Route all traffic *except*...

Got a problem with Viscosity or need help? Ask here!

jurgen

Posts: 3
Joined: Tue Jul 07, 2009 10:34 pm

Post by jurgen » Tue Jul 07, 2009 10:46 pm
Hi,

Brilliant software, thanks for making it so easy. Just one question...

My situation is that I'm behind a restrictive firewall at work, and I'm trying to get "proper" Internet access. I've installed and configured OpenVPN on a server I have on the public Internet and successfully tested the VPN at home. (The only wrinkle will be the proxy server at work, but I'll tackle that tomorrow.)

My question is how to get it to route everything to the VPN except private networks. The server is sending
push "redirect-gateway def1 bypass-dhcp"
, and that's working fine - all my traffic gets sent to the tunnel. Problem is, I want the standard 192.168.x.x and the 10.x.x.x networks to be routed locally, not through the VPN. I tried mucking about with the "Networking" panel, but I buggered up something pretty badly and I'm a bit hesitant to try again.

I might run into DNS issues as well - but I'm thinking that if the DNS servers given to me by my physical connection's DHCP server are in the private network space, and those IPs are routed locally, it should be fine. The OpenVPN server isn't pushing out any DNS stuff.

Many thanks.

jurgen

Posts: 3
Joined: Tue Jul 07, 2009 10:34 pm

Post by jurgen » Wed Jul 08, 2009 11:48 am
Slight change: I ran into DNS issues when running it at work, so I'm now getting OpenVPN to push out some public DNS addresses. I'd still like to be able to route private networks out through the network connection, rather than the VPN connection.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Jul 09, 2009 3:09 am
Hi jurgen,
Problem is, I want the standard 192.168.x.x and the 10.x.x.x networks to be routed locally, not through the VPN.
Try the following:

1. Go to the Viscosity menu, select Preferences, and Edit your connection
2. Click on the networking tab
3. Click the small "+" button in the Routing section to add a new route
4. Enter a Route/IP of "192.168.0.0" (no quotes). Enter a submask of "255.255.0.0". Enter a gateway of "net_gateway". Click the Add button.
5. Repeat steps 3 and 4, except with a Route/IP of "10.0.0.0", and a submask of "255.0.0.0"
6. Click the Save button and try connecting.

The "net_gateway" command instructs the traffic to be routed through your normal local gateway rather than through the VPN connection.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
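The two routes James describes correspond to the OpenVPN client directives `route 192.168.0.0 255.255.0.0 net_gateway` and `route 10.0.0.0 255.0.0.0 net_gateway`, layered on top of the server's `redirect-gateway def1`. The script below is an added example, not code from the thread or from Viscosity: it parses a constructed client config containing those directives, builds the route table they produce (def1 installs two /1 routes rather than replacing the default), and answers "which gateway does this destination use?" with the same longest-prefix match the OS performs. The gateway labels `vpn_gateway` / `net_gateway` are symbolic stand-ins, and the `10.8.0.0/24` tunnel subnet is a constructed value included to show that a more specific route through the tunnel still wins over the broad 10/8 bypass.

```python
import ipaddress

# Constructed client-side config excerpt (not from the original post).
# The redirect-gateway line is what the server pushes; the net_gateway
# routes are what the Networking tab adds; the 10.8.0.0/24 route stands in
# for the tunnel's own subnet (a constructed value, adjust to your setup).
CLIENT_CONFIG = """
redirect-gateway def1 bypass-dhcp
route 192.168.0.0 255.255.0.0 net_gateway
route 10.0.0.0 255.0.0.0 net_gateway
route 10.8.0.0 255.255.255.0 vpn_gateway
"""

VPN_GATEWAY = "vpn_gateway"    # symbolic: the tun endpoint
LOCAL_GATEWAY = "net_gateway"  # symbolic: the LAN's normal default gateway


def build_routes(config: str):
    """Return (network, gateway) pairs for the routes the config installs."""
    routes = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "redirect-gateway" and "def1" in parts:
            # def1: add 0.0.0.0/1 and 128.0.0.0/1 via the VPN instead of
            # overwriting 0.0.0.0/0, so the original default route survives
            # and can be restored cleanly on disconnect.
            routes.append((ipaddress.ip_network("0.0.0.0/1"), VPN_GATEWAY))
            routes.append((ipaddress.ip_network("128.0.0.0/1"), VPN_GATEWAY))
        elif parts[0] == "route" and len(parts) >= 4:
            # "route <network> <netmask> <gateway>"; ip_network accepts the
            # dotted-netmask form directly.
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            gw = LOCAL_GATEWAY if parts[3] == "net_gateway" else parts[3]
            routes.append((net, gw))
    return routes


def lookup(routes, dst: str) -> str:
    """Longest-prefix match, as the kernel does it. The only key is the
    destination address: no port number takes part in the decision."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else "unreachable"


def classify(config: str, destinations):
    """Map each destination to the gateway the config would send it through."""
    routes = build_routes(config)
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    samples = ["8.8.8.8", "192.168.1.5", "10.3.4.5", "10.8.0.6", "172.16.0.1"]
    for dst, gw in classify(CLIENT_CONFIG, samples).items():
        print(f"{dst:>14} -> {gw}")
```

Run it and the public address goes to the tunnel, the 192.168.x and 10.x hosts go to the local gateway, and 10.8.0.6 still goes through the tunnel because /24 beats /8. Note that 172.16.0.1 also lands on the VPN: the third private range, 172.16.0.0/12, is not covered by the two routes in the post and would need a third route of the same form if your office uses it. The `lookup` function also makes James's later point concrete: the table is keyed on destination address alone, so there is no way to express "port 443 via the VPN, everything else local" in it.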

jurgen

Posts: 3
Joined: Tue Jul 07, 2009 10:34 pm

Post by jurgen » Thu Jul 09, 2009 10:21 am
Aw fantastic, that works great. Thanks very much!

AlexK

Posts: 8
Joined: Fri Jul 17, 2009 8:08 pm

Post by AlexK » Fri Aug 07, 2009 4:05 am
Hi James,

I have a similar issue to this. But instead of IP masks, I'd like to use port white- or blacklists. Is it possible to tell OpenVPN to just use it for say ports 80 and 25 or for everything except ports say 443 and 8080?

AlexK

Posts: 8
Joined: Fri Jul 17, 2009 8:08 pm

Post by AlexK » Wed Aug 12, 2009 7:09 pm
Anyone?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Aug 14, 2009 2:31 am
Hi AlexK,
Is it possible to tell OpenVPN to just use it for say ports 80 and 25 or for everything except ports say 443 and 8080?
I'm afraid not, as the OS's routing table does not take port numbers into account. If you really need to just redirect specific ports you could try playing with something like SSH port forwarding/tunnelling to get certain traffic to go through the VPN. It might be possible to achieve a similar effect with iptables. However, unfortunately there is no simple or direct way to achieve "port routing".

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

AlexK

Posts: 8
Joined: Fri Jul 17, 2009 8:08 pm

Post by AlexK » Tue Aug 18, 2009 7:28 pm
Hi James,

that's a pity. :(

I will look into port routing. Hopefully there is a fix.

Thanks anyway.