Multiple configurations (one tunnel all, one split tunnel) with same OpenVPN



  • Hello all,

    I am likely making this more difficult than it needs to be, looking for a way to streamline this.

    On my pfSense, I want to host one single OpenVPN server.

    Then on my clients, I want two configs:
    First config will have all traffic always going through the tunnel
    Second config will have split tunneling. All internet traffic goes out the local interface, and only the defined network will route via the tunnel.

    I believe I can do this by hosting two separate OpenVPN connections on the pfSense on different ports, but that just seems excessive.

    How can I accomplish what I am asking above? Many thanks.



  • Best practice would be to run two servers.

    You may also achieve that with only one, but then you have to connect with different users and certs and set up client specific overrides for each on the server.



  • Did you find a way to do this? I tried running two OpenVPN servers but I want all VPN clients to come from the same subnet and this appears to be an issue. It also requires a different external port which I'm trying to avoid. I'm interested in what you came up with. Thanks.



  • @bdf0506 said in Multiple configurations (one tunnel all, one split tunnel) with same OpenVPN:

    I believe I can do this by hosting two separate OpenVPN connections on the pfSense on different ports, but that just seems excessive.

    Go ahead and run two different servers... one full tunnel and one split tunnel. This is exactly what I do... and it's not excessive at all.



  • "Client Specific Overrides" works well for this.

    Create two VPN Users - one for Split and one for Full tunnel.
    Set up client specific override for the full tunnel user and select ".. route all traffic through tunnel.." (Redirect gateway def1) ...

    Export both ovpn configs and import on your client. This works very well for me.



  • "Client Specific Overrides" is the functionality I want but without having different users. Two different servers works if you don't wish to run the VPN servers on the same port, say 443. The only thing I can think of is perhaps running two different servers but on different IPs so I can use the same port. It's not my ideal setup as it will cost me extra for an additional static IP.



  • I haven't tried this myself, but it may be worth a shot.
    Create one user only and export the ovpn config. Save the config as user1_split.ovpn.
    Copy and rename the same config as user1_full.ovpn.

    Edit user1_full.ovpn and manually add "redirect gateway def1" (check correct syntax)

    You may also need to add "--route-nopull" so the server won't push other gateways and override your manually set "redirect gateway def1".

    See:
    https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

    --route-nopull
    When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers.
    When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.
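    A small script that carries out the procedure in the post above (export once, keep the export as the split profile, derive the full-tunnel profile from it), added here as an example; it is not code from this thread, from pfSense, or from the OpenVPN project. The embedded profile is a constructed stand-in for user1_split.ovpn with the certificate blocks left out, and vpn.example.net is a hypothetical server name. The directive it appends is `redirect-gateway def1`, which is the hyphenated spelling OpenVPN actually accepts.

```python
"""Derive a full-tunnel OpenVPN client profile from an exported split-tunnel
profile. Added example, not pfSense or OpenVPN project code."""
import shlex

# Constructed stand-in for user1_split.ovpn as the pfSense client export
# writes it; a real export also carries <ca>/<cert>/<key>/<tls-auth> blocks,
# which this script copies through unchanged. vpn.example.net is made up.
SPLIT_PROFILE = """\
dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA256
client
resolv-retry infinite
remote vpn.example.net 443 udp
verify-x509-name "vpn-server-cert" name
remote-cert-tls server
"""

# Directives removed before the full-tunnel lines are appended, so the
# result is the same no matter what the export already contained.
DROPPED = {"redirect-gateway", "route-nopull"}


def directives(profile: str) -> list[list[str]]:
    """Parse an .ovpn into [directive, args...] lists, skipping blanks,
    comments and inline <tag>...</tag> blocks (certificate material)."""
    out, in_block = [], False
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            out.append(shlex.split(line))
    return out


def is_client_profile(profile: str) -> bool:
    """True when the profile pulls options from a server ('client' or 'pull')."""
    return any(d[0] in ("client", "pull") for d in directives(profile))


def make_full_tunnel(profile: str, route_nopull: bool = False,
                     dns_servers: tuple[str, ...] = ()) -> str:
    """Return a copy of `profile` that sends all client traffic via the tunnel.

    `redirect-gateway def1` adds 0.0.0.0/1 and 128.0.0.0/1 over the tunnel
    instead of replacing the default route, so the host route to the VPN
    endpoint keeps working. With route_nopull=True the server's pushed
    routes and dhcp-options (DNS) are ignored, so DNS must then be set in
    the profile itself; `dns_servers` emits those `dhcp-option DNS` lines.
    """
    if not is_client_profile(profile):
        raise ValueError("not a client profile: no 'client' or 'pull' directive")
    kept, in_block = [], False
    for raw in profile.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif (not in_block and line and line[0] not in "#;"
              and shlex.split(line)[0] in DROPPED):
            continue  # drop any earlier tunnel-mode lines
        kept.append(raw)
    kept.append("# added for the full-tunnel variant")
    kept.append("redirect-gateway def1")
    if route_nopull:
        kept.append("route-nopull")
        for dns in dns_servers:
            kept.append(f"dhcp-option DNS {dns}")
    return "\n".join(kept) + "\n"


def tunnel_mode(profile: str) -> str:
    """Classify a client profile: 'full' if it redirects the default gateway
    locally, otherwise 'split' (routes come only from what the server pushes)."""
    return "full" if any(d[0] == "redirect-gateway" for d in directives(profile)) else "split"


if __name__ == "__main__":
    # Would normally read user1_split.ovpn and write user1_full.ovpn.
    full = make_full_tunnel(SPLIT_PROFILE)
    print(tunnel_mode(SPLIT_PROFILE), tunnel_mode(full))
    print(full)
```

    The split profile is the untouched export and still depends on the server pushing the route for the defined network; only the full profile is changed. If `route-nopull` is added, note from the wiki text quoted above that pushed DNS servers are also discarded, which is why the script can emit `dhcp-option DNS` lines for that variant. After connecting with the full profile, check the client's routing table for the 0.0.0.0/1 and 128.0.0.0/1 entries via the tun interface; if they are absent, the server pushed a conflicting gateway and the `route-nopull` variant is the one to use.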



© Copyright 2002 - 2018 Rubicon Communications, LLC