life ideas

December 3, 2006

OpenVPN 2.0 HOWTO

Filed under: soft Tips, software — manoftoday @ 4:51 am


Routing all client traffic (including web-traffic) through the VPN

Overview

By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.

In certain cases this behavior might not be desirable: you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing. This configuration costs the client some performance, but it gives the VPN administrator more control over security policy, because the internet traffic of a client that is connected to the public internet and the VPN at the same time no longer bypasses the VPN.

Implementation

Add the following directive to the server configuration file:

push "redirect-gateway def1"

If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:

push "redirect-gateway local def1"

Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site’s HTTP proxy.

On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0. It also assumes that IP forwarding is enabled on the server (net.ipv4.ip_forward=1); without it the kernel will not forward the clients' packets at all, NAT rule or not.

When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need to handle them. This can be accomplished by pushing a DNS server address to connecting clients, which will replace their normal DNS server settings for as long as the VPN is active. For example:

push "dhcp-option DNS 10.8.0.1"

will configure Windows clients to use 10.8.0.1 as their DNS server. Non-Windows clients only receive the pushed option as an environment variable for scripts, so they need a client-side up script to apply it to the resolver configuration. Any address which is reachable from clients through the tunnel may be used as the DNS server address.
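The following script is an added example, not part of the HOWTO or of OpenVPN itself, that wires up the server side of the procedure above on Linux and gives you a way to check the client side. It takes the VPN subnet from the server directive in the config, confirms that the config actually pushes redirect-gateway, enables IP forwarding, and installs the NAT rule. Beyond the single MASQUERADE line in the HOWTO it also adds FORWARD rules, which are needed on hosts whose FORWARD chain policy is DROP. The last function inspects an "ip route" listing for the two /1 routes that "def1" installs on a Linux client. The interface names tun0 and eth0, the subnet 10.8.0.0/24 and the sample config and route lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): server-side NAT for
# redirect-gateway clients plus a client-side route check.
# Assumed defaults: VPN subnet 10.8.0.0/24, upstream interface eth0,
# tunnel interface tun0. Override with environment variables.
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"

# Read the "server <net> <mask>" directive from an OpenVPN server config
# and print it as net/mask, a form iptables accepts for -s.
vpn_subnet_from_conf() {
    awk '$1 == "server" { print $2 "/" $3; exit }' "$1"
}

# Succeed only if the config pushes redirect-gateway to clients; a missing
# push line is the usual reason client traffic "still has the same IP".
conf_pushes_redirect() {
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$1"
}

# Print the iptables rules for NATing the VPN subnet out of the upstream
# interface. The FORWARD rules are an addition to the HOWTO's MASQUERADE
# rule so traffic still flows when the FORWARD policy is DROP.
vpn_nat_rules() {
    subnet=$1; wan=$2; tun=$3
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE" \
      "iptables -A FORWARD -i $tun -o $wan -s $subnet -j ACCEPT" \
      "iptables -A FORWARD -i $wan -o $tun -d $subnet -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Client-side check: read an "ip route" listing from stdin and succeed if
# both 0.0.0.0/1 and 128.0.0.0/1 go via the tunnel. Together the two /1
# routes cover every address and are more specific than the original
# default route, so they take over without that route being deleted
# (which is what "def1" means).
def1_routes_present() {
    tun=$1
    awk -v tun="$tun" '
        $1 == "0.0.0.0/1"   { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == tun) lo = 1 }
        $1 == "128.0.0.0/1" { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == tun) hi = 1 }
        END { exit (lo && hi) ? 0 : 1 }'
}

case "${1:-}" in
    --apply)
        # Enable forwarding first; without it the NAT rule never sees traffic.
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || sysctl -w net.ipv4.ip_forward=1
        vpn_nat_rules "$VPN_SUBNET" "$WAN_IF" "$TUN_IF" | sh -e
        ;;
    *)
        echo "# Dry run; re-run as root with --apply to install these rules:"
        echo "sysctl -w net.ipv4.ip_forward=1"
        vpn_nat_rules "$VPN_SUBNET" "$WAN_IF" "$TUN_IF"
        ;;
esac
```

Run it without arguments to see the rules it would add, and with --apply as root to install them. On a client, pipe the output of "ip route" into def1_routes_present tun0 to confirm the pushed routes actually arrived before looking anywhere else for the cause of traffic not being redirected.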

Caveats

Redirecting all network traffic through the VPN is not entirely a problem-free proposition. Here are some typical gotchas to be aware of:

  • Many OpenVPN client machines connecting to the internet will periodically interact with a DHCP server to renew their IP address leases. The redirect-gateway option might prevent the client from reaching the local DHCP server (because DHCP messages would be routed over the VPN), causing it to lose its IP address lease.
  • Issues exist with respect to pushing DNS addresses to Windows clients.
  • Web browsing performance on the client will be noticeably slower.

For more information on the mechanics of the redirect-gateway directive, see the manual page.

Source: OpenVPN 2.0 HOWTO


14 Comments »

  1. Fantastic – solved a problem I was having implementing OpenVPN on EC2

    Comment by Jonathan — October 21, 2008 @ 1:57 am

  2. also please note you’ll need dnsmasq installed on the server too

    Comment by Jonathan — October 21, 2008 @ 6:25 am


  10. It’s not working for me. I have the client and server connected and I’m able to ping both tun devices, but the browser doesn’t seem to be showing any changes, since the IP address is still the same.

    Comment by G_Known — August 23, 2014 @ 3:44 am
