Score:0

VPN Connection to specific URL only

ng flag

I've installed OpenVPN server on my Ubuntu server via https://git.io/vpn and it works like a charm! However, a new request came in and it is rather complicated.

You see, the clients connecting to this VPN are doing so because we have limited access to some URLs we manage. They need a specific IP to access it, thus they are using the VPN. The problem is, their whole traffic goes through the VPN. We need to forward the traffic through the VPN server only if the URL contains the specific domain we've restricted. Everything else needs to go through their own ISP.

In layman's terms: if the VPN is connected, use the local client's internet connection EXCEPT if the URL equals example.com.

I'm not a big VPN magician, can you aid me a little?

Score:2
ar flag

OpenVPN works on Layer 3. That means you can't generally route based on names, but on IP.

What you are looking for is split tunnel routing, not replacing default route.

What you're looking for is the push route.

You simply remove any routing configuration you have, and include something like the following in the server config:

push "route 10.1.1.1 255.255.255.255 10.0.2.1"

This will add a route to 10.1.1.1/32 via 10.0.2.1 on the client.

Bert avatar
ng flag
Thank you! I'll give it a try as soon as I can. Sounds simple enough. Any drawbacks with this maybe?
us flag
The drawback is that whenever the IP address of the domain changes, you need to change the configuration and make sure every VPN client reconnects.
Bert avatar
ng flag
That is not a drawback since everything has a static IP. But will this allow me to SSH to other servers on the Office LAN?
vidarlo avatar
ar flag
I don't know what your network looks like. You should look into how routing works, because what you want can probably be configured
Bert avatar
ng flag
So if I want to send the client request when the "example.com" URL is used, I just have to enter push "route [LOCAL IP RANGE] [NETMASK] [TARGET SERVER]"?
Bert avatar
ng flag
Not good. All traffic still goes through the VPN server.
vidarlo avatar
ar flag
Can you post your complete server and client config, sans any secrets? Edit your question to include this. What I wrote *does* work, but you probably have some other routing directive in your config as well.
Bert avatar
ng flag
https://pastebin.com/uegc7AbS | I've X-ed out the server IP where the URL is living in the push route. No other routing in the config. Where can I find the client config?
Bert avatar
ng flag
I have a client-common.txt if that helps | https://pastebin.com/v1ji0wtf
vidarlo avatar
ar flag
Remove the `push "redirect-gateway def1 bypass-dhcp"` line. This pushes override of default gateway.
Bert avatar
ng flag
Trying it now. Let's see... Well.... this resulted in blocking me out from the whole network. Unable to access the Firewall or anything now. :-/ Also, there is no internet access for the client as soon as I enable the VPN connection.
vidarlo avatar
ar flag
Then post your routing tables when connected.
Bert avatar
ng flag
Well, that will happen tomorrow probably, because now I have to go to the office and fix it locally. However, I take back what I said about "no internet". There is internet, but the DNS provider is not working. I can access websites with their IP address typed in the browser. What do I have to change for that?
Bert avatar
ng flag
Do I just remove: push "dhcp-option DNS 1.0.0.1" which refers to the local DNS server?
vidarlo avatar
ar flag
To remove pushing of DNS - yes, you do. And if you use a DNS server in a private network you need a route to reach the dns server as well.
Bert avatar
ng flag
I reached out to a technician, and removed both DNS lines from the config. Now I have internet access, working as intended, but my IP address according to "what is my IP" is my own, and not the VPN server's. If I leave only "dhcp-option DNS 1.1.11", that still disables DNS name check. Why is this happening? I don't get it.
vidarlo avatar
ar flag
What do you actually want? Above you state that internet traffic should *not* go through VPN; here you complain that the IP shown is your own... My gut feeling is that you really have no idea what you're doing, and throwing stuff randomly at the wall to see what sticks.
Bert avatar
ng flag
Oh, dang it... You're right. I should check the incoming IP address on the target server, not on a "what is my IP" site... my bad! :-D
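The two things the answer and comments above turn on are (1) not pushing `redirect-gateway` so only the pushed `/32` route goes via the tunnel, and (2) making sure any pushed private DNS server is itself covered by a pushed route. The check below, added here as an example and not part of the thread or the OpenVPN project, parses a server config and flags both conditions; the sample configs and all addresses in it are constructed placeholders, not the asker's real settings.

```python
import ipaddress
import shlex

# Constructed sample configs (placeholder addresses, not the asker's real
# config): the first still pushes a default gateway, the second is split tunnel.
FULL_TUNNEL_CONF = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.0.0.1"
push "route 10.1.1.1 255.255.255.255 10.8.0.1"
"""
SPLIT_TUNNEL_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.1.1.1 255.255.255.255 10.8.0.1"
push "route 192.168.10.0 255.255.255.0 10.8.0.1"
push "dhcp-option DNS 192.168.10.53"
"""

def parse_conf(conf):
    """Yield each directive as a token list; pushed options are expanded,
    so push "route a b c" becomes ['push', 'route', 'a', 'b', 'c']."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        if tokens[0] == "push" and len(tokens) > 1:
            tokens = ["push"] + tokens[1].split()
        yield tokens

def audit_split_tunnel(conf):
    """Return (findings, pushed_routes). A finding is raised when the server
    still pushes redirect-gateway, or when a pushed private DNS server is not
    covered by the tunnel subnet or any pushed route (so name lookups break)."""
    findings, routes, reachable, dns_servers = [], [], [], []
    for t in parse_conf(conf):
        if t[0] == "server" and len(t) >= 3:
            reachable.append(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif t[:2] == ["push", "redirect-gateway"]:
            findings.append("redirect-gateway is pushed: all client traffic goes via the VPN")
        elif t[:2] == ["push", "route"] and len(t) >= 4:
            routes.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:3] == ["push", "dhcp-option", "DNS"] and len(t) >= 4:
            dns_servers.append(ipaddress.ip_address(t[3]))
    for dns in dns_servers:
        if dns.is_private and not any(dns in n for n in reachable + routes):
            findings.append(f"DNS server {dns} is private but no pushed route covers it")
    return findings, routes
```

Run `audit_split_tunnel(open("server.conf").read())` against your own server config; an empty findings list plus the expected `/32` route is what a working split tunnel should look like.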