What's new

Configure OVPN for both All traffic and LAN only?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Tedd

Occasional Visitor
I'm trying to get my OpenVPN server to accept VPN connections where the client gets to decide whether to route all traffic through the VPN or just traffic for the LAN.

I've had the server running well using just LAN traffic, but I'm not experienced enough to configure it correctly for what I want. Everything I try just causes connection failures ;)
 
Surely that's a client-side issue and not the server. How do you envisage the client "deciding" how to route?
 
I guess I'm confused. The VPN server configuration for OpenVPN lets me specify whether clients connect to the LAN only, Internet only, or both. Is that just adding configuration options to the client config template?

I see that changing my server configuration from LAN only to Both adds these two lines to my server config:
Code:
push "route-gateway <my router's LAN IP>"
push "redirect-gateway def1"

Now connecting to my server using an unchanged client config causes constant I/O errors:
Code:
2019-03-04 14:36:01 write to TUN/TAP : Input/output error (code=5)
2019-03-04 14:36:01 write to TUN/TAP : Input/output error (code=5)
2019-03-04 14:36:02 write to TUN/TAP : Input/output error (code=5)
2019-03-04 14:36:02 write to TUN/TAP : Input/output error (code=5)
2019-03-04 14:36:03 write to TUN/TAP : Input/output error (code=5)
2019-03-04 14:36:03 write to TUN/TAP : Input/output error (code=5)
2019-03-04 14:36:04 write to TUN/TAP : Input/output error (code=5)
2019-03-04 14:36:05 write to TUN/TAP : Input/output error (code=5)
2019-03-04 14:36:05 write to TUN/TAP : Input/output error (code=5)
<snip>

If I add:
Code:
pull-filter ignore "route-gateway "
pull-filter ignore "redirect-gateway "
..to my client's config, it works again, but as before - only traffic destined for the LAN.

Could you please tell me what I'm missing?
 
Last edited:
This was explored a bit here: OpenVPN Server Redirect Question The idea is to have two separate client configurations.
On the server site, set it for "LAN only". Export that configuration to your client. That pushes the route to the LAN, but the client will continue to use its default gateway to reach all other sites.

Now copy that configuration to a new file, and add to it "redirect-gateway def1".

So, when you want to use OpenVPN to reach your LAN, but not to reach the internet (as, for example, you are in a secure location and your download speed is better than the server's upload speed), use the first configuration. When you are in an insecure location, like a public hotspot, use the second configuration so everything goes over the tunnel.

While you are at it, configure the second server doing the same, so you end up with four configuration files. I use the second server as TCP/443 to avoid being blocked in two specific places from which I often connect, but the idea is to be able to get in through one working connection to fix a nonworking connection on the other server.
 
I have one server, configured with "Client will use VPN to access: Both"

You mention having two separate client configurations, which I have. I'm using the same configuration file in both instances, except adding

Code:
pull-filter ignore "route-gateway "
pull-filter ignore "redirect-gateway "
to the LAN-only configuration, which works. Traffic for the LAN goes through the VPN, external traffic uses the client's network gateway.

The second client configuration without the above options should work to route all traffic through the VPN server, as this is what the server exported as client configuration, yet I'm getting I/O errors as above.

Do I really have to create a second server?
 
1. Of course you don't need a second server. I've found it to be helpful if I've borked the first one and I'm a thousand miles away for several months.
2. Are you trying to do this TAP or TUN? Googling that error suggests your client doesn't have an IP on the interface.
3. Merlin produces matching server and client configurations. My way seems to work with "LAN only". I'll look at the "Both" server configuration. Your way has a server configuration that tells the client to do something, and your client is ignoring it.
 
I am using TAP, primarily to join two networks together (mine and my parents') for CIFS. This is primarily why I need to set LAN traffic only through VPN. However, I also want to be able to connect to the Internet from untrusted networks, so I want a configuration to route all traffic through the VPN.

I don't understand. Is this an unsupported configuration in the Asus configuration? What more do I need to set?
 
I haven't used TAP in a long while, so I'm not going to be much help. I think it might be ignoring the route-gateway is leaving you without a route to the LAN, but I am not sure.

If it was me, I would leave the working TAP connection alone for that use case, and use the second server for a TUN connection for the second use case.
 
If it was me, I would leave the working TAP connection alone for that use case, and use the second server for a TUN connection for the second use case.

I've forgotten about this thread for a while, but thank you elorimer. That was my decision, too. The sheer number of pages on the Internet recommending against TAP in favour of TUN makes me think that this is a rare configuration. I've set up a second server as a TUN, and will also test to see if my original case can work with a TUN.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top