
Solved OpenVPN Server split tunnel config


nino_070

Dear all,

I am trying to set up an OpenVPN Server on my AX82 router allowing clients to connect either full-tunnel (all LAN + WAN access tunneled through the VPN) or split-tunnel (only LAN access through the VPN).
Previously I hosted my OpenVPN server on another device, and this OpenVPN server config did not push the default gateway to the clients.
Therefore, on the client config I had the option to include redirect-gateway def1 to route internet traffic through the VPN, and exclude it to only route LAN traffic.
How can I achieve the same setup on my Asus merlin server config?

I already found one workaround, but it's not as neat because it forces me to define all subnets I want to access through the NAS in the client config files:
Code:
route-nopull  # Prevent the default route from being pushed

route 192.168.0.0 255.255.255.0  # Route the LAN through the VPN

Any help would be appreciated!
 
There's an option to do that in the OpenVPN General Settings: Client will use VPN to access. If you have multiple local subnets connected to your router please provide more specific information.
 
That is currently set to "Both", because I want 2 different client config options: LAN only, or LAN + internet.
However, this seems to push the default gateway to the gateway of the router all the time.
The subnets I need to access are 192.168.0.x, 10.9.0.x (VPN Server subnet) and another subnet that I'm using to run docker containers.
 
It might be easier to set up two different OpenVPN server instances, one for LAN only and the other for LAN + internet. Otherwise you'll end up having to mess around customising each of the clients' configs.

In any case it sounds like you're going to have to use "Manage Client-Specific Options" in the OpenVPN Advanced Settings. Enabling that allows you to specify additional routes to be pushed to the clients.

See this similar post: https://www.snbforums.com/threads/need-help-with-vpn-director.79519/post-772271
 
Thanks for finding this comment, that was very helpful.
This line:
Code:
pull-filter ignore "redirect-gateway"
did exactly what I wanted to achieve.
I considered separating 2 VPN servers, but I think it's way easier to manage this on the client side with 1 additional config line than by having to administer duplicate user accounts, duplicate certificates, etc.

Right now I got it working with the following server setup:
- General settings: Client will use VPN to access = Both
- Advanced settings: in Custom config I have the option to push routing for additional subnets to all clients if needed. The subnets of the router and the VPN subnet are pushed by default by the asusmerlin firmware.

Client config full tunnel: no additional config needed
Client config split tunnel, add the line: pull-filter ignore "redirect-gateway"

Thanks a lot for your help!
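
Added example, not part of the thread: a short Python model of how the client-side pull-filter line from the last post treats the options a server pushes (rules applied in order, first match wins, prefix comparison, as the OpenVPN manual describes). The pushed-option list, the two profiles and all function names are constructed for illustration.

```python
import shlex

# Constructed sample of options a server set to "Both" might push (not captured output).
PUSHED = [
    "route 192.168.0.0 255.255.255.0",
    "redirect-gateway def1",
    "route-gateway 10.9.0.1",
    "topology subnet",
    "ifconfig 10.9.0.2 255.255.255.0",
]
# Constructed client profiles; only the lines relevant to routing are shown.
FULL_TUNNEL = "client\ndev tun\n"
SPLIT_TUNNEL = FULL_TUNNEL + 'pull-filter ignore "redirect-gateway"  # LAN only\n'

def directives(profile_text):
    """Tokenise each profile line, honouring quotes and '#' comments."""
    for line in profile_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            yield tokens

def parse_pull_filters(profile_text):
    """Return [(action, text), ...] in the order the profile lists them."""
    return [(t[1], t[2]) for t in directives(profile_text)
            if t[0] == "pull-filter" and len(t) == 3]

def apply_pull_filters(pushed, filters):
    """First matching filter wins; matching is a prefix comparison; no match means accept."""
    kept = []
    for option in pushed:
        action = next((a for a, text in filters if option.startswith(text)), "accept")
        if action == "reject":
            raise ValueError(f"profile rejects pushed option: {option}")
        if action == "accept":
            kept.append(option)
    return kept

def redirects_default_route(profile_text, pushed):
    """True when redirect-gateway survives filtering or is set locally in the profile."""
    kept = apply_pull_filters(pushed, parse_pull_filters(profile_text))
    local = [" ".join(t) for t in directives(profile_text)]
    return any(o.startswith("redirect-gateway") for o in kept + local)

if __name__ == "__main__":
    for name, profile in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, "tunnel redirects default route:", redirects_default_route(profile, PUSHED))
```

The filter is evaluated on the client, so a server set to "Both" cannot force full-tunnel on a profile that carries this line. Because matching is by prefix, a broader filter such as `pull-filter ignore "route"` would also drop `route-gateway`.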
 
