OpenVPN Client - want only selected IPs for VPN

Riffer
DD-WRT Novice


Joined: 01 Mar 2008
Posts: 33

PostPosted: Wed Jun 24, 2015 19:44    Post subject: OpenVPN Client - want only selected IPs for VPN
I have OpenVPN running, but I do not want to pass all my traffic over the VPN, only some IPs.

My best Google result for a solution is from here.

An example says that to split the traffic you use these commands:

Quote:
route-nopull
route vpn.exampletronix.com 255.255.255.255 net_gateway
route secretnet.exampletronix.com 255.255.255.255 vpn_gateway
route 192.168.1.0 255.255.255.0 vpn_gateway


I thought I understood this use case, but it does not work for me:

Quote:
route 192.168.0.162 255.255.255.255 vpn_gateway
route 192.168.0.0 255.255.255.0 net_gateway


After the VPN comes up, my whole internal network is down, and I only get it back by pulling the modem plug, rebooting the router and pushing

nvram set openvpncl_enable=0
nvram commit

over the telnet interface to make it work again for me.

So I beg your help in this case. How can it be done? I want to tunnel only some but not all IPs over the VPN.

I did another test now:

Quote:
route-nopull
route 192.168.0.162 255.255.255.255 vpn_gateway
route 192.168.0.249 255.255.255.255 net_gateway


Here is what I got in the log:

Quote:
Clientlog:
20150624 21:45:21 I OpenVPN 2.3.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 1 2015
20150624 21:45:21 I library versions: OpenSSL 1.0.2 22 Jan 2015 LZO 2.08
20150624 21:45:21 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20150624 21:45:21 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20150624 21:45:21 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20150624 21:45:21 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20150624 21:45:21 Socket Buffers: R=[180224->131072] S=[180224->131072]
20150624 21:45:21 I UDPv4 link local: [undef]
20150624 21:45:21 I UDPv4 link remote: [AF_INET]109.201.137.1:3478
20150624 21:45:21 TLS: Initial packet from [AF_INET]109.201.137.1:3478 sid=fa34eebb 627ea95c
20150624 21:45:21 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20150624 21:45:22 VERIFY OK: depth=2 C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert High Assurance EV Root CA
20150624 21:45:22 VERIFY OK: depth=1 C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert High Assurance CA-3
20150624 21:45:22 VERIFY OK: depth=0 C=MY ST=Wilayah Persekutuan L=Labuan O=eVenture Limited CN=*.hide.me
20150624 21:45:22 NOTE: --mute triggered...
20150624 21:45:22 5 variation(s) on previous 3 message(s) suppressed by --mute
20150624 21:45:22 I [*.hide.me] Peer Connection Initiated with [AF_INET]109.201.137.1:3478
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'state'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'state'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'state'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'status 2'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'log 500'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:24 SENT CONTROL [*.hide.me]: 'PUSH_REQUEST' (status=1)
20150624 21:45:24 PUSH: Received control message: 'PUSH_REPLY dhcp-option DNS 208.67.222.222 dhcp-option DNS 208.67.220.220 topology subnet ping 5 ping-restart 15 explicit-exit-notify route-gateway 10.3.49.204 redirect-gateway ifconfig 10.3.49.204 255.255.255.0'
20150624 21:45:24 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20150624 21:45:24 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20150624 21:45:24 N Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
20150624 21:45:24 OPTIONS IMPORT: timers and/or timeouts modified
20150624 21:45:24 OPTIONS IMPORT: explicit notify parm(s) modified
20150624 21:45:24 OPTIONS IMPORT: --ifconfig/up options modified
20150624 21:45:24 NOTE: --mute triggered...
20150624 21:45:24 1 variation(s) on previous 3 message(s) suppressed by --mute
20150624 21:45:24 I TUN/TAP device tun1 opened
20150624 21:45:24 TUN/TAP TX queue length set to 100
20150624 21:45:24 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20150624 21:45:24 I /sbin/ifconfig tun1 10.3.49.204 netmask 255.255.255.0 mtu 1500 broadcast 10.3.49.255
20150624 21:45:24 /sbin/route add -net 192.168.0.162 netmask 255.255.255.255 gw 10.3.49.204
20150624 21:45:24 /sbin/route add -net 192.168.0.249 netmask 255.255.255.255 gw 192.168.1.1
20150624 21:45:25 I Initialization Sequence Completed
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'state'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'state'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'state'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'status 2'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'log 500'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'state'
20150624 21:48:58 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'state'
20150624 21:48:58 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'state'
20150624 21:48:58 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'status 2'
20150624 21:48:58 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00

ca /tmp/openvpncl/ca.crt management 127.0.0.1 16 management-log-cache 100 verb 3 mute 3 syslog writepid /var/run/openvpncl.pid client resolv-retry infinite nobind persist-key persist-tun script-security 2 dev tun1 proto udp cipher aes-128-cbc auth sha1 auth-user-pass /tmp/openvpncl/credentials remote nl.hide.me 3478 tun-mtu 1500 mtu-disc yes fast-io tun-ipv6 nobind persist-key persist-tun mute-replay-warnings reneg-sec 0 route-nopull route 192.168.0.162 255.255.255.255 vpn_gateway route 192.168.0.249 255.255.255.255 net_gateway


As far as I understand

Quote:
20150624 21:45:24 /sbin/route add -net 192.168.0.162 netmask 255.255.255.255 gw 10.3.49.204
20150624 21:45:24 /sbin/route add -net 192.168.0.249 netmask 255.255.255.255 gw 192.168.1.1


looks good. But after this I cannot open any Web address on clients with 192.168.0.162 or 192.168.0.249. Other IPs at the same time have no problem.

What am I doing wrong here?
Riffer
DD-WRT Novice


Joined: 01 Mar 2008
Posts: 33

PostPosted: Fri Jun 26, 2015 8:38    Post subject:
Solution:

I removed

Quote:
route-nopull
route 192.168.0.162 255.255.255.255 vpn_gateway
route 192.168.0.249 255.255.255.255 net_gateway


and added

192.168.0.111/32 to policy based routing.

According to
http://jodies.de/ipcalc?host=192.168.0.111&mask1=32&mask2=

that's a mask for only one IP, and only 192.168.0.111 uses the VPN tunnel for now.

To have more systems using it I could change the policy mask to cover more than one IP address.
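Added example, not code from this thread or from DD-WRT: a small POSIX shell script showing what the "policy based routing" entry does underneath, so the difference between the two approaches in the thread is visible. OpenVPN's `route` directive adds kernel routes keyed on the destination address (the log above shows exactly that: `/sbin/route add -net 192.168.0.162 ... gw 10.3.49.204`), so it cannot choose which LAN client uses the tunnel; instead it sent the router's own replies to 192.168.0.162 into the tunnel, which is why those clients lost connectivity. Selecting by source address needs an `ip rule` plus a separate routing table, which is what the GUI field configures. The script takes the tunnel interface `tun1` and gateway `10.3.49.204` from the log; the table number 200, the function names, and the second address block 192.168.0.160/29 (a constructed example of widening the mask to cover 8 addresses) are my own choices. By default it only prints the commands (DRY_RUN=1); applying them needs root on the router.

```shell
#!/bin/sh
# Policy-based routing by SOURCE address for an OpenVPN client on a Linux
# router. Added example; not DD-WRT's own implementation.
# Assumptions (not from the thread): routing table 200; tun1 / 10.3.49.204
# are the tunnel interface and gateway that appear in the OpenVPN log.

TUN_IF="${TUN_IF:-tun1}"
TUN_GW="${TUN_GW:-10.3.49.204}"
PBR_TABLE="${PBR_TABLE:-200}"

# prefix_to_netmask 32 -> 255.255.255.255 ; prefix_to_netmask 24 -> 255.255.255.0
# (what ipcalc shows: a /32 mask matches exactly one address)
prefix_to_netmask() {
    p="$1"
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    if [ "$p" -eq 0 ]; then
        m=0
    else
        # 4294967295 = 0xFFFFFFFF; keep only the top p bits set
        m=$(( (4294967295 << (32 - p)) & 4294967295 ))
    fi
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# prefix_host_count 32 -> 1 ; prefix_host_count 29 -> 8
# (number of addresses a prefix covers; widening the mask adds clients)
prefix_host_count() {
    echo $(( 1 << (32 - $1) ))
}

# pbr_commands <addr-or-cidr>... : print the commands that steer packets FROM
# those LAN addresses through the tunnel, while every other client keeps the
# normal default route. A bare address is treated as a /32 (single host).
pbr_commands() {
    # table 200 has only a default route through the tunnel
    echo "ip route replace default via $TUN_GW dev $TUN_IF table $PBR_TABLE"
    for src in "$@"; do
        case "$src" in
            */*) ;;                 # already in CIDR form
            *)   src="$src/32" ;;   # single host
        esac
        # the rule is what selects by source; plain routes cannot do this
        echo "ip rule add from $src table $PBR_TABLE"
    done
    echo "ip route flush cache"
}

# pbr_apply <addr-or-cidr>... : run the commands, or just show them when
# DRY_RUN=1 (the default, so the script is safe to try without root).
pbr_apply() {
    pbr_commands "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "+ $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Example run: one host as in the solution post, plus a constructed /29 block.
pbr_apply 192.168.0.111 192.168.0.160/29
```

Two points worth checking after applying this on a router: `ip rule show` should list the `from ... lookup 200` entries, and `ip route show table 200` should contain only the tunnel default route. Note that these are IPv4 rules only; the client config above enables `tun-ipv6`, and IPv6 traffic from the selected hosts would not follow them unless matching `ip -6 rule` entries are added, so an IPv6-capable client could still reach the internet outside the tunnel.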
All times are GMT