Selective routing for VPN question

Rama

New Around Here
Hi,
I want to make all IP addresses in my subnet go through VPN but I only want the killswitch to apply to selected devices. Is there a way to do this? I was thinking of setting up two VPN clients, making the whole subnet go through one (with the killswitch turned off) but excluding the devices I want to apply the killswitch to by placing them through WAN, then setting these killswitch appliances to go through the second VPN client with killswitch turned on. However, I don't think this works since the WAN setting will just cause those devices to skip the VPN tunnel. Is there a way to do what I'm trying to achieve?

Does this work?

i.e. Everything thru' VPN Client 1, but if VPN Client 1 is DOWN, only LAN device .123 gets Internet access via WAN (VPN Client 2 MUST always be DOWN)

VPN Client 1 Selective Routing GUI (KILLSwitch OFF)
Code:
LAN via VPN         xxx.xxx.xxx.0/24     0.0.0.0     VPN
Router              xxx.xxx.xxx.1        0.0.0.0     WAN
VPN client 2 Selective Routing GUI (KILLSwitch ON)
Code:
LAN via VPN         xxx.xxx.xxx.0/24     0.0.0.0     VPN
Router              xxx.xxx.xxx.1        0.0.0.0     WAN
Failover to WAN     xxx.xxx.xxx.123      0.0.0.0     WAN

I think this probably would work but means that I have to individually write down every IP address of the devices that I don't want the kill switch to apply to (in your example, devices like the xxx.xxx.xxx.123). This would be perfect if I wanted most devices to have the killswitch applied and just had one or two devices that I wanted to go through to WAN when the VPN client is down. I have the opposite situation, where I have 40 devices (this number fluctuates too) and I'm looking for all but 3 to not have the killswitch applied. I'm beginning to think this might not be easily translatable to policy routing rules....
 
Well if you (re)organise your 40 devices into contiguous CIDR ranges, then that will significantly reduce the number of static rules to be entered into the GUI, otherwise you will need to resort to scripting to use the appropriate openvpn-event trigger to dynamically achieve your requirement.
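As an added example that is not part of the thread (it is neither the posters' code nor anything from Asuswrt-Merlin), here is a small Python script that does the bookkeeping the last reply suggests: it collapses a list of LAN hosts into the fewest CIDR blocks, computes the blocks that cover a subnet minus a handful of excluded hosts (the "everything except these 3 devices" case from the post above), and prints the result in the column order of the Selective Routing table shown earlier. The subnet 192.168.1.0/24 and every host address in it are constructed stand-ins for the thread's xxx.xxx.xxx.0/24; nothing here talks to the router.

```python
import ipaddress


def collapse_hosts(hosts):
    """Collapse individual host addresses into the fewest CIDR blocks.

    Contiguous, aligned runs (e.g. .64-.95) become one block; scattered
    hosts stay as separate /32 entries, which is why DHCP reservations that
    keep the VPN-only devices together shrink the rule table.
    """
    nets = (ipaddress.ip_network(h) for h in hosts)  # each bare host becomes a /32
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def exclude_hosts(subnet, excluded):
    """Return the minimal CIDR list covering `subnet` with `excluded` hosts removed.

    This expresses 'all devices except these' without listing every device,
    so a newly added LAN client is covered with no extra rule.
    """
    remaining = [ipaddress.ip_network(subnet)]
    for host in excluded:
        h = ipaddress.ip_network(host)
        carved = []
        for net in remaining:
            if h.subnet_of(net):
                # address_exclude yields the sibling blocks around `h`
                # (and nothing at all when `net` is exactly `h`)
                carved.extend(net.address_exclude(h))
            else:
                carved.append(net)
        remaining = carved
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


def policy_rows(description, blocks, iface):
    """Format blocks as rows in the Selective Routing table's column order
    (Description, Source IP, Destination IP, Iface) used in the thread."""
    return [f"{description:<20}{block:<21}0.0.0.0     {iface}" for block in blocks]


if __name__ == "__main__":
    LAN = "192.168.1.0/24"  # constructed stand-in for xxx.xxx.xxx.0/24
    # constructed: the three devices that should keep the kill switch
    KILLSWITCH_HOSTS = ["192.168.1.10", "192.168.1.50", "192.168.1.200"]

    # 40 devices scattered across the subnet vs. 40 devices reserved in one run
    scattered = [f"192.168.1.{i}" for i in range(3, 254, 6)][:40]
    reserved = [f"192.168.1.{i}" for i in range(64, 104)]
    print(f"scattered: {len(collapse_hosts(scattered))} rows")
    print(f"reserved:  {len(collapse_hosts(reserved))} rows -> {collapse_hosts(reserved)}")

    # Or express 'all but the 3 kill-switch devices' as subnet-minus-hosts
    rest = exclude_hosts(LAN, KILLSWITCH_HOSTS)
    print(f"subnet minus 3 hosts: {len(rest)} rows")
    for row in policy_rows("Failover to WAN", rest, "WAN"):
        print(row)
```

The two approaches trade off differently: collapsing a reserved, aligned DHCP range gives the shortest table (40 hosts in .64-.103 become two rows), while subtracting the kill-switch hosts from the whole /24 needs more rows (18 for three hosts spread around the subnet, 7 if they sit together at the top of the range) but keeps covering devices that join later.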