Routing a specific IP over our VPN



  • I've got a very basic OpenVPN road warrior setup right now.  It works quite well and so far everyone has been happy with it.  We have a few websites which are restricted to our static IP at the office which our VPN users would like to access as well.  I know there is a way to route all traffic over our network but that isn't really feasible in terms of bandwidth to say the least.

    How do I set up a specific domain or IP address to go through our VPN and out our gateway so off-site users' IPs appear to be coming from our static IP at the office?

    Thanks in advance for the help and sorry if this has been asked before.


  • Rebel Alliance Developer Netgate

    In the custom options of the OpenVPN on the client side just add:

    route x.x.x.x 255.255.255.255;
    

    Where x.x.x.x is the IP of the remote server. OpenVPN will add a route sending that over the tunnel. I do that at home for quite a few remote sites that need to come from a certain specific location.



  • @jimp:

    In the custom options of the OpenVPN on the client side just add:

    route x.x.x.x 255.255.255.255;
    

    Where x.x.x.x is the IP of the remote server. OpenVPN will add a route sending that over the tunnel. I do that at home for quite a few remote sites that need to come from a certain specific location.

    Maybe you can be more specific.  I'm having a really hard time getting this to work correctly.

    Do I add the route command to the client config file?  Or do I add it to the "client specific options" in the OpenVPN server setup?

    Adding the route to the client config file didn't work at all.  And so far, neither has adding the route on the client specific config page.


  • Rebel Alliance Developer Netgate

    Add it in the actual client config. You can add it in the overrides but you need to push it (push "route x.x.x.x 255.255.255.255"; ).

    If you put a route statement in there for an IP address, it will go over the VPN tunnel. I do this in many places and it works fine. If you are on Windows Vista/7, make sure you are running the client as admin or it can't add routes.



  • @jimp:

    Add it in the actual client config. You can add it in the overrides but you need to push it (push "route x.x.x.x 255.255.255.255";).

    If you put a route statement in there for an IP address, it will go over the VPN tunnel. I do this in many places and it works fine. If you are on Windows Vista/7, make sure you are running the client as admin or it can't add routes.

    Yeah, I disable UAC so everything runs as an admin.  Where do I add the push command?  I assume by overrides you mean the client specific commands page of the OpenVPN server set up?

    So basically I put "route x.x.x.x 255.255.255.255" in the client config file and "push "route x.x.x.x 255.255.255.255"" as a client specific config (or globally, whatever) right?


  • Rebel Alliance Developer Netgate

    Not 'and' – 'or'.

    You put a route into the client configs if you want one client to use it specifically.
    You push a route in the main server config if you want all clients to use it.
    You push a route in the client specific config if you want to push to just one client.



  • Yeah, I tried all that in every combination.  It still just doesn't work.  I can see the route when I do a "route print" as "x.x.x.x 255.255.255.255 10.0.10.5 10.0.10.6 30" and it doesn't seem to be getting where I want it to go.  Can I put a domain in place of x.x.x.x?

    This is why I'm so confused.  Everything I try seems like it should work.  It just doesn't.  Very frustrating.


  • Rebel Alliance Developer Netgate

    You can put a hostname, but I'm not sure how OpenVPN might handle that if the IP resolves to multiple IPs.

    So the traffic isn't going over the tunnel at all? Or it's going over the tunnel and it just isn't going to the web site?

    Or can you tell the difference since that site is blocked by IP?

    You probably also need outbound NAT setup to cover the OpenVPN subnet. (It's done automatically on 2.0 but I always forget that it's not automatic on 1.2.3)
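
Added example, not part of the thread: a Python check that answers the "is it going over the tunnel at all?" question from a saved `route print` capture by applying longest-prefix matching, the rule the client uses to pick a route. The sample table is constructed; 203.0.113.10 stands in for x.x.x.x and the LAN rows are assumptions, while 10.0.10.5 and 10.0.10.6 are the tunnel addresses quoted above.

```python
import ipaddress

# Constructed sample of the IPv4 rows from Windows "route print".
# 203.0.113.10 stands in for the thread's x.x.x.x; 10.0.10.5/10.0.10.6 are
# the tunnel gateway/interface shown in the thread; LAN rows are invented.
SAMPLE = """\
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
        10.0.10.4  255.255.255.252         On-link        10.0.10.6    286
     203.0.113.10  255.255.255.255        10.0.10.5        10.0.10.6     30
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip headers, separators and blank lines
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            iface = ipaddress.ip_address(parts[3])
        except ValueError:
            continue  # not a destination/netmask/interface row
        routes.append((net, parts[2], iface, int(parts[4])))
    return routes

def select_route(routes, dest):
    """Longest prefix wins; the lower metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))

def uses_tunnel(routes, dest, tunnel_iface):
    """True if traffic to dest would leave through the tunnel interface."""
    best = select_route(routes, dest)
    return best is not None and best[2] == ipaddress.ip_address(tunnel_iface)

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for target in ("203.0.113.10", "203.0.113.11"):
        print(target, "via tunnel:", uses_tunnel(table, target, "10.0.10.6"))
```

If the host route is selected and the site is still unreachable, the client side is doing its part and the remaining checks are on the server side, such as the outbound NAT rule mentioned above.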

