Routing Specific IP over OpenVPN


pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Routing Specific IP over OpenVPN

Post by pbix »

I have two houses these days and I have installed OpenVPN on my routers and it's been working flawlessly.

Both router1 & router2 are connected to the Internet with VPN between them. They have separate subnets.

Now I want to route connections to a specific public IP address to go through the VPN link such that they always appear to come from router1's WAN address. On router2 I added a route in the route table for this specific IP address.

After adding the route I do a ping from router2, no response. I attempt to open a TCP connection and I see conntrack entries that look perfect in router2. But router1 seems to be ignoring this traffic. No conntrack entry. I looked in all the iptable entries on router1 and I do not see anything that should reject this traffic.

So now I am confused and seeking some clues. Please help if you can.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Routing Specific IP over OpenVPN

Post by ispyisail »

From the web:

How can I configure the OpenVPN client to ONLY route traffic through the VPN that is destined for a single, specific IP address?

Add to the server config:

Code:

push "route 10.8.0.x 255.255.255.255"

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Routing Specific IP over OpenVPN

Post by ispyisail »

This is my server config

/etc/openvpn/server.conf

Code:

mode                  server
port                  1194
proto                 udp
tls-server
ifconfig              10.8.0.1 255.255.255.0
topology              subnet
client-config-dir     /etc/openvpn/ccd
client-to-client

cipher                BF-CBC
keysize               128

dev                   tun
keepalive             25 180
status                /var/run/openvpn_status
verb                  3

dh                    /etc/openvpn/dh1024.pem
ca                    /etc/openvpn/ca.crt
cert                  /etc/openvpn/server.crt
key                   /etc/openvpn/server.key
tls-auth              /etc/openvpn/ta.key 0

persist-key
persist-tun
comp-lzo

push "topology subnet"
push "route-gateway 10.8.0.1"

route 192.168.25.0 255.255.255.0 10.8.0.2
route 192.168.10.0 255.255.255.0 10.8.0.4
route 192.168.15.0 255.255.255.0 10.8.0.10
route 192.168.99.0 255.255.255.0 10.8.0.11
route 192.168.1.0 255.255.255.0 10.8.0.3

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Routing Specific IP over OpenVPN

Post by ispyisail »

Suspect the config will be different depending on if your source is behind the VPN server or client?

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Routing Specific IP over OpenVPN

Post by pbix »

The source is any machine on the OpenVPN router2 LAN. These addresses are 192.168.2.x.

I want traffic to this one public IP to route through the VPN to the other router1 (the VPN client).

I tried your suggestion. The router table on router2 is modified to be pretty much what I previously had, but your solution seems cleaner.

Still it seems that when the traffic gets to router1 it does not go anywhere. Pings do not get any response.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Routing Specific IP over OpenVPN

Post by ispyisail »

Did you try

Code:

push "route x.x.x.x 255.255.255.255 10.8.0.1"

where x.x.x.x is your destination address and 10.8.0.1 is your Gargoyle OpenVPN server address

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Routing Specific IP over OpenVPN

Post by pbix »

I want to route through the openvpn client. How does adding a route to the openvpn server help? Am I missing something?
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Routing Specific IP over OpenVPN

Post by ispyisail »

My understanding was "push" was pushing it to the client?

Pushed to client

Code:

push "topology subnet"
push "route-gateway 10.8.0.1"

For routes behind the server

Code:

route 192.168.25.0 255.255.255.0 10.8.0.2
route 192.168.10.0 255.255.255.0 10.8.0.4
route 192.168.15.0 255.255.255.0 10.8.0.10
route 192.168.99.0 255.255.255.0 10.8.0.11
route 192.168.1.0 255.255.255.0 10.8.0.3

Could be wrong

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Routing Specific IP over OpenVPN

Post by ispyisail »

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Routing Specific IP over OpenVPN

Post by pbix »

# Push routes to the client to allow it
I guess this refers to the openvpn client? In my case that is 192.168.5.1.

Code:

root@tpwifi:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.xx.xx     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.2.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
192.168.5.0     *               255.255.255.0   U     0      0        0 br-lan
root@tpwifi:~#

Above are the routes in the client. It already seems to have the routes it needs according to the comment you posted. And there are currently no "push" statements in server.conf.

Also when I add a "push" in server.conf I do not see any effect in the client's route table.

Routes in the server look like this.

Code:

root@BixelRouter:/etc/openvpn# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.xx.xx     0.0.0.0         UG    0      0        0 eth1
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
66.175.212.222  10.8.0.2        255.255.255.255 UGH   0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.5.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0

The IP 66.175.212.222 is the one IP I am trying to route through the VPN.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM
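
The two route tables posted above can be checked mechanically. The following is an added example, not code from the thread: it runs a longest-prefix lookup over both tables to show where a packet for 66.175.212.222 goes on each router, and flags kernel routes through tun0 that have no matching OpenVPN `iroute`. The `CCD` mapping is an assumption (the thread does not show the ccd files) and is keyed by client VPN address for brevity, whereas real ccd files are named by client common name.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str   # "*" means directly connected
    iface: str

# Route tables as posted in the thread (WAN gateway masked as xx.xx.xx.xx).
SERVER = """\
default         xx.xx.xx.xx     0.0.0.0         UG    0      0        0 eth1
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
66.175.212.222  10.8.0.2        255.255.255.255 UGH   0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.5.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
"""
CLIENT = """\
default         xx.xx.xx.xx     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.2.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
192.168.5.0     *               255.255.255.0   U     0      0        0 br-lan
"""

def parse(text):
    """Parse the body rows of `route` output into Route tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        dest = "0.0.0.0" if dest == "default" else dest
        routes.append(Route(ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return routes

def lookup(routes, ip):
    """Longest-prefix match, as the kernel does for a destination."""
    addr = ipaddress.ip_address(ip)
    return max((r for r in routes if addr in r.net), key=lambda r: r.net.prefixlen)

def missing_iroutes(routes, ccd, tun="tun0"):
    """Kernel routes via a VPN client that no iroute in that client's ccd covers."""
    return [str(r.net) for r in routes
            if r.iface == tun and r.gateway != "*"
            and not any(r.net.subnet_of(ipaddress.ip_network(n))
                        for n in ccd.get(r.gateway, []))]

# Assumed ccd contents (not shown in the thread): client 10.8.0.2 owns its LAN only.
CCD = {"10.8.0.2": ["192.168.5.0/24"]}

if __name__ == "__main__":
    print(lookup(parse(SERVER), "66.175.212.222"))  # server hands it to the tunnel
    print(lookup(parse(CLIENT), "66.175.212.222"))  # client would send it out its WAN
    print(lookup(parse(CLIENT), "192.168.2.10"))    # replies return through the tunnel
    print(missing_iroutes(parse(SERVER), CCD))
```

On a multi-client tun server the kernel route only hands the packet to OpenVPN; the server then needs an `iroute` for the destination to pick a client, and the client still has to forward and masquerade it out its WAN.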
