
How to change OpenVPN client route gateway


I have OpenVPN 2.4 running very well, but a new requirement has come up. I need to create iptables rules for different client IP segments to give them access to a few services in our network.

So I decided to follow this document https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/

I think it works, because the client is getting the appropriate IP, but once connected the VPN-side network is unreachable.

I managed to make it work by doing this:

server side:

route add -net 10.8.1.0 netmask 255.255.255.0 dev tun0

client side (macOS)

sudo route add -net 10.8 -interface utun4
sudo route delete -net 192.168.13
sudo route add -net 192.168.13 10.8.0.1

The untouched routing table after connecting is this (truncated for convenience)

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.0.1        UGScg          en0
10.8.1.1           10.8.1.1           UH           utun4
127                127.0.0.1          UCS            lo0
127.0.0.1          127.0.0.1          UH             lo0
192.168.13         10.8.0.1           UGSc           en0

The problem that I saw is that the gateway assigned to the client is the same as the IP assigned to it (configured in ccd/user1).

What I need to do is route a wider range (10.8) to the tun interface and then route our LAN subnet (192.168.13) via the 10.8.0.1 gateway, which is the default.

Is it possible to replace these routes using only OpenVPN server configuration?

Here are my config files

server.conf

dev tun0
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_8UY7QzRl8yjjzVAx.crt
key /etc/openvpn/easy-rsa/pki/private/server_8UY7QzRl8yjjzVAx.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.13.5"
push "dhcp-option DNS 192.168.13.2"
push "block-outside-dns"
push "route 192.168.13.0 255.255.255.0"
push "redirect-private"

client-config-dir /etc/openvpn/ccd

client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

ccd/user1

ifconfig-push 10.8.1.1 10.8.1.2

I'll appreciate any help.
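The symptom in the routing table above (the pushed 192.168.13 route has gateway 10.8.0.1, but that gateway is only covered by the default route, so the kernel binds the LAN route to en0 instead of utun4) can be checked mechanically rather than by eye. The following is an added example, not code from the question or from OpenVPN: it parses a macOS "netstat -rn" style table, including the abbreviated classful destinations BSD prints ("192.168.13" for 192.168.13.0/24, "10.8" for 10.8.0.0/16), does the longest-prefix match the kernel does, follows the gateway hop, and reports which interface a LAN host would actually be reached through. The "before" table is taken from the post; the "after" table is constructed to show the same table once a 10.8/16 route to utun4 exists. The function and variable names are this example's own.

```python
"""Check whether a pushed OpenVPN route really egresses via the tunnel.

Added example for the routing problem in the question; not part of the
question, of OpenVPN, or of macOS. Parses BSD/macOS `netstat -rn` output,
performs longest-prefix matching, resolves the next-hop gateway and tells
you which interface traffic for a LAN host would leave on. A LAN route whose
gateway resolves to the physical interface (en0) means the LAN is unreachable
and those packets leave the machine outside the tunnel.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # an IP, "link#N", or an interface name such as "utun4"
    flags: str
    netif: str


def _parse_destination(dest: str, flags: str) -> ipaddress.IPv4Network:
    """Expand BSD shorthand: 'default', '127', '10.8', '192.168.13', '10.8.0/24', '10.8.1.1'."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    prefix = None
    if "/" in dest:
        dest, plen = dest.split("/", 1)
        prefix = int(plen)
    octets = dest.split(".")
    if prefix is None:
        # Host routes (flag H) and full 4-octet entries are /32. Otherwise netstat
        # has dropped trailing zero octets and the prefix is 8 bits per octet shown.
        prefix = 32 if ("H" in flags or len(octets) == 4) else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{prefix}", strict=False)


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Internet:", "Destination"):
            continue  # section header or column header
        try:
            net = _parse_destination(parts[0], parts[2])
        except ValueError:
            continue  # IPv6 or link-layer entries are not modelled here
        routes.append(Route(net, parts[1], parts[2], parts[3]))
    return routes


def _is_ip(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def lookup(routes: List[Route], ip: str, exclude: Optional[Route] = None) -> Optional[Route]:
    """Longest-prefix match; `exclude` skips the route whose gateway we are resolving."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for r in routes:
        if r is exclude or addr not in r.network:
            continue
        if best is None or r.network.prefixlen > best.network.prefixlen:
            best = r
    return best


def egress_for(routes: List[Route], dest_ip: str) -> str:
    """Interface a packet to dest_ip leaves on, following one gateway hop like the kernel."""
    r = lookup(routes, dest_ip)
    if r is None:
        return "none"
    # Interface/link-level routes and host routes pointing at themselves are on-link.
    if not _is_ip(r.gateway) or "H" in r.flags:
        return r.netif
    hop = lookup(routes, r.gateway, exclude=r)
    return hop.netif if hop else "none"


def vpn_route_ok(table_text: str, lan_host: str, vpn_if: str) -> Tuple[str, bool]:
    """Return (egress interface, True if it is the VPN interface)."""
    egress = egress_for(parse_routes(table_text), lan_host)
    return egress, egress == vpn_if


# Table as posted in the question (gateway 10.8.0.1 only reachable via default -> en0).
BEFORE = """Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.0.1        UGScg          en0
10.8.1.1           10.8.1.1           UH           utun4
127                127.0.0.1          UCS            lo0
127.0.0.1          127.0.0.1          UH             lo0
192.168.13         10.8.0.1           UGSc           en0
"""

# Constructed table after `route add -net 10.8 -interface utun4` and re-adding the LAN route.
AFTER = """Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.0.1        UGScg          en0
10.8               utun4              USc          utun4
10.8.1.1           10.8.1.1           UH           utun4
127                127.0.0.1          UCS            lo0
127.0.0.1          127.0.0.1          UH             lo0
192.168.13         10.8.0.1           UGSc         utun4
"""

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        egress, ok = vpn_route_ok(table, "192.168.13.5", "utun4")
        print(f"{name}: 192.168.13.5 leaves via {egress} -> {'OK' if ok else 'NOT via VPN'}")
```

Run it against `netstat -rn` output from the client to see where the pushed LAN route actually lands; the check fails on the posted table because nothing except the default route covers 10.8.0.1, and passes once a route for the 10.8/16 range points at the tunnel interface.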


