Netgate Discussion Forum

[Solved] Split Tunnel

Category: OpenVPN
five0va

I've been trying to set up a split tunnel for a few hours now with no luck (pfSense 2.2.2). I've used several forum posts describing how to do this in the Advanced Configuration, but have just not had any luck. Is there a definitive guide on how to do this? There seem to be several different ways. What I'm trying to do is Road Warrior style, where a remote worker accesses the network through the VPN, but his/her Internet-bound traffic does not go through the VPN. I've added push "route"; for each network in the client config below, but to no avail. I've tried this by just adding these options in the server Advanced Configuration, then I took them out and put them in just the client config, and I also put them in both and tried that. Still got nothing. The error I get is: ERROR: Linux route add command failed: external program exited with error status: 2, but the initialization sequence says that it does complete; the routes just aren't there.

Any help would be greatly appreciated! I have never done a split tunnel before and have only looked into it as a request recently. Thank you in advance!

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 205.169.63.250 1195 udp
lport 0
auth-user-pass
ca pf02-udp-1195-ca.crt
tls-auth pf02-udp-1195-tls.key 1
ns-cert-type server
comp-lzo adaptive
passtos
route-nopull
route 151.0.0.0 255.0.0.0 vpn_gateway
route 198.233.4.0 255.255.240.0 vpn_gateway
route 198.233.12.0 255.255.240.0 vpn_gateway
route 205.169.62.0 255.255.254.0 vpn_gateway
route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway

five0va

I have it figured out and am working on a detailed write-up. I should have this written up by tomorrow.

five0va

The way I solved this is multi-fold: with an existing OpenVPN tunnel, uncheck the "Redirect Gateway" box, then add all the local networks that are on your pfSense installation.

example:

192.168.0.0/24,192.168.1.0/24

Now add the following to Advanced Configuration:

push "route network subnet";

Please note that a new line needs to be added for each network. This is the only way it would work for me.

example:

push "route 192.168.6.0 255.255.255.0";
push "route 192.168.7.0 255.255.255.0";
push "route 172.16.1.0 255.255.254.0";

Now you need to add these routes to the client's .ovpn config. I could not get my routes to work properly without it… maybe someone has a reason why? But this is what works for me and all my co-workers.

After downloading the Archive (or however you get the .ovpn), edit the .ovpn and at the end of the file add the following, corresponding to the above examples:

route 192.168.6.0 255.255.255.0 vpn_gateway
route 192.168.7.0 255.255.255.0 vpn_gateway
route 172.16.1.0 255.255.254.0 vpn_gateway

I hope this helps someone else out.

phil.davis

If you put all the necessary subnets in the Local Network/s box, then the routing should be taken care of. Using the OpenVPN Client Export package, it should put all the necessary "route" statements in the client config.
If the list of subnets gets long, and they are all in a nice group, you can put just a summarized route, e.g.
192.168.0.0/20 - 16 "/24"s together = 192.168.0.0 through to 192.168.15.255

Also:
172.16.1.0 255.255.254.0 is a /23 - that is actually 172.16.0.0 through to 172.16.1.255 - so it is more accurately described by:

172.16.0.0 255.255.254.0

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

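The two posts above look at the same data from two angles: five0va's procedure (Local Networks plus one push "route" line per subnet on the server, and matching route lines in the client .ovpn) and phil.davis's points that a contiguous group of /24s can be summarized into one route and that 172.16.1.0 255.255.254.0 is not a network address. The Python script below is an added example, not code from either poster or from pfSense. It takes a list of subnets, flags any whose host bits are set (the 172.16.1.0/23 case), collapses adjacent or duplicate blocks into summary routes, and emits both the server-side push lines and the client-side route lines. The function names and the sample list are my own; the sample is constructed from the subnets quoted in this thread.

```python
import ipaddress

# Constructed sample input: the three subnets from five0va's push examples plus
# the sixteen /24s that phil.davis summarises as 192.168.0.0/20. The third entry
# is written exactly as it appears in the thread and is not a network address.
SAMPLE_SUBNETS = [
    "192.168.6.0/24",
    "192.168.7.0/24",
    "172.16.1.0/255.255.254.0",
] + [f"192.168.{i}.0/24" for i in range(16)]


def check_subnet(spec):
    """Return (network, warning).

    ipaddress.ip_network(strict=True) rejects a prefix whose host bits are set.
    In that case the real network address is recomputed and a warning is
    returned so the operator sees which block OpenVPN will actually route.
    """
    try:
        return ipaddress.ip_network(spec, strict=True), None
    except ValueError:
        net = ipaddress.ip_network(spec, strict=False)
        return net, (f"{spec}: host bits set; the covered block is "
                     f"{net.network_address} {net.netmask} "
                     f"({net.network_address} through {net.broadcast_address})")


def warnings(specs):
    """All alignment warnings for a list of subnet specs."""
    return [w for w in (check_subnet(s)[1] for s in specs) if w]


def summarize(specs):
    """Normalise every spec and merge adjacent or duplicate blocks into the
    smallest set of summary routes (sixteen consecutive /24s become one /20)."""
    nets = [check_subnet(s)[0] for s in specs]
    return list(ipaddress.collapse_addresses(nets))


def push_lines(nets):
    """Server side: one line per network for the pfSense Advanced Configuration
    box, in the dotted-mask form that OpenVPN's push "route" expects."""
    return [f'push "route {n.network_address} {n.netmask}";' for n in nets]


def client_route_lines(nets):
    """Client side: the equivalent explicit route lines for the .ovpn file,
    pointed at vpn_gateway as in five0va's post."""
    return [f"route {n.network_address} {n.netmask} vpn_gateway" for n in nets]


if __name__ == "__main__":
    for w in warnings(SAMPLE_SUBNETS):
        print("WARNING:", w)
    nets = summarize(SAMPLE_SUBNETS)
    print("# server: Advanced Configuration")
    print("\n".join(push_lines(nets)))
    print("# client: .ovpn")
    print("\n".join(client_route_lines(nets)))
```

Run as-is, it warns about 172.16.1.0/255.255.254.0 and emits two routes, 172.16.0.0/23 and 192.168.0.0/20. One caveat on summarizing: the /20 sends every address from 192.168.0.0 to 192.168.15.255 into the tunnel, including subnets you may not actually use, so only summarize when the whole block is the VPN's to route, and watch for overlap with the address space a road-warrior client is likely to have on its own LAN.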
Derelict (LAYER 8, Netgate)

The route statements on the client side should be handled by the push route statements, unless the clients have route-nopull enabled.

ETA: I see the route-nopull in the client config. Why complicate things? I like as much config as I can get away with on the server side.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

five0va

I agree that I shouldn't have to add anything to the client side when the push is in the Advanced config… BUT, it just didn't work for me. I took the nopull statement out and it just didn't work. So I had to put in the route statements for this to work properly.

five0va

Revision to adding routes to the client: if you put pull in your client config file, then it will pull what's in the Advanced Config from the server.

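Derelict's point that pushed routes only land on the client when route-nopull is absent, and five0va's revision that adding pull made the client take what the server pushes, both come down to which directives in the client .ovpn govern acceptance of pushed options. Per the OpenVPN manual, client is a helper equivalent to pull plus tls-client, and route-nopull makes a pulling client accept pushed options except routes and DHCP options such as DNS servers. The Python linter below is an added example, not code from this thread or from pfSense: it parses a client config, reports whether pushed routes would be applied, and lists the explicit route lines. The function names are my own; the sample config is the one five0va posted at the top of the thread.

```python
import shlex

# Sample input: the client config from the first post in this thread.
SAMPLE_CLIENT_CONFIG = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 205.169.63.250 1195 udp
lport 0
auth-user-pass
ca pf02-udp-1195-ca.crt
tls-auth pf02-udp-1195-tls.key 1
ns-cert-type server
comp-lzo adaptive
passtos
route-nopull
route 151.0.0.0 255.0.0.0 vpn_gateway
route 198.233.4.0 255.255.240.0 vpn_gateway
route 198.233.12.0 255.255.240.0 vpn_gateway
route 205.169.62.0 255.255.254.0 vpn_gateway
route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway
"""


def strip_comment(line):
    """OpenVPN starts a comment at '#' or ';' outside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch in "#;" and not in_quote:
            return line[:i]
    return line


def parse_ovpn(text):
    """Return a list of (directive, [args]) tuples, ignoring blank lines and
    comments. Inline file blocks such as <ca>...</ca> are skipped because this
    check only looks at directives."""
    entries = []
    in_block = False
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def analyse(entries):
    """Work out what the client will do with routes the server pushes."""
    names = {d for d, _ in entries}
    explicit = [args for d, args in entries if d == "route"]
    accepts_push = "pull" in names or "client" in names  # client implies pull
    report = {
        "accepts_pushed_options": accepts_push,
        "applies_pushed_routes": accepts_push and "route-nopull" not in names,
        "explicit_routes": explicit,
        "findings": [],
    }
    if not accepts_push:
        report["findings"].append(
            "no 'client' or 'pull': nothing the server pushes is applied")
    if "route-nopull" in names:
        report["findings"].append(
            "'route-nopull' present: pushed routes are ignored; only the "
            "explicit 'route' lines in this file take effect")
    elif explicit:
        report["findings"].append(
            "explicit 'route' lines alongside pull: check they do not "
            "duplicate what the server pushes")
    # Two /1 routes to net_gateway pin the whole address space to the local
    # default gateway, i.e. an explicit "Internet stays local" split tunnel.
    halves = {tuple(a[:3]) for a in explicit if len(a) >= 3}
    if {("0.0.0.0", "128.0.0.0", "net_gateway"),
        ("128.0.0.0", "128.0.0.0", "net_gateway")} <= halves:
        report["findings"].append(
            "two /1 routes to net_gateway: all non-VPN traffic is explicitly "
            "kept on the local default gateway")
    return report


if __name__ == "__main__":
    r = analyse(parse_ovpn(SAMPLE_CLIENT_CONFIG))
    print("applies pushed routes:", r["applies_pushed_routes"])
    for finding in r["findings"]:
        print("-", finding)
```

On the posted config the linter reports that pushed options are accepted (client is present) but pushed routes are not (route-nopull is present), which is why only the explicit route lines had any effect. Removing route-nopull from a config that already has client is enough for the server's push "route" lines to be applied; the client then reaches only the subnets the server chose to push, which keeps the list of tunnelled networks in one place where it can be reviewed.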
Derelict (LAYER 8, Netgate)

The OpenVPN Client Export package is your friend.


five0va

That's what I used, but it wasn't pulling the routes. I had to dink around with it to get it to work fully. I read through the OpenVPN docs and found the pull command, which saved me a lot of extra steps in the client config. If the Client Export had the pull option already in there, then I wouldn't have run into this issue… I don't think.

Derelict (LAYER 8, Netgate)

Hmm. Works fine for me. What are you exporting to?


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.