I have an openvpn 2.4 running very well, but a new requirement has come up. I need to create iptables rules for different client ip segments to give them access to a few services in our network.
So I decided to follow this document https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/
I think it works, because the client is getting the appropriate ip, but once connected the vpn side network is unreachable.
I managed to make it work by doing this:
server side:
route add -net 10.8.1.0 netmask 255.255.255.0 dev tun0
client side (macos):
sudo route add -net 10.8 -interface utun4
sudo route delete -net 192.168.13
sudo route add -net 192.168.13 10.8.0.1
The untouched routing table after connecting is this (truncated for convenience):
Internet:
Destination Gateway Flags Netif Expire
default 192.168.0.1 UGScg en0
10.8.1.1 10.8.1.1 UH utun4
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
192.168.13 10.8.0.1 UGSc en0
The problem that I saw is the gateway assigned for the client is the same as the ip assigned to him (configured in ccd/user1).
What I need to do is to route a wider range (10.8) to the tun interface and then route our lan subnet (192.168.13) via 10.8.0.1 gateway, which is the default.
Is it possible to replace these routes only with openvpn server configuration?
Here are my config files:
server.conf
dev tun0
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_8UY7QzRl8yjjzVAx.crt
key /etc/openvpn/easy-rsa/pki/private/server_8UY7QzRl8yjjzVAx.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.13.5"
push "dhcp-option DNS 192.168.13.2"
push "block-outside-dns"
push "route 192.168.13.0 255.255.255.0"
push "redirect-private"
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
ccd/user1
ifconfig-push 10.8.1.1 10.8.1.2
I'd appreciate any help.
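As an added illustration (not from the question or the linked document), assuming the tunnel network can be widened to a /16 and the LAN sits on eth0, this is how the same per-segment addressing and firewall policy can be expressed with server-side configuration alone; the user2 entry and the 192.168.13.2:443 service are constructed for the example.

```conf
# server.conf: widen the tunnel to a /16 so that 10.8.0.1, the route-gateway
# the "server" helper pushes, is on-link for every per-client /24 (10.8.1.0/24,
# 10.8.2.0/24, ...). The dynamic pool then spans 10.8.0.2-10.8.255.254, so the
# static addresses below are assumed to sit where pool clients will not collide.
topology subnet
server 10.8.0.0 255.255.0.0
push "route 192.168.13.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd

# ccd/user1: with "topology subnet" the second argument of ifconfig-push is the
# client's NETMASK ("local remote" is net30 syntax), so the client becomes
# 10.8.1.1/16 and reaches 10.8.0.1 through the tunnel, no manual routes needed.
ifconfig-push 10.8.1.1 255.255.0.0

# ccd/user2 (constructed): a second client segment with its own access policy
ifconfig-push 10.8.2.1 255.255.0.0

# Server firewall (shell commands, not OpenVPN directives; assumes ip_forward is
# enabled). Each segment only reaches the services it needs; everything else from
# the tunnel towards the LAN is dropped.
#   iptables -A FORWARD -i tun0 -o eth0 -s 10.8.1.0/24 -d 192.168.13.5 -p udp --dport 53  -j ACCEPT
#   iptables -A FORWARD -i tun0 -o eth0 -s 10.8.2.0/24 -d 192.168.13.2 -p tcp --dport 443 -j ACCEPT
#   iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -i tun0 -o eth0 -j DROP
```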