
Client will use VPN to access... OpenVPN Server setting


radiochuck

I'm wondering if there's any way to make this choice on the client side, or at the user level.

I want some users to send all traffic through the OpenVPN server in the router, but have others use whichever network they're on to access the internet, but still have access to resources through the OpenVPN server. Is there any way to enable this kind of flexibility? Asus RT-AC68U router. Thanks.
 
How is the VPN client setup in this scenario? Is it on a remote router that's permanently connected to your VPN server, i.e. a LAN to LAN configuration? If it's LAN to LAN are you using a routed connection (TUN) or a bridged connection (TAP)?

You say, "but have others use whichever network they're on to access the internet". So you have multiple clients each with their own internet gateway?
 
No TUN involved. Client (generally me) is on a work network, or cellular data, or someone else's home network, etc. No special setup between the remote and home (server) network, just the OpenVPN client on the remote computer or mobile device.

Client software is OpenVPN client, on my laptop or mobile phone.
 
TUN would probably be easier because with TAP you're bridged to the remote LAN. It might work depending on the client software.

With TUN you could add these lines to your client config to override the "Client will use VPN to access = Internet and local network" option and make it "Local network only".

Code:
route-nopull
route 192.168.1.0 255.255.255.0

I've just tested this on my Android phone and it works.


Alternatively, you might be able to do something creative with the server's "Allow only specified clients" option on a per user basis.
 
I have no need for a router to router VPN tunnel, as I...

a. Have no admin access to any of the other networks to set that up.
b. Only want the client device (laptop, phone etc) to have connectivity through the VPN.
c. I don't want someone else's network connecting to mine. I just want my device to use their ISP to connect remotely to my home-based VPN server.

I'm using this setup now (and have for several years) without any trouble. I mean, the connection is flawless. I'd just like to be able to choose on the fly whether I use my home (VPN server) ISP for internet access when connected remotely, or that of the network to which I'm connected locally.
 
I have no need for a router to router VPN tunnel, as I...

a. Have no admin access to any of the other networks to set that up.
b. Only want the client device (laptop, phone etc) to have connectivity through the VPN.
c. I don't want someone else's network connecting to mine. I just want my device to use their ISP to connect remotely to my home-based VPN server.
Er, yes. I understood that from your previous answer.

I'm using this setup now (and have for several years) without any trouble. I mean, the connection is flawless. I'd just like to be able to choose on the fly whether I use my home (VPN server) ISP for internet access when connected remotely, or that of the network to which I'm connected locally.
This is a client issue. As such it depends on the capabilities of your client software. I showed you one way of doing it using an Android client over a TUN connection. Your client software may have options that allow something similar over TAP.
 
@ColinTaylor I reread your last and I kinda get it, but that's something I'm not really familiar with. I'll do a little research and see what I can do. Thank you.
 
Code:
route-nopull
route 192.168.1.0 255.255.255.0
So, is there an opposite of that? The VPN server/router config for 'Client will use VPN to access' is currently set to "Local network only." Is there a way to modify the client.ovpn to do the opposite of the code above and route all traffic through the router? That just saves me from having to flip the setting on the router and limit any changes to the desired devices. Thank you!!
 
I guess you'd use this, but I haven't tried it:
Code:
route-nopull
redirect-gateway def1
Again, this is for a routed (i.e. TUN) connection. I have no idea if it would work for TAP.

You'd then just have two different VPN profiles that you could select as needed.
 
I guess you'd use this, but I haven't tried it:
Code:
route-nopull
redirect-gateway def1
Again, this is for a routed (i.e. TUN) connection.
Okay, cool. I'm still learning about the inner workings of VPN. I'll see if I can make it work the way I want it to. Ultimately, I'd like to have two profiles on my device, one that routes all traffic through the VPN server and another that just routes the traffic to my home network through the VPN. Thank you again for sharing your expertise. I appreciate the information.
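
Added example, not part of the thread: a small Python check that reads an OpenVPN client profile and reports whether it sends all traffic through the tunnel, only the listed networks, or leaves the choice to the server's "Client will use VPN to access" setting. The base profile, the `vpn.example.net` remote and the function name are constructed for illustration; the two routing snippets are the ones posted above.

```python
import ipaddress

def classify_profile(text):
    """Return (mode, routes) for an OpenVPN client profile given as text.

    mode is 'full-tunnel', 'split-tunnel' or 'server-decides'; routes lists
    the networks named by `route` lines in the profile itself.
    """
    nopull = redirect = False
    routes, inline_tag = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:                       # inside <ca>...</ca> and similar blocks
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        words = line.split("#", 1)[0].split()
        key, args = words[0], words[1:]
        if key == "route-nopull":            # ignore routes pushed by the server
            nopull = True
        elif key == "redirect-gateway":      # default route goes into the tunnel
            redirect = True
        elif key == "route" and args:
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            try:
                net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
                routes.append(str(net))
            except ValueError:               # hostname or keyword, keep as written
                routes.append(args[0])
    if redirect:
        return "full-tunnel", routes
    return ("split-tunnel" if nopull else "server-decides"), routes

# Constructed sample profiles (placeholder server name, certificate omitted).
BASE = "client\ndev tun\nremote vpn.example.net 1194\n<ca>\n(omitted)\n</ca>\n"
SPLIT = BASE + "route-nopull\nroute 192.168.1.0 255.255.255.0\n"
FULL = BASE + "route-nopull\nredirect-gateway def1\n"

if __name__ == "__main__":
    for name, profile in (("home-lan-only", SPLIT), ("all-traffic", FULL), ("base", BASE)):
        print(name, classify_profile(profile))
```

A profile reported as `server-decides` changes behaviour whenever the router setting is flipped, so it is the one to review if a device must never fall back to the local network for internet traffic.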
 
