# subnets 10, 20 and 30
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0

Everything else will go through the net_gateway, not through the VPN. It is optional to accept the local DNS through the VPN, or to use a custom client DNS.

I use this at work, to access selected home services through VPN permanently, without interfering with my work (speed, DNS).

If you need a work DNS, then an option is to deny DNS/DHCP through VPN, but override selected services through the hosts file.

Alex

The last comment almost works with Windows 11 and OpenVPN... but not quite. Here's the fix.

pull-filter ignore redirect-gateway
route-nopull
route 10.8.0.0 255.255.255.0
NerdUno