OpenVPN Client - want only selected IPs for VPN
Riffer, DD-WRT Novice (Joined: 01 Mar 2008, Posts: 33)
Posted: Wed Jun 24, 2015 19:44
Post subject: OpenVPN Client - want only selected IPs for VPN
I have OpenVPN running, but I do not want to pass all my traffic over the VPN, only some IPs.
My best Google result for a solution is from here.
An example says to split the traffic using these commands:
Quote:
route-nopull
route vpn.exampletronix.com 255.255.255.255 net_gateway
route secretnet.exampletronix.com 255.255.255.255 vpn_gateway
route 192.168.1.0 255.255.255.0 vpn_gateway
I thought I understood this use case, but it does not work for me:
Quote:
route 192.168.0.162 255.255.255.255 vpn_gateway
route 192.168.0.0 255.255.255.0 net_gateway
After the VPN comes up my whole internal network is down, and I only got it back by pulling the modem plug, rebooting the router and pushing
nvram set openvpncl_enable=0
nvram commit
over the telnet interface to make it work again.
So I beg your help in this case. How can it be done? I want to tunnel only some but not all IPs over the VPN.
I did another test now:
Quote:
route-nopull
route 192.168.0.162 255.255.255.255 vpn_gateway
route 192.168.0.249 255.255.255.255 net_gateway
Here is what I got in the log:
Quote:
Clientlog:
20150624 21:45:21 I OpenVPN 2.3.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 1 2015
20150624 21:45:21 I library versions: OpenSSL 1.0.2 22 Jan 2015 LZO 2.08
20150624 21:45:21 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20150624 21:45:21 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20150624 21:45:21 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20150624 21:45:21 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20150624 21:45:21 Socket Buffers: R=[180224->131072] S=[180224->131072]
20150624 21:45:21 I UDPv4 link local: [undef]
20150624 21:45:21 I UDPv4 link remote: [AF_INET]109.201.137.1:3478
20150624 21:45:21 TLS: Initial packet from [AF_INET]109.201.137.1:3478 sid=fa34eebb 627ea95c
20150624 21:45:21 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20150624 21:45:22 VERIFY OK: depth=2 C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert High Assurance EV Root CA
20150624 21:45:22 VERIFY OK: depth=1 C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert High Assurance CA-3
20150624 21:45:22 VERIFY OK: depth=0 C=MY ST=Wilayah Persekutuan L=Labuan O=eVenture Limited CN=*.hide.me
20150624 21:45:22 NOTE: --mute triggered...
20150624 21:45:22 5 variation(s) on previous 3 message(s) suppressed by --mute
20150624 21:45:22 I [*.hide.me] Peer Connection Initiated with [AF_INET]109.201.137.1:3478
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'state'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'state'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'state'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'status 2'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:45:23 D MANAGEMENT: CMD 'log 500'
20150624 21:45:23 MANAGEMENT: Client disconnected
20150624 21:45:24 SENT CONTROL [*.hide.me]: 'PUSH_REQUEST' (status=1)
20150624 21:45:24 PUSH: Received control message: 'PUSH_REPLY dhcp-option DNS 208.67.222.222 dhcp-option DNS 208.67.220.220 topology subnet ping 5 ping-restart 15 explicit-exit-notify route-gateway 10.3.49.204 redirect-gateway ifconfig 10.3.49.204 255.255.255.0'
20150624 21:45:24 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20150624 21:45:24 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20150624 21:45:24 N Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
20150624 21:45:24 OPTIONS IMPORT: timers and/or timeouts modified
20150624 21:45:24 OPTIONS IMPORT: explicit notify parm(s) modified
20150624 21:45:24 OPTIONS IMPORT: --ifconfig/up options modified
20150624 21:45:24 NOTE: --mute triggered...
20150624 21:45:24 1 variation(s) on previous 3 message(s) suppressed by --mute
20150624 21:45:24 I TUN/TAP device tun1 opened
20150624 21:45:24 TUN/TAP TX queue length set to 100
20150624 21:45:24 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20150624 21:45:24 I /sbin/ifconfig tun1 10.3.49.204 netmask 255.255.255.0 mtu 1500 broadcast 10.3.49.255
20150624 21:45:24 /sbin/route add -net 192.168.0.162 netmask 255.255.255.255 gw 10.3.49.204
20150624 21:45:24 /sbin/route add -net 192.168.0.249 netmask 255.255.255.255 gw 192.168.1.1
20150624 21:45:25 I Initialization Sequence Completed
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'state'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'state'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'state'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'status 2'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:46:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:46:55 D MANAGEMENT: CMD 'log 500'
20150624 21:46:55 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'state'
20150624 21:48:58 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'state'
20150624 21:48:58 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'state'
20150624 21:48:58 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'status 2'
20150624 21:48:58 MANAGEMENT: Client disconnected
20150624 21:48:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150624 21:48:58 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00
ca /tmp/openvpncl/ca.crt management 127.0.0.1 16 management-log-cache 100 verb 3 mute 3 syslog writepid /var/run/openvpncl.pid client resolv-retry infinite nobind persist-key persist-tun script-security 2 dev tun1 proto udp cipher aes-128-cbc auth sha1 auth-user-pass /tmp/openvpncl/credentials remote nl.hide.me 3478 tun-mtu 1500 mtu-disc yes fast-io tun-ipv6 nobind persist-key persist-tun mute-replay-warnings reneg-sec 0 route-nopull route 192.168.0.162 255.255.255.255 vpn_gateway route 192.168.0.249 255.255.255.255 net_gateway
As far as I understand,
Quote:
20150624 21:45:24 /sbin/route add -net 192.168.0.162 netmask 255.255.255.255 gw 10.3.49.204
20150624 21:45:24 /sbin/route add -net 192.168.0.249 netmask 255.255.255.255 gw 192.168.1.1
looks good. But after this I cannot open any Web address on clients with 192.168.0.162 or 192.168.0.249. Other IPs at the same time have no problem.
What am I doing wrong here?
Riffer, DD-WRT Novice (Joined: 01 Mar 2008, Posts: 33)
Posted: Fri Jun 26, 2015 8:38
Solution:
I removed
Quote:
route-nopull
route 192.168.0.162 255.255.255.255 vpn_gateway
route 192.168.0.249 255.255.255.255 net_gateway
and added 192.168.0.111/32 to policy based routing.
According to http://jodies.de/ipcalc?host=192.168.0.111&mask1=32&mask2= that's a mask for only one IP, and only 192.168.0.111 uses the VPN tunnel for now.
To have more systems using it I could change the policy mask to cover more than one IP address.
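An added illustration, not code from the thread or from DD-WRT, of why the two approaches in this thread behave differently: an OpenVPN `route` directive installs a destination route in the kernel table (the posted log shows `/sbin/route add -net 192.168.0.162 ... gw 10.3.49.204`), while the policy based routing field installs a source-based rule of the `ip rule from <host>` kind. The route tables, the rule and the 203.0.113.10 internet address below are constructed models of the posted configuration, not captured from a router.

```python
import ipaddress
N = ipaddress.ip_network

def longest_prefix_match(table, dst):
    """Kernel-style lookup: the most specific prefix containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

def select_route(src, dst, rules, tables):
    """Policy rules ('ip rule ... from <src>') pick a table by SOURCE address;
    that table, and finally 'main', are then searched by DESTINATION."""
    src_ip = ipaddress.ip_address(src)
    for src_net, table_name in rules:
        if src_ip in src_net:
            hit = longest_prefix_match(tables[table_name], dst)
            if hit:
                return hit[1]
    hit = longest_prefix_match(tables["main"], dst)
    return hit[1] if hit else "unreachable"

# Constructed model of the router's main table after the second attempt: LAN on
# br0, default via the WAN gateway, plus the two routes OpenVPN installed.
ATTEMPT_TABLES = {"main": [
    (N("0.0.0.0/0"), "wan 192.168.1.1"),
    (N("192.168.0.0/24"), "br0"),
    (N("192.168.0.162/32"), "tun1 10.3.49.204"),  # route ... vpn_gateway
    (N("192.168.0.249/32"), "wan 192.168.1.1"),   # route ... net_gateway
]}

# Constructed model of the solution post: no 'route' directives; one policy rule
# sends traffic FROM 192.168.0.111 to a table whose default route is the tunnel.
SOLUTION_RULES = [(N("192.168.0.111/32"), "vpn")]
SOLUTION_TABLES = {
    "main": [(N("0.0.0.0/0"), "wan 192.168.1.1"), (N("192.168.0.0/24"), "br0")],
    "vpn": [(N("0.0.0.0/0"), "tun1 10.3.49.204"), (N("192.168.0.0/24"), "br0")],
}

def demo():
    """Where the same packets go under each configuration."""
    return {
        "attempt: .162 -> internet": select_route("192.168.0.162", "203.0.113.10", [], ATTEMPT_TABLES),
        "attempt: reply -> .162": select_route("203.0.113.10", "192.168.0.162", [], ATTEMPT_TABLES),
        "solution: .111 -> internet": select_route("192.168.0.111", "203.0.113.10", SOLUTION_RULES, SOLUTION_TABLES),
    }
```

With the destination routes of the first attempt, outbound traffic from 192.168.0.162 still leaves via the WAN default, but every packet addressed to 192.168.0.162 is sent into the tunnel, which is what cuts that host off; the source rule of the solution steers only that host's own traffic into tun1 and leaves LAN-to-LAN traffic on br0.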