25/03/2010
Using OpenVPN to route a specific subnet to the VPN
I have an OpenVPN server that uses the push "redirect-gateway" directive. This directive changes the client's default gateway to the OpenVPN server, but what I wanted was to connect to the VPN and reach only a specific subnet (e.g. 100.200.100.0/24) through it, without changing the server config (other people rely on it as their default gateway).
In the client config I removed the “client” directive and replaced it with these commands:
tls-client
ifconfig 172.18.0.6 172.18.0.5
route 172.18.0.0 255.255.255.0
route 100.200.100.0 255.255.255.0
What the previous lines do:
tls-client: Acts as a client! (“client” is an alias for “tls-client” + “pull”, but I don’t like what “pull” did: it changed my default route.)
ifconfig 172.18.0.6 172.18.0.5: The tun0 interface will have IP 172.18.0.6 on our side and 172.18.0.5 on the server side. The IPs are not random; they are the ones OpenVPN used to assign me while I was using the “client” directive.
route 172.18.0.0 255.255.255.0: Route all packets for 172.18.0.0/24 via the tun0 interface. I needed this route to reach services running on the OpenVPN server itself (172.18.0.1).
route 100.200.100.0 255.255.255.0: Route all packets for 100.200.100.0/24 via the tun0 interface.
A traceroute to 100.200.100.1 now shows that I am reaching that subnet through the VPN.
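Traceroute shows the subnet path, but it does not prove that the default route was left alone. The following POSIX shell script is an added example, not code from the original post: it inspects `ip route show` output and reports whether the default gateway still leaves over the original interface (neither replaced by tun0, as a plain redirect-gateway does, nor overridden by the 0.0.0.0/1 and 128.0.0.0/1 pair that the def1 flag installs) while the wanted subnet goes via tun0. The two routing tables embedded below are constructed samples using the addresses from the post; the 192.168.1.0/24 LAN, the eth0 interface and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies, from `ip route show`
# output, that only the intended subnets use the VPN and the default route
# was not redirected. Sample tables below are constructed for offline use.

# Constructed sample: routes after connecting with the
# tls-client / ifconfig / route config from the post.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
100.200.100.0/24 via 172.18.0.5 dev tun0
172.18.0.0/24 via 172.18.0.5 dev tun0
172.18.0.5 dev tun0 proto kernel scope link src 172.18.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

# Constructed sample: what "client" + push "redirect-gateway" leaves behind.
# The default route now points at the VPN and only the VPN server itself
# (assumed here to be 203.0.113.10) is still reached over eth0.
SAMPLE_REDIRECTED='default via 172.18.0.5 dev tun0
100.200.100.0/24 via 172.18.0.5 dev tun0
172.18.0.5 dev tun0 proto kernel scope link src 172.18.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
203.0.113.10 via 192.168.1.1 dev eth0'

# Print the interface carrying an exact destination prefix (empty if absent).
# Usage: route_dev "<ip route output>" <prefix|default>
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Return 0 when internet traffic still leaves over the original interface:
# the default route is not on tun0 and neither 0.0.0.0/1 nor 128.0.0.0/1
# (the pair "redirect-gateway def1" installs) is present.
default_not_hijacked() {
    [ "$(route_dev "$1" default)" != "tun0" ] || return 1
    [ -z "$(route_dev "$1" 0.0.0.0/1)" ] || return 1
    [ -z "$(route_dev "$1" 128.0.0.0/1)" ] || return 1
    return 0
}

# Return 0 when the given subnet is routed over tun0.
subnet_via_vpn() {
    [ "$(route_dev "$1" "$2")" = "tun0" ]
}

# Combined check for the setup described in the post.
check_routes() {
    default_not_hijacked "$1" && subnet_via_vpn "$1" 100.200.100.0/24
}

# Live usage on a Linux client (commented out so the script runs offline):
# check_routes "$(ip route show)" && echo "only the VPN subnet uses tun0"
```

Run it after the tunnel is up; a non-zero exit means either the default gateway moved onto tun0 or the subnet route is missing, which is exactly the situation the config above is meant to avoid.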
Filed by kargig at 11:25 under Linux,Networking,Privacy
Tags: client, Linux, Networking, openvpn, Privacy, route, server, vpn
What about the case where the IPs obtained are not consistent, either for the client (172.18.0.6) or for the server (172.18.0.5)?
Hi,
just a short notice, as I stumbled upon this:
If you leave “client” and put “route-nopull” in addition (at least when using a tap device), then you are fine already and do not need to put specific IP addresses.