2

So, I have an OpenVPN proxy and this configuration file:

dev tun0
proto tcp
remote 0.1.2.3 443
client
nobind
tun-mtu 1500
tun-mtu-extra 32
ca ca.crt
cert user.crt
key user.key
tls-client
tls-auth ta.key 1
auth MD5
cipher BF-CBC
ns-cert-type server
comp-lzo yes
auth-user-pass
persist-key
persist-tun
verb 3
route-method exe
route-delay 2
route-metric 512
route 0.0.0.0 0.0.0.0

How to route all traffic through OpenVPN except 192.168.x.x and 10.x.x.x?

mixaill

1 Answer

2

The information you seek is here:

http://openvpn.net/index.php/open-source/documentation/howto.html#redirect

This describes how to set up OpenVPN so that all traffic is routed through the VPN -- the redirect-gateway command creates a static route to your gateway, deletes your default route, then adds a new default gateway that routes through the VPN. See also

The only step you're missing from that is to add a route to 192.168.x.x etc. which routes out your local interface. You can do this in one of several ways, two of which are:

  1. route network/IP [netmask] [gateway] [metric] (see the openvpn manual for more info) -- using this in openvpn config will have it set the routes for your rfc1918 addresses at vpn connect time

  2. Using your OS route command, add a static route to the routing table to tell it where to route RFC1918 addresses to. "route -p ADD 10.1.1.0 MASK 255.255.255.0 192.168.1.8". The -p command makes the static route persistent across reboots... if it's a non-Windows OS, then setting the routes is done in several ways, and making it persistent across reboots is also done in several different distro-specific ways, so just check Google for "create static route on " and you'll find the answer there.

Remember that more specific routing tables win over less specific, so adding a route for 192.168.x.x wins over a route to 0.0.0.0.

pb2q
CyberTech
    I appreciate your contributing to the answer, however, this is just another vague answer found all over the internet. He asked very specifically what he wants and provides his configuration file as well as the subnets he wants routed. What would be the EXACT OpenVPN command used in your number 1 example? Anyone? Seems like nobody has a real concrete answer on this. – Poltron Galantine Jun 25 '14 at 18:14
  • @PoltronGalantine: depends on the server config and the state of client-side routes. If all the server does is `push "route 0.0.0.0 0.0.0.0"` or `push "redirect-gateway def1"` and the `server` directive's IP range doesn't interfere with the desired subnets, then usually you *don't have to do anything* in the client OpenVPN config. Just ensure you have proper routes for 10.0.0.0/8 and 192.168.0.0/16 (i.e. you have those networks configured and up) and traffic to those subnets will be routed as desired (not through the VPN), because such routes are more specific than 0.0.0.0/0 or {0,128}.0.0.0/1 that OpenVPN would add. – drdaeman Jul 27 '14 at 20:51
  • Oh, and if the server doesn't push anything (or the client doesn't use the `client` directive but merely `tls-client`; or has `route-nopull`, which this question doesn't) then the desired line for the OpenVPN client config is `route 0.0.0.0 0.0.0.0`. That would add a default route through the VPN. More specific routes (like 10.0.0.0/8) would be preferred by the OS, so no special declarations are needed for them (except for some very specific use cases). – drdaeman Jul 27 '14 at 21:01
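As an added illustration (not part of the question, the answer or the comments), the longest-prefix-match rule that the answer and drdaeman's comments rely on, modelled in Python over a constructed routing table that mirrors what `redirect-gateway def1` leaves behind; the interface names, the LAN gateway 192.168.1.1 and OpenVPN's `net_gateway` route keyword are assumptions, not taken from the page.

```python
import ipaddress

# Constructed client routing table after "redirect-gateway def1" (assumed
# shape, not from the page): OpenVPN adds 0.0.0.0/1 and 128.0.0.0/1 via the
# tunnel, which together beat the untouched 0.0.0.0/0 default, plus a host
# route to the VPN server (remote 0.1.2.3 in the question) via the old
# gateway. The two RFC1918 routes are the ones the answer says to add.
ROUTES = [
    ("0.0.0.0/0",      "eth0", "192.168.1.1"),  # original default route
    ("0.0.0.0/1",      "tun0", None),           # added by redirect-gateway def1
    ("128.0.0.0/1",    "tun0", None),           # added by redirect-gateway def1
    ("0.1.2.3/32",     "eth0", "192.168.1.1"),  # host route to the VPN server
    ("10.0.0.0/8",     "eth0", None),           # private range kept off the VPN
    ("192.168.0.0/16", "eth0", None),           # private range kept off the VPN
]


def lookup(dst, routes=ROUTES):
    """Return (interface, gateway) of the most specific route matching dst.

    This is the "more specific wins" rule: among all routes containing the
    destination, the one with the longest prefix length is chosen.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def openvpn_exclusions(prefixes):
    """Client-config 'route' lines that send these prefixes out the LAN.

    'net_gateway' is OpenVPN's keyword for the pre-VPN default gateway
    (assumption about OpenVPN's route directive; the page does not show it).
    """
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f"route {net.network_address} {net.netmask} net_gateway")
    return lines


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.1.1.5", "192.168.1.20", "0.1.2.3"):
        print(dst, "->", lookup(dst))
    print("\n".join(openvpn_exclusions(["10.0.0.0/8", "192.168.0.0/16"])))
```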